In the dump you sent, I see

    tcp 6 431984 ESTABLISHED src=192.168.0.11 dst=209.85.129.147 sport=1092 dport=80 packets=5 bytes=711 src=209.85.129.147 dst=89.62.111.143 sport=80 dport=1092 packets=4 bytes=2376 [ASSURED] mark=0 use=1

which implies that the connection was established and packets exchanged. However, I don't see any other established connections from 192.168.0.11. Can you check syslog or shorewall.log to see if packets are getting dropped for any reason? A tcpdump on eth1 might be useful:

    tcpdump -n -i eth1 host 192.168.0.11

and then try to open a webpage from 192.168.0.11.

Prasanna.

On 3/28/07, Toralf Niebuhr <[EMAIL PROTECTED]> wrote:
> I added this line
>
>> loc loc ACCEPT
>
> because I didn't know if the firewall could/would do anything if I
> want to send files from one client to another.
>
> and those are ok (I think so)
>
>> loc fw ACCEPT
>> fw all ACCEPT
>
> because I know exactly what services are running on my server and I
> didn't want to bother writing rules for each one of them.
>
> On 28.03.2007 at 18:30, David Mohr wrote:
>
> > Hi,
> > a little OT, but I think worth pointing out:
> >
> > On 3/28/07, Toralf Niebuhr <[EMAIL PROTECTED]> wrote:
> >> I have multiple clients in my network and a server with
> >> dhcp, shorewall, ....
> >> I wanted the server to be a really tight firewall.
> >>
> >> so I created this /etc/shorewall/policy file
> >>
> >> loc net DROP
> >> loc loc ACCEPT
> >> loc fw ACCEPT
> >> fw all ACCEPT
> >> net all DROP
> >> all all REJECT
> >
> > You do realize that this is really not a tight firewall. Giving your
> > whole local network access to anything on the firewall is not a good
> > idea. Also, for a 'tight' system, I would restrict outgoing requests
> > from the firewall, at least to the net. And why do you have a 'loc loc
> > ACCEPT' policy? Wouldn't that be only needed for bridges?
> >
> > You might be ok with your current setup, and I don't mean to
> > criticize, but please don't call it tight :-)
> >
> > ~David

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
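As an added example, not code from the thread or from the Shorewall project: a small Python parser for conntrack entries in the /proc/net/ip_conntrack format quoted above. It extracts what Prasanna reads off the entry by hand (TCP state, the ASSURED flag, packet and byte counts in each direction) and adds two checks an admin usually wants next: whether the reply tuple's destination differs from the original source, which is what a masqueraded (source-NATed) connection looks like, and whether any reply has been seen at all, which is the case to chase in syslog or shorewall.log. The TCP entry is the one from the dump; the UDP entry is constructed for illustration, and the field layout is assumed to follow the quoted dump.

```python
# Parse /proc/net/ip_conntrack style entries and summarize what they tell a
# firewall admin. Assumed layout (as in the thread's dump):
#   <proto> <proto_num> <timeout> [<tcp_state>] k=v ... [FLAG] k=v ...
# where the second src= begins the reply tuple.

# Sample entries. SAMPLE_TCP is the line quoted in the thread; SAMPLE_UDP is
# a constructed entry for a DNS query that has not been answered yet.
SAMPLE_TCP = ("tcp 6 431984 ESTABLISHED src=192.168.0.11 dst=209.85.129.147 "
              "sport=1092 dport=80 packets=5 bytes=711 src=209.85.129.147 "
              "dst=89.62.111.143 sport=80 dport=1092 packets=4 bytes=2376 "
              "[ASSURED] mark=0 use=1")
SAMPLE_UDP = ("udp 17 29 src=192.168.0.11 dst=192.168.0.1 sport=40123 dport=53 "
              "packets=1 bytes=60 [UNREPLIED] src=192.168.0.1 dst=192.168.0.11 "
              "sport=53 dport=40123 packets=0 bytes=0 mark=0 use=1")

# Keys that belong to the whole entry rather than to either tuple.
ENTRY_KEYS = {"mark", "use", "zone", "secctx"}


def parse_conntrack(line):
    """Split one conntrack line into proto, state, flags and the two tuples."""
    tokens = line.split()
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None, "flags": set(),
             "orig": {}, "reply": {}, "extra": {}}
    tuples = []          # original tuple first, reply tuple second
    current = None
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])          # e.g. ASSURED, UNREPLIED
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "src":                       # a new src= opens a tuple
                current = {}
                tuples.append(current)
            if current is None or key in ENTRY_KEYS:
                entry["extra"][key] = val
            else:
                current[key] = int(val) if val.isdigit() else val
        else:
            entry["state"] = tok                   # TCP state keyword only
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)
    entry["orig"], entry["reply"] = tuples
    return entry


def assess(entry):
    """Reduce a parsed entry to the facts worth checking when debugging."""
    orig, reply = entry["orig"], entry["reply"]
    return {
        "state": entry["state"],
        "assured": "ASSURED" in entry["flags"],
        # Reply packets addressed to something other than the original
        # source mean the firewall rewrote the source (masquerade/SNAT).
        "snat": reply["dst"] != orig["src"],
        # No reply packets (or an explicit UNREPLIED flag) means the peer
        # never answered, or the answer was dropped before conntrack saw it.
        "replied": reply["packets"] > 0 and "UNREPLIED" not in entry["flags"],
        "orig_packets": orig["packets"], "orig_bytes": orig["bytes"],
        "reply_packets": reply["packets"], "reply_bytes": reply["bytes"],
    }


def describe(line):
    """Human-readable one-liner per entry, as an admin would want it printed."""
    entry = parse_conntrack(line)
    a = assess(entry)
    o = entry["orig"]
    return ("%s %s:%s -> %s:%s state=%s assured=%s snat=%s replied=%s "
            "(out %d pkts/%d B, back %d pkts/%d B)" % (
                entry["proto"], o["src"], o.get("sport", "-"),
                o["dst"], o.get("dport", "-"), a["state"] or "n/a",
                a["assured"], a["snat"], a["replied"],
                a["orig_packets"], a["orig_bytes"],
                a["reply_packets"], a["reply_bytes"]))


if __name__ == "__main__":
    for sample in (SAMPLE_TCP, SAMPLE_UDP):
        print(describe(sample))
```

Running it against the dump line reports an ESTABLISHED, ASSURED connection with traffic in both directions, and flags that replies are addressed to 89.62.111.143 rather than 192.168.0.11, i.e. the firewall is masquerading the client. Entries that come back with replied=False are the ones to line up against the drop messages in syslog or shorewall.log and the tcpdump on eth1.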