just off the top of my head, by looking at your packet traces...it looks like shorewall is having problems negotiating the two IPs on your NICs. Why not implement NAT on your firewall and make things easier, and much more secure. I'm not familiar with shorewall, I only use iptables. Here is what I have done in iptables to allow for what you are trying to do...maybe this will help.
(in a nutshell)
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT
#this allows all traffic between the firewall and the secured network...either you trust your firewall or you don't...:-)
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#this allows only a system on my secured network outside access. and only allows return traffic if it is an established and related connection.
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
#this takes care of my nat.
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $WSIP:22
$IPT -A FORWARD -i $PUBIF -p tcp -d $WSIP --dport 22 -j ACCEPT
#This is forwarding port 22 for ssh access...(for which I only allow RSA public key authentication...yes, I know, I'm paranoid :-) This line can be replicated for any other ports that need to be forwarded.
There are many other tricks for accomplishing what you are wanting to do. If I were you, I would look at my topology. Having your secured network accessible with public IPs kinda takes the security of a firewall out of it. I would use NAT and hide your secure network from the rest of the world, and get your firewall into stealth mode. For instance, don't tell it to reject, just have it drop. If it rejects it is responding...that is what you don't want it to do.
My topology is this:
ISP to a cable modem directly connected to a RH9 firewall with IPtables. My firewall has 3 NICs, one to the cable modem, one to my secured network, and one to my DMZ network where I host web, ftp, mail, etc. I only allow outside initiated connections to my DMZ on the specific ports I am hosting. The DMZ server is not allowed to initiate any connections on its own (in the event someone did take the DMZ). My secured network is only allowed to initiate connections, which means no outside initiated connections are allowed to my secured network whatsoever. More than all this, my firewall doesn't run ANY services except IPTABLES, yes this includes ssh (why take the chance?). And my firewall will not respond to a single request, it either forwards or drops...it doesn't exist as far as the real world is concerned. I mean if your firewall gets compromised, the whole show is over anyways.
Here is a pretty thorough (although rough) script that may help point you in the right direction:
#!/bin/bash
#
IPT=/sbin/iptables
PRIVIF="eth1"
PUBIF="eth0"
PRIVIP="192.168.100.254/32"
PUBIP=""
PRIVNET="192.168.100.0/22"
PUBLICNET=""
WSIP="192.168.100.10" # single host, so no /32 here: DNAT needs a plain address in "--to $WSIP:22"
LG_OPTIONS="-m limit --limit 5/minute --log-level 3 --log-prefix "
LG_OPTIONS_MORE="-m limit --limit 20/minute --log-level 3 --log-prefix "
LG_OPTIONS_LESS="-m limit --limit 1/minute --log-level 3 --log-prefix "
PLACE_WE_HATE="www.aol.com"
# Load modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#Clean Start
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F
#Define Policy
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
## NAT Postrouting SNAT
##Implemented in Forwarding section
##$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
##$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j SNAT --to-source $PUBIP
# Allow loopback
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
# Connections between firewall and internal network
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT
# No Cross-Forwarding
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j LOG $LG_OPTIONS "IPTABLES-X-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j DROP
# No Spoofed source addresses
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j DROP
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j DROP
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j DROP
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j DROP
# Port Scans
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG $LG_OPTIONS_MORE "IPTABLES-PORT-SCAN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
# NMAP FIN/URG/PSH
# These live in the mangle table like the Port Scans rules above, not in nat: the nat
# table is only consulted for the first packet of a NEW connection, and packets with
# bogus flag combinations are generally marked INVALID by conntrack, so rules placed
# in nat PREROUTING would mostly never fire.
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG $LG_OPTIONS_MORE "IPTABLES-NMAP-FIN-URG-PSH: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#SYN/RST
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG $LG_OPTIONS_MORE "IPTABLES-SYN-RST: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#SYN/FIN and FIN-only
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG $LG_OPTIONS_MORE "IPTABLES-SYN-FIN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN -j LOG $LG_OPTIONS_MORE "IPTABLES-FIN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN -j DROP
echo Input
########################################
###########INPUT########################
########################################
#Accept DHCP lease
$IPT -A INPUT -i $PUBIF -p udp --source-port 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $PUBIF -p udp --source-port 68 --dport 67 -j ACCEPT
#Silently Drop broadcast and multicast traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP
# Reject IDENTD 113 from xcaliber
#$IPT -A INPUT -i $PUBIF -p tcp --source 64.161.52.90 --destination-port 113 -j REJECT
#Drop all invalid incoming packets
$IPT -A INPUT -m unclean -j LOG $LG_OPTIONS "IPTABLES-UNCLEAN: "
$IPT -A INPUT -m state --state INVALID -j LOG $LG_OPTIONS "IPTABLES-INVALID-INPUT: "
$IPT -A INPUT -m unclean -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
#Drop all packets not addressed to the firewall itself
#Not logging as this is verbose
##$IPT -A INPUT -i $PUBIF -d ! $PUBIP -j LOG $LG_OPTIONS "IPTABLES-NAddr-PUBIF: "
##$IPT -A INPUT -i $PRIVIF -d ! $PRIVIP -j LOG $LG_OPTIONS "IPTABLES-NAddr-PRIV: "
# Not using because we do not know the firewall's public address
#$IPT -A INPUT -i $PUBIF -d ! $PUBIP -j DROP
#$IPT -A INPUT -i $PRIVIF -d ! $PRIVIP -j DROP
#NTP Time
#$IPT -A OUTPUT -o $PUBIF -p udp --dport 123 -j ACCEPT
#$IPT -A INPUT -i $PUBIF -p udp --sport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
#DNS
#$IPT -A OUTPUT -o $PUBIF -p udp --dport 53 -j ACCEPT
#$IPT -A INPUT -i $PUBIF -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
#Echo request outgoing ping
$IPT -A OUTPUT -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
#Echo Reply
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
#Destination Unreachable
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT
#Outgoing Traceroute #****###****#
$IPT -A OUTPUT -o $PUBIF -p udp -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept pings at the rate of one per second
# I will choose stealth and turn this off
#$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
#$IPT -A OUTPUT -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
# Specific Nasty Ports
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j LOG $LG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j LOG $LG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j DROP #MS Networking
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j LOG $LG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j LOG $LG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j DROP # NFS
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j LOG $LG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j LOG $LG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j DROP # Xwindows
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j LOG $LG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j LOG $LG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j DROP # X Font Server
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j LOG $LG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j LOG $LG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j DROP # Back Orifice
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j LOG $LG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j LOG $LG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j DROP # NetBus
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j DROP
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j LOG $LG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j LOG $LG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j DROP # SubSeven
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j DROP
# Web
$IPT -A INPUT -p tcp -i $PUBIF --dport 80 -j LOG $LG_OPTIONS_LESS "IPTABLES-WEBCRAWLER: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 80 -j DROP #
#INCOMING
# Do not allow any other connections on the external interface, including traceroute
$IPT -A INPUT -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-CONN-TO-FIREWALL: "
$IPT -A INPUT -i $PUBIF -j DROP
# Do not allow any other connections OUT from the firewall
$IPT -A OUTPUT -o $PUBIF -j DROP
echo Forwarding
#########################################################
############ Forwarding #################################
#########################################################
#Drop all invalid incoming packets
$IPT -A FORWARD -m unclean -j LOG $LG_OPTIONS "IPTABLES-UNCLEAN-FORWARD: "
$IPT -A FORWARD -m unclean -j DROP
#log
$IPT -A FORWARD -m state --state INVALID -j LOG $LG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP
#Block outgoing connections to places we hate
#$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP
#BLOCK outgoing connections by port (last resort defense against DoS)
$IPT -A FORWARD -i $PRIVIF -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -i $PRIVIF -p udp --dport 135:139 -j DROP
#Allow otherwise unrestricted outgoing connections
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT Postrouting SNAT
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j SNAT --to-source $PUBIP
# NAT Prerouting DNAT #########PORT FORWARDING##############
# --to-destination is the full option name; iptables also accepts the unambiguous abbreviation --to
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $WSIP:22
$IPT -A FORWARD -i $PUBIF -p tcp -d $WSIP --dport 22 -j ACCEPT
# Trusted Networks
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -s $TRUSTEDIP -d $WSIP -j ACCEPT
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp -s $TRUSTEDIP -d $WSIP --dport 20:21 -j ACCEPT
# Banned Networks
#$IPT -A FORWARD -i $PUBIF -s $BANNEDIP -j DROP
#$IPT -A FORWARD -i $PUBIF -p icmp -s $BANNEDIP -j DROP
#See no Evil; Forward no Evil ## Could this break MS ???
# Pikus destination was public range 1.2.3.0/24 -d 1.2.3.0/24--dport 135:139 -j DROP
# This could break things
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP # NFS
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP # Xwindows
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP # X Font Server
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j DROP # Back Orifice
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j DROP
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP # NetBus
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP
#INCOMING
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp -d 1.2.3.5 --dport
#ETC
#Set ssh, DNS, and FTP for minimum delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#Set ftp-data and web traffic for maximum throughput
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
# Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP
#Echo request outgoing ping
$IPT -A FORWARD -o $PUBIF -i $PRIVIF -p icmp --icmp-type echo-request -j ACCEPT
#Echo Reply
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
#Destination Unreachable
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type destination-unreachable -j ACCEPT
#Outgoing Traceroute #****###****#
#$IPT -A FORWARD -o $PUBIF -i $PRIVIF -p udp -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept pings at the rate of one per second
# I will choose stealth and turn this off
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
#$IPT -A FORWARD -o $PRIVIF -i $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
#Guestbook Log all TCP SYN connections
#$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp --tcp-flags SYN,ACK SYN -j LOG $LG_OPTIONS "IPTABLES-SYN-CONN: "
# Do not allow any other connections on the external interface, including traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LG_OPTIONS "IPTABLES-CONN-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP
# Complete
You can also check out http://eressea.pikus.net/~pikus/plug...all/page0.html for more help.
Hope this helps...
--dubman
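As an added example (not part of dubman's post or script): a small Python summarizer for the kernel log lines the LOG rules above produce, so you can see which prefixes fire and which sources probe several ports. The log lines are constructed samples using the script's own prefixes; addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what the script's LOG rules write to the kernel log.
# Prefixes are the script's; hosts, MACs and times are invented for the example.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: IPTABLES-SPOOF: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Mar  3 10:01:05 fw kernel: IPTABLES-MS-NETWORKING: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31337 DF PROTO=TCP SPT=3421 DPT=139 SYN URGP=0
Mar  3 10:01:06 fw kernel: IPTABLES-MS-NETWORKING: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31338 DF PROTO=TCP SPT=3422 DPT=135 SYN URGP=0
Mar  3 10:01:09 fw kernel: IPTABLES-CONN-TO-FIREWALL: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=4 PROTO=UDP SPT=53 DPT=1029 LEN=20
Mar  3 10:01:11 fw kernel: IPTABLES-X-FORWARD: IN=eth0 OUT=eth0 SRC=192.0.2.44 DST=203.0.113.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=80 SYN URGP=0
Mar  3 10:01:12 fw kernel: eth0: link up
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>IPTABLES-[A-Z0-9-]+): (?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens; bare flags like SYN or DF are skipped

def parse_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} or None for non-iptables lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec

def summarize(log_text):
    """Count hits per log prefix and collect, per source, the (proto, dport) pairs it touched."""
    by_prefix = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        if rec.get("DPT"):
            ports_by_src[rec["SRC"]].add((rec.get("PROTO"), int(rec["DPT"])))
    return by_prefix, dict(ports_by_src)

def noisy_sources(ports_by_src, min_ports=2):
    """Sources that touched at least min_ports distinct ports: the ones worth a closer look."""
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    counts, per_src = summarize(SAMPLE_LOG)
    for prefix, n in counts.most_common():
        print(f"{n:4d}  {prefix}")  # lower bounds only: every LOG rule is rate-limited
    print("noisy sources:", noisy_sources(per_src))
```

Because the script limits each LOG rule to 1, 5 or 20 entries per minute, the counts are floors, not totals; the per-source port sets survive the limiting better than raw counts.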