Tom,

Just tested your fix. Everything seems to be working perfectly from the outside and the inside.

Many Thanks,

Nigel.

On 1/18/2017 10:12 AM, Tom Eastep wrote:
On 01/18/2017 07:01 AM, Nigel Aves wrote:
I've become a little stuck on setting up ipset correctly.  I
followed the instructions from an email as follows:


DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

and in Rules at end

ADD(SW_DBL4:src)    net    $FW

and after some testing everything seemed to be working all OK.
Using Shorewall 5.0.14.1

I have port 80 (web server) and 25 (Postfix server) open in my
Rules file. Internal network using 192.168.1.1 on eth1

But as soon as I tried using the browser on my local network
machine, web sites like Facebook just stopped working.

I've tried to find a simple (I'm no IT specialist, just a home
hobbyist) explanation as to what I have done wrong or missed, and
seem to have hit a brick wall.

If someone could point me in the right direction I would be very
grateful.

Kind Regards, Nigel Aves.


In case it helps, here is my rules file.

DHCPfwd/ACCEPT    loc    fw
#
# DHCPfwd/ACCEPT    $FW    loc
#
# Accept for web -server
ACCEPT    net    $FW        tcp    80
# no ssl
#  ACCEPT    net    $FW           tcp    443
#
#
# Turn FTP off when not transferring files from VideoKing
#
#  FTP/ACCEPT    net    fw    -    21
#  ACCEPT    net    $FW    tcp    6000:6100
#
###### use Webmin while away, turn off when returned. Here is the setting
# Don't forget to turn on for trips.
#
# ACCEPT    net    $FW    tcp    1xxxx
#
#
SMTP/ACCEPT    net    $FW    -    25
#
DNS(ACCEPT)    $FW        net
#    Accept DNS connections from the firewall to the network
#
SSH(ACCEPT)    loc        $FW
#
#    Accept SSH connections from the local network for administration
#
Ping(ACCEPT)    loc        $FW
#
#    Allow Ping from the local network
#
#
## Internal accepts
#
#Cable TV forward
DNAT    net    loc:192.168.1.180    udp    27177
DNAT    net    loc:192.168.1.180    udp    27178
DNAT    net    loc:192.168.1.180    tcp    27177
DNAT    net    loc:192.168.1.180    tcp    27178
#
ACCEPT             loc        $FW          tcp
ACCEPT             loc        $FW          udp
#
DNS(ACCEPT)      loc        $FW
SMB(ACCEPT)      loc        $FW
SMB(ACCEPT)      $FW        loc
#
DNS(ACCEPT)      phone        $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)    net        $FW
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
#
ACCEPT        $FW        phone        icmp
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src)    net    $FW

I suspect that you are blacklisting the upstream DNS name servers.

Try this:

#
# Filter out noise
#
Drop    net     $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info   net     $FW

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users




--

from the desk of Nigel

http://soft-focus-imagining.com
http://twin-peaks-video.com
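The ordering Tom recommends above (a "Drop net $FW" line ahead of "ADD(SW_DBL4:src) net $FW") is the whole fix: Shorewall evaluates rules top to bottom, and an ADD rule at the end of the net->$FW rules adds the source of every packet that reaches it, including late UDP replies from upstream name servers the firewall itself queried; the Drop action discards that kind of noise (it includes DropDNSrep, which silently drops DNS replies) before the ADD rule can see it. The following lint is an added example, not code from the thread or from the Shorewall project: it parses a rules file and warns about any ADD(...) rule that is not preceded by a Drop/Reject rule for the same zone pair. The function names, the "shield" heuristic and the two sample rules files (constructed from the thread, Nigel's ordering and Tom's) are this example's own assumptions.

```python
import re
from typing import List, Tuple

# (ACTION, SOURCE, DEST) columns of a Shorewall rules line; ACTION keeps its
# parameters, e.g. 'ADD(SW_DBL4:src):info'.
Rule = Tuple[str, str, str]

# Constructed from the thread: Nigel's ordering, then Tom's suggested ordering.
RULES_BEFORE = """\
ACCEPT         net    $FW    tcp    80
SMTP/ACCEPT    net    $FW    -      25
DNS(ACCEPT)    $FW    net
Ping(DROP)     net    $FW
# turn on ipset to stop testing ports from outside
ADD(SW_DBL4:src)    net    $FW
"""

RULES_AFTER = """\
ACCEPT         net    $FW    tcp    80
SMTP/ACCEPT    net    $FW    -      25
DNS(ACCEPT)    $FW    net
#
# Filter out noise
#
Drop    net     $FW
#
# turn on ipset to stop testing ports from outside
#
ADD(SW_DBL4:src):info   net     $FW
"""

ADD_RE = re.compile(r"^ADD\(")
# Actions that discard a packet before a later ADD rule can see it.  Drop and
# Reject are Shorewall's standard noise-filtering actions (Drop includes
# DropDNSrep, which silently drops late DNS replies); DROP/REJECT are the raw
# targets.  Which actions count as a "shield" is this example's heuristic.
SHIELD_RE = re.compile(r"^(Drop|Reject|DropDNSrep|DROP|REJECT)(\(|:|$)")


def parse_rules(text: str) -> List[Rule]:
    """Return (ACTION, SOURCE, DEST) for each rule line, skipping comments,
    blank lines and ?SECTION / other compiler directives."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments too
        if not line or line.startswith("?"):
            continue
        cols = line.split()
        if len(cols) < 3:
            continue                              # malformed line; not this check's job
        rules.append((cols[0], cols[1], cols[2]))
    return rules


def unshielded_add_rules(text: str) -> List[Rule]:
    """Return ADD(...) rules with no earlier Drop/Reject rule covering the same
    SOURCE -> DEST pair.  Without such a shield above it, an ADD rule adds the
    source of any packet that reaches it, including late replies from hosts
    the firewall itself queried (upstream DNS servers, in the thread)."""
    shielded = set()
    findings: List[Rule] = []
    for action, src, dst in parse_rules(text):
        if SHIELD_RE.match(action):
            shielded.add((src, dst))
        elif ADD_RE.match(action) and (src, dst) not in shielded:
            findings.append((action, src, dst))
    return findings


def report(text: str) -> str:
    """Human-readable summary of the check for one rules file."""
    findings = unshielded_add_rules(text)
    if not findings:
        return "OK: every ADD rule is preceded by a Drop/Reject for its zone pair"
    return "\n".join(
        f"WARNING: {a} {s} {d} has no preceding Drop/Reject {s} {d}; "
        f"hosts replying late (e.g. upstream DNS servers) can end up in the set"
        for a, s, d in findings
    )


if __name__ == "__main__":
    print("Nigel's ordering:\n" + report(RULES_BEFORE))
    print("\nTom's ordering:\n" + report(RULES_AFTER))
```

Run it against a real /etc/shorewall/rules by reading the file into a string and passing it to report(). The check is deliberately conservative: it only looks at the first three columns and treats any Drop/Reject for the zone pair as sufficient, so it confirms the ordering Tom asked for rather than reasoning about which individual packets the Drop action swallows.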
