Hello

I have slack 11, and shorewall 3.4.

I have 3 comp. at home. Slack is a dchp server and roter, my comp. and my brother has one. I vae set up shorewall, but, on the computer of my brother the ports staied closed.


settings:

ZONES
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4

RULES
#################################################################################################### #########
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT all all icmp 0,3,8,11
ACCEPT fw net icmp
ACCEPT net fw tcp www,https,smtp,pop3,pop3s,imap2,imaps,submission,2869
ACCEPT net fw udp 1900
ACCEPT loc fw tcp 7000
ACCEPT net fw tcp 7000
ACCEPT fw net tcp 7000
ACCEPT loc all tcp ssh
ACCEPT net loc:192.168.2.194 tcp 7000:8000
DNAT net loc:192.168.2.196 tcp 7002
DNAT net loc:192.168.2.196 tcp 6881:6999
DNAT net loc:192.168.2.196 tcp 7000:8000
DNAT net loc:192.168.2.196 tcp 2869
DNAT net loc:192.168.2.196 udp 1900
DNAT net loc:192.168.2.196 tcp 7003
DNAT net loc:192.168.2.194 tcp 6881:6999
DNAT net loc:192.168.2.194 tcp 7000:8000
DNAT net loc:192.168.2.194 tcp 7001
DNAT net loc:192.168.2.194 tcp 8888
DNAT net loc:192.168.2.194 tcp 8081
DNAT net loc:192.168.2.194 udp 8081


NAT
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
xxx.xxx.75.142 eth1 192.168.2.194 yes yes
xxx.xxx.75.142 eth1 192.168.2.196 yes yes


POLICY
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
fw loc ACCEPT
net all DROP info
all all REJECT
loc net ACCEPT
loc fw ACCEPT
#LAST LINE -- DO NOT REMOVE


MASQ
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth1 eth0


On my computer (192.168.2.196) most ports work, but not all. On my brothers (192.168.2.194) none of the work.

Any sugestions, and if anybody knows is there is a never version of shorewall.

I have:

Shorewall-3.4.4 Status at skubi - Sun Jan 20 15:28:59 CET 2008

Shorewall is running
State:Started (Fri Feb 5 23:43:14 CET 1999)

Tnx

Hello Skubi.

It seems to me that you need to trim down your configuration a bit. There are rules that are not needed as the default policy allows it already. It is wise to keep the rules to a minimum, as it gets easier to deal with if you need to troubleshoot it. Also, my understanding of DNAT is to forward traffic to a specific host when called for. But in your rules section there are DNAT rules to several hosts. How can shorewall tell which is which? Perhaps something like this could work:

I`m not 100% sure but I dont think you can DNAT all those ports to more that one host. Seems to me like these ports are for filsharing, games and the like, and you need them to be accessible on the local side by any computer that might sit there. If so I`d go for a general ACCEPT rule like above. Also worth mentioning is to set a log level of "debug" on every rule that you have to begin with. Then tell shorewall.conf to write logs to its own file such as /var/log/shorewall/shorewall.log and follow it in real-time with This will give you more info to work with when troubleshooting shorewall.
Hope it works out.

Hello

I have made the changes, but it still does not work.

I will make logs, and hope to finde an answer.

Tnx anyways, and I am still open for any sugestions.

Perhaps you can try this:

Also read this for more information, it also links to some useful reading.

What applications are being used?

Ok i managed to make torrents working. Nice. I use port 7001 or 7002.

I have another question. If anybody knows. I have a webcam, and have a program for web cam. It uses port TCP 8888 and TCP 8081 and UDP 8081. Does anybody know how to add it to shorewall, beacuse under DNAT it does not work.

I tryes DNAT loc:192.168.2.194 net 8888

and the same with redirect and things like that, but i am without ideas, i alwasy get an error, and it stops firewall.

So any ideas how to addit, so i could acces it form the internet. So my friends could see me.

And For live messenger sharing, what ports to open.

TNX

The reason your firewall does not start again is that you write the rule the wrong way. Try this for the webcam:

DNAT net loc:192.168.2.194 tcp 8888

If this is not enough you could try to add similar rules for the other ports you mention, take one at a time.
If you want to allow incoming traffic on that port to reach more than one computer on the lan side you could try ACCEPT instead of DNAT.

You need to read this: http://www.shorewall.net/manpages/shorewall-rules.html

I googled your question with: "Live messenger ports" and found this:

Windows Live Messenger is an updated version of MSN Messenger and uses similar ports. As part of a forum to Microsoft's web site and other web sites (e.g. www.cyberphaze.net - not currently online) it seems that Windows Live Messenger uses:

Messenger server: port 1493, 1542, 1863, 1963, 80 TCP and 443 TCP
File Transfer/Sharing Folders: local: 1544 and 6891 - in fact 6720-65535 TCP from one source
Messenger Update: remote: 80 local: 1457
Remote Assistance If available): 3389 TCP
Audio: local: , 1556, 11771, 13803 and generally 5004-65535 UDP
Remote Desktop and whiteboard: local/remote: 389, 522, 1503, 1720, and 1731
Launching Games: 80
Video Conference: TCP 9000-9999, 5004-65535 UDP + 80
Sign-In: remote: 443 local: 1484, 2400

Note - blocking TCP port 80 will stop users accessing web sites using Internet Explorer and other browsers.