Since both your lan and wan subnets are private, you're not going to receive
any unsolicited traffic from the internet unless you port forward to your
machine in your wireless router. I don't see a gaping hole.
If you're worried about internal traffic, adjust your policy and rules files to
Bill
My only worry now is I left a gaping hole in the firewall with some
of the changes I made wildly trying to get shorewall working. I am
hoping that you can see in the previous post with the
"shorewall_dump.txt" if I did.
Thanks for your and Tom's help
Jim
On 12/13/2017 08:08
Glad it's working.
That was just an example of how to log to BOTH /var/log/shorewall.log and
/var/log/messages. Use the 'notice' level to log both places. You don't need
it in your config. "I don't like Bob @ 192.168.2.44" is just my little bit of
humor.
The '?COMMENT' in Shorewall flags the
Bill
Attached is a corrected snat file and it is now working! Yeah.
I added the 00-shorewall.log
Not sure how to use
rules:
?COMMENT I don't like Bob @ 192.168.2.44
REJECT:notice lan:192.168.2.44 wan tcp all
Should the line ?COMMENT I don't like Bob @ 192.168.2.44 be added to
If you want a cleaner log file, create this file
/etc/rsyslog.d/00-shorewall.conf :
if $msg contains 'Shorewall' then {
action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
# if ($syslogfacility == 0 and $syslogseverity >=
Tom
I attempted to follow the instructions below. But I failed the
gzip test.
Jim
On 12/12/2017 03:27 PM, Tom Eastep wrote:
On 12/12/2017 03:07 PM, jamby wrote:
Tom
On my system I get a file "shorewall-init.log"; is that the dump you're
referring to? Otherwise most messages
Tom
I think I got it right in the later message with the
shorewall_dump.txt file.
Bill
It originally was /var/log/messages but I changed it to
/var/log/shorewall but nothing ever is written there.
Even after the change it was writing to /var/log/messages. I was
hoping to have a
On 12/12/2017 03:23 PM, jamby wrote:
> Tom & Bill
>
> Attached is the output of the "shorewall dump" command.
>
> I changed LOGFILE = /var/log/shorewall but nothing is ever written
> there.
>
Now, neither of your ethernet interfaces has an IP configuration. Looks
like you messed
On 12/12/2017 03:23 PM, jamby wrote:
> Tom & Bill
>
> Attached is the output of the "shorewall dump" command.
>
> I changed LOGFILE = /var/log/shorewall but nothing is ever written
> there.
>
As described in the shorewall.conf manpage and in the FAQs, LOGFILE does
NOT specify where
You were posting excerpts from a log file earlier. Which one was it?
/var/log/messages ? That's where they would be on a Fedora 22 system.
Your shorewall.conf should have:
LOGFILE=/var/log/messages
Bill
On 12/12/2017 6:23 PM, jamby wrote:
Tom & Bill
Attached is the output of the
On 12/12/2017 03:07 PM, jamby wrote:
> Tom
>
> On my system I get a file "shorewall-init.log"; is that the dump you're
> referring to? Otherwise most messages get dumped into the
> /var/log/messages log file.
>
Here are the instructions from the URL I posted:
If Shorewall is starting
Tom & Bill
Attached is the output of the "shorewall dump" command.
I changed LOGFILE = /var/log/shorewall but nothing is ever written
there.
Thanks
Jim
On 12/12/2017 02:39 PM, Tom Eastep wrote:
On 12/12/2017 01:16 PM, jamby wrote:
Bill
from the FW I can ping out into the
Tom
On my system I get a file "shorewall-init.log"; is that the dump you're
referring to? Otherwise most messages get dumped into the
/var/log/messages log file.
Jim
On 12/12/2017 02:39 PM, Tom Eastep wrote:
On 12/12/2017 01:16 PM, jamby wrote:
Bill
from the FW I can ping out into
On 12/12/2017 01:16 PM, jamby wrote:
> Bill
>
> from the FW I can ping out into the internet. And Firefox will
> connect to websites.
> But from 192.168.2.8 neither will work. And nothing shows up in the
> messages file.
>
> As frustrated as I am, I am sure it's worse for you since you can't
Bill
from the FW I can ping out into the internet. And Firefox will
connect to websites.
But from 192.168.2.8 neither will work. And nothing shows up in the
messages file.
As frustrated as I am, I am sure it's worse for you since you can't see
what is going on here.
I am sure I have
If you want to accept traffic from the wan zone, add a policy before the wan
all DROP info line:
wan fw ACCEPT
wan all DROP info
OR add a rule:
SECTION NEW
ACCEPT wan:192.168.1.1 fw tcp http
Bill
On 12/12/2017 2:36 PM, jamby wrote:
Bill
Made those changes and
Bill
Made those changes and attached the new files. Still not getting it
to work.
Dec 12 11:19:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT=
MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56014 DF PROTO=TCP
For Red Hat based systems, yes remove GATEWAY= from
/etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-enp3s0
Ensure that there is a:
GATEWAY=192.168.1.1
DEFROUTE=yes
in /etc/sysconfig/network-scripts/ifcfg-enp4s0
Bill
Tom
Ran that command and got this back
sudo ip route del default via 192.168.1.1 dev enp3s0
RTNETLINK answers: No such process
Attached the files for enp 3/4 s0
Jim
It will be in your Distribution's network configuration file for enp3s0.
That would be the stanza for that interface in
On 12/12/2017 10:19 AM, jamby wrote:
> On 12/12/2017 10:16 AM, jamby wrote:
>> On 12/12/2017 10:05 AM, Tom Eastep wrote:
>>> On 12/12/2017 09:26 AM, jamby wrote:
Sorry Tom
I am not sure what you mean. Is that the Interfaces file and the
Default info?
#ZONE
On 12/12/2017 10:16 AM, jamby wrote:
On 12/12/2017 10:05 AM, Tom Eastep wrote:
On 12/12/2017 09:26 AM, jamby wrote:
Sorry Tom
I am not sure what you mean. Is that the Interfaces file and the
Default info?
#ZONE INTERFACE OPTIONS
wan enp4s0
On 12/12/2017 10:05 AM, Tom Eastep wrote:
On 12/12/2017 09:26 AM, jamby wrote:
Sorry Tom
I am not sure what you mean. Is that the Interfaces file and the
Default info?
#ZONE INTERFACE OPTIONS
wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lan
On 12/12/2017 09:26 AM, jamby wrote:
> Sorry Tom
>
> I am not sure what you mean. Is that the Interfaces file and the
> Default info?
>
> #ZONE INTERFACE OPTIONS
> wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> lan enp3s0
Sorry Tom
I am not sure what you mean. Is that the Interfaces file and the
Default info?
#ZONE INTERFACE OPTIONS
wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lan enp3s0 tcpflags,nosmurfs,routefilter,logmartians,dhcp
On 12/12/2017 02:58 AM, Bill Shirley wrote:
> You should define policy for fw:
> fw all ACCEPT
> lan fw ACCEPT
> The order of these is important. They should be at the top. This is
> probably why
> 192.168.2.8 can't talk to the fw (192.168.2.1). Get traffic flowing and
> then narrow
Bill
Made the changes you suggested but still not working. I ran the ip
command and attached a file of the output.
Thanks
Jim
these were trying to ping 205.171.3.65
Dec 12 06:43:21 nub kernel: IPv4: martian source 192.168.1.2 from
192.168.1.1, on dev enp4s0
Dec 12 06:43:21 nub kernel:
You should define policy for fw:
fw all ACCEPT
lan fw ACCEPT
The order of these is important. They should be at the top. This is probably
why
192.168.2.8 can't talk to the fw (192.168.2.1). Get traffic flowing and then
narrow
it down to what is allowed.
In your snat file you're
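Bill's advice (the specific entries `fw all ACCEPT` and `lan fw ACCEPT` at the top, the `wan all DROP` and `all all REJECT` catch-alls at the bottom) comes down to one rule: Shorewall walks the policy file top-down and applies the first entry whose SOURCE and DEST columns match the zone pair, so a specific entry placed below a wider one never fires. The script below is an added example, not code from the thread or from Shorewall itself. It parses a policy file in the `SOURCE DEST POLICY [LOGLEVEL]` layout used in this thread and reports entries that are dead because an earlier, wider entry already covers them. The two sample policy texts are constructed for the example; the zone names `fw`, `lan` and `wan` are the ones from the poster's configuration (the firewall zone is spelled `fw` here, as in Bill's lines, rather than `$FW`).

```python
"""Check a Shorewall policy file for entries shadowed by earlier ones.

Shorewall uses the first policy entry whose SOURCE and DEST match a zone
pair, so 'lan fw ACCEPT' placed below 'all all REJECT' never matches.
Added example; the policy texts below are constructed, not files from
the thread.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    line_no: int


def parse_policies(text):
    """Parse 'SOURCE DEST POLICY [LOGLEVEL]' lines; skip comments and ?directives."""
    policies = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        action = fields[2].split(":", 1)[0].upper()  # tolerate ACTION:loglevel spelling
        policies.append(Policy(fields[0], fields[1], action, n))
    return policies


def covers(wide, narrow):
    """True if zone spec `wide` matches every zone that `narrow` matches."""
    return wide == "all" or wide == narrow


def effective_action(policies, source, dest):
    """Action Shorewall applies to the zone pair: first matching entry wins."""
    for p in policies:
        if covers(p.source, source) and covers(p.dest, dest):
            return p.action
    return None


def shadowed(policies):
    """Return (dead_entry, earlier_entry_that_hides_it) pairs."""
    pairs = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier.source, later.source) and covers(earlier.dest, later.dest):
                pairs.append((later, earlier))
                break
    return pairs


def report(text):
    """One human-readable line per dead entry."""
    return [
        f"line {dead.line_no}: '{dead.source} {dead.dest} {dead.action}' never matches; "
        f"line {first.line_no} '{first.source} {first.dest} {first.action}' wins"
        for dead, first in shadowed(parse_policies(text))
    ]


# Constructed samples. GOOD follows Bill's ordering; BAD buries the specific
# entries under the catch-alls and has no lan->wan entry at all.
GOOD = """\
#SOURCE DEST POLICY LOGLEVEL
fw      all  ACCEPT
lan     fw   ACCEPT
lan     wan  ACCEPT
wan     all  DROP   info
all     all  REJECT info
"""

BAD = """\
#SOURCE DEST POLICY LOGLEVEL
fw      all  ACCEPT
wan     all  DROP   info
wan     fw   ACCEPT
all     all  REJECT info
lan     fw   ACCEPT
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "->", report(text) or ["no shadowed entries"])
        print("  lan->fw:", effective_action(parse_policies(text), "lan", "fw"))
        print("  lan->wan:", effective_action(parse_policies(text), "lan", "wan"))
```

Run against the BAD text, `effective_action` shows the symptom from the thread directly: with no `lan wan` entry, a host in the lan zone trying to reach the internet falls through to `all all REJECT`, and the late `lan fw ACCEPT` is reported as dead because `all all REJECT` above it already covers that pair.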
Thanks Bill
In the attached file are the zones, interfaces, hosts, masq (or
snat), and policy files. + shorewall.conf
Appreciate your time
Jim
11dec17.900 files from the new firewall router.
Zones
#
# Shorewall - Sample Zones File for two-interface configuration.
# Copyright (C)
Looks like a routing problem. Why is your internet traffic exiting on the lan
interface?
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=216.235.100.1 LEN=67 TOS=0x00 PREC=0x00
TTL=64 ID=43171 DF PROTO=UDP SPT=34131 DPT=53 LEN=47
Someone's doing DNS
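Both problems in this thread were spotted by reading these kernel lines: the chain name after `Shorewall:` is the zone pair (`fw-lan` is traffic the firewall itself generated, headed into the lan zone; `wan-fw` is the router talking to the firewall), `IN=`/`OUT=` name the interfaces, and a public `DST=` leaving through `OUT=enp3s0` is the routing mistake Bill points at. The parser below is an added example, not code from the thread or from Shorewall. It splits such lines into fields and flags firewall-originated packets to a non-private address that exit via the lan interface. It assumes Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix; the interface-to-zone map is taken from the poster's interfaces file (enp4s0 = wan, enp3s0 = lan); the sample lines are constructed in the shape of the ones quoted in the thread, with the port and TCP fields invented.

```python
"""Parse Shorewall's kernel log lines and flag mis-routed egress.

Added example. Assumes the default log prefix 'Shorewall:<chain>:<disposition>:'
and the zone/interface mapping from the poster's interfaces file.
"""
import ipaddress
import re

# Assumption taken from the interfaces file posted in the thread.
ZONE_OF_IFACE = {"enp4s0": "wan", "enp3s0": "lan"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return chain, disposition and the netfilter KEY=VALUE fields, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec.setdefault(key, val)  # keep the first LEN (IP header), not the UDP one
    return rec


def iface_zone(name):
    """Zone an interface belongs to; an empty IN= or OUT= means the firewall itself."""
    if not name:
        return "fw"
    return ZONE_OF_IFACE.get(name, "unknown")


def misrouted_egress(rec):
    """Firewall-generated packet to a public address leaving on the lan interface."""
    if rec.get("IN") or not rec.get("OUT") or "DST" not in rec:
        return False
    try:
        dst = ipaddress.ip_address(rec["DST"])
    except ValueError:
        return False
    return iface_zone(rec["OUT"]) == "lan" and not dst.is_private


def summarize(rec):
    """Compact one-line view: chain, verdict, proto, src -> dst:port (zones)."""
    src_zone, dst_zone = iface_zone(rec.get("IN")), iface_zone(rec.get("OUT"))
    target = rec.get("DST", "?")
    if "DPT" in rec:
        target += ":" + rec["DPT"]
    return (f"{rec['chain']} {rec['disposition']} {rec.get('PROTO', '?')} "
            f"{rec.get('SRC', '?')} -> {target} ({src_zone} -> {dst_zone})")


def audit(lines):
    """Return (summary, flagged) for every Shorewall line; other lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.append((summarize(rec), misrouted_egress(rec)))
    return out


# Constructed sample lines, shaped like the ones quoted in the thread.
SAMPLE = [
    "Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 "
    "SRC=192.168.2.3 DST=216.235.100.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=43171 DF "
    "PROTO=UDP SPT=34131 DPT=53 LEN=47",
    "Dec 12 11:19:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= "
    "MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56014 DF PROTO=TCP SPT=44120 DPT=80 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Dec 12 11:20:00 nub3 kernel: Shorewall:lan-wan:ACCEPT:IN=enp3s0 OUT=enp4s0 "
    "SRC=192.168.2.8 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=UDP SPT=5000 DPT=53 LEN=40",
    "Dec 12 06:43:21 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0",
]

if __name__ == "__main__":
    for summary, flagged in audit(SAMPLE):
        print(("!! MISROUTED " if flagged else "   ") + summary)
```

The first sample line is the one Bill called a routing problem: `IN=` is empty (the firewall generated the packet), `OUT=enp3s0` is the lan side, and the destination is a public DNS server, so `misrouted_egress` flags it. The `wan-fw` line is not flagged: it arrived on enp4s0, so it is a policy question (which the `wan fw ACCEPT` entry Bill suggested would answer), not a routing one. The martian-source line carries no `Shorewall:` prefix and is skipped.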
Hi
I am trying to replace my old version 4.5.1 on CentOS 6.9 with a
newer computer running CentOS 7 up to date with shorewall 5.0.14.1
I tried to follow the two-card sample but have done something wrong.
Currently the old machine is still working but the hard drive is on its
last legs.