Hmmm. You can't add rules to a disconnected interface either e.g. DMZ without shorewall going bang. This is a real show stopper for me. If you can't configure a firewall before installing it into the final network then that's a real serious problem.
This didn't use to happen with MNF 1. I think the link state detection is being a bit overzealous now.
 
Cheers.


From: Mitchell, Neill [mailto:[EMAIL PROTECTED]
Sent: 26 January 2005 15:53
To: '[email protected]'
Subject: RE: [Security Firewall] Cannot access firewall after adding masq entries

Looks like I've cracked it. As I suspected, if the interface is not plugged in then shorewall fails as it thinks the interface is not up. I plugged eth2 into a hub and it started working. Shorewall will fail if ANY of the masq interfaces are disconnected. This is not an ideal solution. You should be able to configure and test a firewall before deploying it. This problem prevents this.
 
Any ideas Florin/anybody?
 
Cheers.
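
A pre-flight check for the failure described in the message above, added here as an example and not part of the original thread: it lists every interface named in the masq file that has no link, so a restart can be held back until they are connected. Reading link state from `/sys/class/net/<iface>/carrier` and the function names `masq_ifaces_without_link` and `masq_preflight` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report masq interfaces with no link.
# Usage: masq_ifaces_without_link [masq_file] [sysfs_net_dir]
masq_ifaces_without_link() {
    masq_file=${1:-/etc/shorewall/masq}
    net_dir=${2:-/sys/class/net}     # assumption: kernel exposes <iface>/carrier here
    # Column 1 is the outgoing interface, optionally "iface:destination".
    # Column 2 is the source: a network, or a single interface name.
    # Assumption: a source without "." or "/" is an interface name.
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        { split($1, out, ":"); print out[1] }      # eth2:0.0.0.0/0 -> eth2
        NF >= 2 && !index($2, ".") && !index($2, "/") { print $2 }
    ' "$masq_file" | sort -u |
    while read -r ifc; do
        # carrier reads "1" with link; the read fails when the interface is
        # absent or administratively down, which also counts as no link.
        carrier=$(cat "$net_dir/$ifc/carrier" 2>/dev/null) || carrier=missing
        [ "$carrier" = "1" ] || echo "$ifc"
    done
}

# Returns 0 when every masq interface has link, 1 otherwise.
masq_preflight() {
    down=$(masq_ifaces_without_link "$@")
    if [ -n "$down" ]; then
        echo "no link on:" $down >&2
        return 1
    fi
    return 0
}

# Typical use on the firewall itself:
#   masq_preflight && shorewall restart
```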


From: Doug White [mailto:[EMAIL PROTECTED]
Sent: 26 January 2005 15:44
To: [email protected]
Subject: Re: [Security Firewall] Cannot access firewall after adding masq entries

Mitchell:

I haven't been able to get masq to work either but I know how to get you back running:

    Go to the physical box:
      Log in as a user or admin
      su
      edit /etc/shorewall/masq (vi /etc/shorewall/masq)
      delete the two lines you added
      save and exit
      type:  shorewall restart
      it should run.


Now you should be able to get into the firewall.  Go to the masq section and delete the two entries there then apply.  This will get you back to square one. 

I have had no luck with the DHCP or the MASQ sections.  Nothing seems to work and I have spent about 10 hours on it.  I still have to static NAT everything and use a separate DHCP server.  Perhaps Florin or someone will write a tutorial on how to set up a dhcp network.

Good Luck

Mitchell, Neill wrote:
Hi there.
 
Running MNF Beta 2 with latest naat rpms from florin's site. Everything was running fine until I added two masquerade entries and hit apply. I then lost the ability to web admin the firewall. I get a timeout when connecting to it. The entries I added were:
 
eth2:0.0.0.0/0  eth0
eth2:0.0.0.0/0  eth1
 
eth0 is my LAN, eth1 is my DMZ and eth2 is the WAN. I've checked the masq file and it contains the above entries. I have no custom rules. I have compared all the shorewall files with my MNF 1 firewall ones and I just can't see anything wrong. Nothing in the logs to indicate a problem. I have not hacked any files manually.
 
Any ideas?
 
Many thanks


From: Administrador do Firewall [mailto:[EMAIL PROTECTED]]
Sent: 26 January 2005 13:31
To: [email protected]
Subject: Re: [Security Firewall] MNF2 beta is the last one?

I need to install a MNF2 now, so how difficult will it be to update the beta2 to beta3/final?

Florin wrote:
Administrador do Firewall <[EMAIL PROTECTED]> writes:

  
Is the MNF2 beta2 the last one?
We will have a beta3 or the next one is the final one?
    
 
a new beta3 iso image will be available very soon ... and THEN the final
one. 

my 2cts,
  

____________________________________________________ Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com ____________________________________________________


_____________________________________________________________________
This message has been checked for all known viruses by Minuco delivered through the MessageLabs Virus Scanning Service. For further information visit http://www.minuco.com or alternatively mail [EMAIL PROTECTED].
 