LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-08-2007, 11:28 AM   #1
Skubi
LQ Newbie
 
Registered: Jun 2007
Posts: 11

Rep: Reputation: 0
Question Shorewall help


I had a Linux firewall, but it was not working, so I downloaded Shorewall and have tried to configure it.

I have a computer for a router (Slackware 11) and also I have Webmin.

I read through articles and posts on the internet, but I haven't found out how to fix my problem.

So here: (I have shorewall 3.4.4)

eth1 = Internet (cable modem)
eth0 = LAN ( internal )

Zones configuration:

#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Network interfaces:

#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter,tcpflags
loc eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy:

#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
fw loc ACCEPT
net all DROP
all all REJECT
#LAST LINE -- DO NOT REMOVE

Rules:

#SECTION RELATED
SECTION NEW
ACCEPT loc all all
ACCEPT net all tcp 80
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
DNAT fw loc:192.168.2.196 tcp 7000
DNAT net loc:192.168.2.196 tcp 7000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Masq:

#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth1 eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-----

My internet works on local computers (behind the firewall), but I can't get the firewall to forward ports, so I could use DC++ and uTorrent and things like that.

any ideas?
P.S. I could have some lines too much, because I was trying other things. So if there is anything too much let me know.
 
Old 07-08-2007, 12:59 PM   #2
whistl
Member
 
Registered: May 2005
Location: USA
Distribution: Ubuntu, CentOS
Posts: 37

Rep: Reputation: 15
Quote:
Originally Posted by Skubi
My internet works on local computers (behind the firewall), but I can't get the firewall to forward ports, so I could use DC++ and uTorrent and things like that.

any ideas?
P.S. I could have some lines too much, because I was trying other things. So if there is anything too much let me know.
DNAT rules are used for port forwarding. You already have one good DNAT rule to forward TCP port 7000 to your inside PC.
Code:
DNAT net loc:192.168.2.196 tcp 7000
You need to add additional DNAT rules for each protocol you want forwarded to your PC. To do this, you need to read the program documentation to find out what protocol and port(s) it uses. Bittorrent clients typically use one or more TCP (and sometimes UDP) ports in the range 6881-6999. I use Azureus, which lets you hard code a single port number to use, for example 6882. I don't know about utorrent, but hopefully it has a similar feature. If you want to forward TCP port 6882, you need to add:
Code:
DNAT net loc:192.168.2.196 tcp 6882
Then add another line for DC++ (I can't tell from the documentation if it uses port 612, 1412 or both)


BTW, you could optimize your shorewall config a little bit.

1) I recommend you remove the line "ACCEPT loc all all" from the rules file and add the line "loc all ACCEPT" to the top of the policy file.

2) I recommend you change the "net all DROP" policy line to "net all DROP info", at least while you are trying to troubleshoot firewall rules. You'll get lots of garbage too, but you can remove the "info" later.

3) The rule "ACCEPT net all tcp 80" can be removed. All it does is open up port 80 on the firewall to the Internet, and you do that more clearly in the later rule "ACCEPT net fw tcp ssh,www,https,...".

4) I recommend you change the rule "ACCEPT net fw icmp 8" to "ACCEPT all all icmp 0,3,8,11". It'll make your life easier. BTW, 0,3,8,11 mean "echo reply, destination unreachable, echo request and time exceeded".

5) The rule "ACCEPT net fw udp https" can be removed. HTTPS doesn't use UDP at all.

6) The rule "DNAT fw loc:192.168.2.196 tcp 7000" is meaningless. The firewall doesn't need NAT to access inside machines.


Good Luck!
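Added example, not code from either poster: a small POSIX shell script that reads a Shorewall rules file of the kind Skubi posted, lists the DNAT port forwards it contains, and flags the three rules whistl called out above (a DNAT whose source is fw, a udp rule for https, and an ACCEPT from net to all). The rules text embedded below is a constructed copy of the thread's rules file, and the function names (list_dnat, count_dnat, lint_rules, dnat_line) are my own; Shorewall itself has no such linter.

```shell
#!/bin/sh
# Constructed copy of the rules file posted in the thread (sample input, not read from /etc/shorewall).
SAMPLE_RULES='#ACTION SOURCE DEST PROTO DEST PORT(S)
SECTION NEW
ACCEPT loc all all
ACCEPT net all tcp 80
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
DNAT fw loc:192.168.2.196 tcp 7000
DNAT net loc:192.168.2.196 tcp 7000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Print each DNAT rule as "source dest proto port(s)"; comments, blank lines and SECTION lines are skipped.
list_dnat() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 || $1 == "SECTION" { next }
        $1 == "DNAT" { print $2, $3, $4, $5 }'
}

# Number of DNAT rules in the file (prints 0 when there are none).
count_dnat() {
    list_dnat "$1" | awk 'END { print NR }'
}

# Emit one WARN line per rule matching the problems discussed in the thread.
lint_rules() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 || $1 == "SECTION" { next }
        # (6) DNAT with the firewall itself as source: the firewall reaches loc hosts directly.
        $1 == "DNAT" && $2 == "fw" { print "WARN: DNAT from fw is meaningless: " $0 }
        # (5) https is TCP only, so a udp rule for it accepts nothing useful.
        $4 == "udp" && $5 == "https" { print "WARN: https does not use udp: " $0 }
        # (3) ACCEPT net->all opens the firewall itself as well as every other zone; say fw explicitly.
        $1 == "ACCEPT" && $2 == "net" && $3 == "all" { print "WARN: ACCEPT from net to all also opens the firewall: " $0 }'
}

# Build a DNAT line for a new forward; refuses anything that is not a port number in 1-65535.
dnat_line() {   # usage: dnat_line <inside-ip> <tcp|udp> <port>
    case "$3" in
        ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;;
    esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    printf 'DNAT net loc:%s %s %s\n' "$1" "$2" "$3"
}

echo "== port forwards =="
list_dnat "$SAMPLE_RULES"
echo "== warnings =="
lint_rules "$SAMPLE_RULES"
echo "== rule for a torrent client listening on 6882 =="
dnat_line 192.168.2.196 tcp 6882
```

Run it against a copy of your own rules file by replacing the embedded SAMPLE_RULES with `$(cat /etc/shorewall/rules)`; the warnings only cover the three patterns from this thread, so a clean run is not proof the file is correct.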
 
Old 07-09-2007, 09:39 AM   #3
Skubi
LQ Newbie
 
Registered: Jun 2007
Posts: 11

Original Poster
Rep: Reputation: 0
OK, so I have tuned the firewall like u said.

I use uTorrent, and I have added ports; in uTorrent u can define which port u would like to use, like in Azureus, and I have tried more ports, but still when I try to check if the port is open I get an error:

On the internet checker it still does not work, but in uTorrent it does.

whistl tnx. If we ever meet, i am buying u a beer

Last edited by Skubi; 07-09-2007 at 09:44 AM.
 
  

