Hi Tom,
Yess my Question was confused so i checked that warnings and i get confused
with the files resolv.conf & nsswitch.conf how can i know if that are
correct.
i verify the next warnings
-
If your Name Server(s) is(are) down then your firewall won't start.
-
If your startup scripts try to start your firewall before starting your
DNS server then your firewall won't start.
-
Factors totally outside your control (your ISP's router is down for
example), can prevent your firewall from starting.
-
You must bring up your network interfaces prior to starting your
firewall.
and that are correct but i cant start shorewall because of that:
aporta@proxy:~$ sudo shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall/policy...
Adding rules for DHCP
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
ERROR: Unknown Host (mail.shorewall.net) : /etc/shorewall/rules (line 33)
I checked in the /etc/shorewall/rules and i veryfy that i can use only local
host and the FW take it (ACCEPT:$LOG loc:FELIPE-MSI.local.
net tcp 3200 # SAP) but if i search for WAN
host it didnt take (REJECT:$LOG loc net:mail.shorewall.net
tcp 80), my rules is in the adjunt file.!!!!! Do you speak spanish???
regards,
felipe
2011/8/26 Tom Eastep <teas...@shorewall.net>
>
> Do you know how to set up DNS name configuration in the next files:
>>
>
>
> -
>
> /etc/resolv.conf is wrong then your firewall won't start.
> -
>
> If your /etc/nsswitch.conf is wrong then your firewall won't start.
> -
>
> If your Name Server(s) is(are) down then your firewall won't start.
> -
>
> If your startup scripts try to start your firewall before starting your
> DNS server then your firewall won't start.
> -
>
> Factors totally outside your control (your ISP's router is down for
> example), can prevent your firewall from starting.
> -
>
> You must bring up your network interfaces prior to starting your
> firewall.
>
> Each DNS name must be fully qualified and include a minimum of two periods
> (although one may be trailing). This restriction is imposed by Shorewall to
> insure backward compatibility with existing configuration files.
>
>
> Those are just warnings about what may go wrong when you use DNS names.
>
> -Tom
>
>
> ------------------------------------------------------------------------------
> EMC VNX: the world's simplest storage, starting under $10K
> The only unified storage solution that offers unified management
> Up to 160% more powerful than alternatives and 25% more efficient.
> Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL RATE USER/ MARK CONNLIMIT TIME
HEADERS
# PORT PORT(S)
DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Trafico originado en la red LOC con destino el Firewall: loc2fw
ACCEPT:$LOG loc fw icmp 8
# Ping
ACCEPT:$LOG loc:$LOC_IP_SYSADMIN fw tcp 3389
# ESCRITORIO REMOTO
ACCEPT:$LOG loc:$LOC_IP_SYSADMIN fw tcp 5900
# ESCRITORIO REMOTO
ACCEPT:$LOG loc fw tcp 3128
# Squid Proxy HTTP
# Trafico originado en la red LOC con destino Internet: loc2net
ACCEPT:$LOG loc net icmp 8
# Ping
ACCEPT:$LOG loc net tcp 443
# HTTPS SKYPE
ACCEPT:$LOG loc net tcp 3389
# ESCRITORIO REMOTO
ACCEPT:$LOG loc net tcp 3299
# SAP
ACCEPT:$LOG loc:FELIPE-MSI.local. net
tcp 3200 # SAP
ACCEPT:$LOG loc net tcp 80
# HTTP WEB
ACCEPT:$LOG loc net udp 53
# HTTP WEB
#REJECT:$LOG loc net:google.com udp 53
# youtube
REJECT:$LOG loc net:mail.shorewall.net tcp
80
REJECT:$LOG loc net:209.85.0.0-209.85.254.254 tcp 80
# youtube
REJECT:$LOG loc net:209.85.0.0-209.85.254.254 udp 53
# youtube
# Trafico originado en el firewall con destino local: fw2loc
# Trafico originado en el Firewall con destino Internet: fw2net
ACCEPT:$LOG fw net tcp 21
# FTP
ACCEPT:$LOG fw net tcp 80
# HTTP
# Trafico originado en el Internet con destino Firewall: net2fw
ACCEPT:$LOG net fw tcp
3389 # ESCRITORIO REMOTO microsoft
ACCEPT:$LOG net fw tcp
5900 # ESCRITORIO REMOTO VLC
# Reglas DNAT originadas desde el Internet hacia red Local
ACCEPT:$LOG net loc tcp
3389 # ESCRITORIO REMOTO microsoft
ACCEPT:$LOG net loc tcp
5900 # ESCRITORIO REMOTO VLC
ACCEPT:$LOG net loc icmp
8
#DNAT:$LOG net loc:$LOC_IP_SYSADMIN
icmp 8 - 192.168.12.10
ACCEPT:$LOG net loc tcp
3299
#DNAT:$LOG net loc:$LOC_IP_SYSADMIN tcp
3299 - 192.168.12.10
ACCEPT:$LOG net loc tcp
3200
#DNAT:$LOG net loc:$LOC_IP_SYSADMIN
tcp 3200 - 192.168.12.10
# Proxy Transparente
#REDIRECT:$LOG loc 3128 tcp 80
#REDIRECT:$LOG loc 3128 tcp
80 - !192.168.3.20
------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
