On 01/18/2017 07:01 AM, Nigel Aves wrote:
> I've become a little stuck on setting up ipset correctly. I
> followed the instructions from an email as follows:
>
>
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>
> and in Rules at end
>
> ADD(SW_DBL4:src) net $FW
>
> and after some testing everything seemed to be working all OK.
> Using Shorewall 5.0.14.1
>
> I have port 80 (web server) and 25 (Postfix server) open in my
> Rules file. Internal network using 192.168.1.1 on eth1
>
> But as soon as I tried using the browser on my local network
> machine web sites, like Facebook, just stopped working.
>
> I've tried to find a simple (I'm no IT specialist, just home
> hobbyist) explanation as to what I have done wrong or missed, and
> seem to have hit a brick wall.
>
> If someone could point me in the right direction I would be very
> grateful.
>
> Kind Regards, Nigel Aves.
>
>
> In case it helps, here is my rules file.
>
> DHCPfwd/ACCEPT loc fw
> #
> # DHCPfwd/ACCEPT $FW loc
> #
> # Accept for web -server
> ACCEPT net $FW tcp 80
> # no ssl
> # ACCEPT net $FW tcp 443
> #
> #
> # Turn FTP off when not transfering files from VideoKing
> #
> # FTP/ACCEPT net fw - 21
> # ACCEPT net $FW tcp 6000:6100
> #
> ###### use Webmin while away, turn off when returned. Here is the setting
> # Don't forget to turn on for trips.
> #
> # ACCEPT net $FW tcp 1xxxx
> #
> SMTP/ACCEPT net $FW - 25
> DNS(ACCEPT) $FW net
> # Accept DNS connections from the firewall to the network
> #
> SSH(ACCEPT) loc $FW
> #
> # Accept SSH connections from the local network for administration
> #
> Ping(ACCEPT) loc $FW
> #
> # Allow Ping from the local network
> #
> #
> ## Internal accepts
> #
> #Cable TV forward
> DNAT net loc:192.168.1.180 udp 27177
> DNAT net loc:192.168.1.180 udp 27178
> DNAT net loc:192.168.1.180 tcp 27177
> DNAT net loc:192.168.1.180 tcp 27178
> #
> ACCEPT loc $FW tcp
> ACCEPT loc $FW udp
> #
> DNS(ACCEPT) loc $FW
> SMB(ACCEPT) loc $FW
> SMB(ACCEPT) $FW loc
> #
> DNS(ACCEPT) phone $FW
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
> #
> Ping(DROP) net $FW
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> # ACCEPT $FW phone icmp
> #
> # turn on ipset to stop testing ports from outside
> #
> # ADD(SW_DBL4:src) net $FW
>
I suspect that you are blacklisting the upstream DNS name servers. Try this:

#
# Filter out noise
#
Drop net $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info net $FW

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
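An added check for the failure Tom describes, not part of the thread and not a Shorewall tool: it reads `ipset list` output for the dynamic blacklist set and the host's resolv.conf, and reports any upstream resolver that is currently in the set. The set name SW_DBL4 comes from the thread; the ipset listing and resolv.conf below are constructed samples, and the live invocation at the end is left commented out because it needs root and the ipset binary.

```shell
#!/bin/sh
# Constructed sample of `ipset list SW_DBL4` output (hash:ip set created with
# a timeout, so each member line carries its remaining lifetime).
SAMPLE_IPSET_LIST='Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 424
References: 1
Number of entries: 3
Members:
203.0.113.45 timeout 2990
192.0.2.53 timeout 3412
198.51.100.9 timeout 120'

# Constructed sample /etc/resolv.conf: two upstream resolvers, one of which
# (192.0.2.53) has been caught by the ADD rule and sits in the blacklist.
SAMPLE_RESOLV_CONF='# generated by dhcpcd
nameserver 192.0.2.53
nameserver 192.0.2.54
search home.lan'

# Print the resolver addresses found in resolv.conf text read from stdin.
resolvers_from_conf() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print the member addresses (first field of each line after "Members:")
# of `ipset list` text read from stdin.
members_from_ipset_list() {
    awk 'in_members { print $1 } /^Members:/ { in_members = 1 }'
}

# $1: resolv.conf text, $2: ipset list text.
# Prints one line per resolver that is currently blacklisted; returns 0.
blacklisted_resolvers() {
    members=$(printf '%s\n' "$2" | members_from_ipset_list)
    printf '%s\n' "$1" | resolvers_from_conf | while read -r ns; do
        for m in $members; do
            if [ "$m" = "$ns" ]; then printf '%s\n' "$ns"; fi
        done
    done
}

# Live check on a real host (root + ipset required):
# blacklisted_resolvers "$(cat /etc/resolv.conf)" "$(ipset list SW_DBL4)"
blacklisted_resolvers "$SAMPLE_RESOLV_CONF" "$SAMPLE_IPSET_LIST"
```

With the sample data the script prints `192.0.2.53`; an empty result means none of the configured resolvers is in the set.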