Please help me: Shorewall firewall can only ping out
 

:newbie: Hi - this is a security software problem, not a networking problem.

Ive installed shorewall 1.4.7 and followed the procedures in the quick start guide. Ive got serious problems and need some help. This is my setup:

1. dedicated Firewall machine running Mandrake (2.4.18-6mdk Kernal) with two interfaces. Interface eth0 has the ip address assigned by DHCP on boot up. Intereface eth1 has my internal self assigned ip address: 10.10.10.254.

2. I have two pcs behind the firewall on local subnet 10.10.10.1 and 10.10.10.2, with netmask 255.255.255.0 & default gateway set to 10.10.10.254.

I followed the quick start guides several times and used the recommended sample two-interface set up files from the website www.shorewall.net. Basically these are supposed to have pre-configuired settings for the program to work with my set up - i copied these files to /etc/shorewall/ as instructed.

My problems:
Because im ignorant about firewalls it is all confusing to me and i cannot analyse the set up myself.

1. I can ping the internet from my firewall machine, but I cannot get web pages up!!
I can also ping my local subnet machines from the firewall & visa versa.

2. Neither of the local machines can even directly ping the internet and of course cannot get any web pages - though they can ping the firewall.

I guess that the problem could have something to do with the rules & policy file settings. I need someone to set out simple settings for this software that will work and allow me to see web pages. Although 'its all in the manual' i cannot unserstand it. I need guidance specifically on getting this program configuired right

Please help me - anybody? :(

Ok i have narrowed this problem down a bit. I now got the firewall to access the internet. The problem is now that I cannot access the internet through my two lan machines. (packet forwarding is enabled in the firewall kernal). These are the policy & rules i have:

/etc/shorewall/policy

source destination policy loglevel

loc net accept

net all drop info

all all reject info

fw net accept


/* it was the last entry that allowed the firewall to retrieve web pages */

Please tell me what needs to go in here to allow the lan machines to access the net? Im 99.9% sure it is not a networking problem

The file for rules is :

/etc/shorewall/rules

Action Source Destination protocol destination port

accept fw (firewall) net tcp 53

accept fw net udp 53

/* the above allows DNS connections from the firewall to internet - im told!! */

accept loc fw tcp 22

/* this is something to do with ssh */

accept loc fw icmp 8

accept net fw icmp 8

accept fw loc icmp 8

accept fw net icmp 8


_____

thats it - can you tell me if something needs to go in here to allow the local machines to access the internet? eg something allowing tcp http??

I hope this info helps you to help me. Thanks!!

Hi folks - its me again!! It has been a long day fiddling with this problem, but i finally got through the firewall from my lan (im using a windows machine now!). I read a web forum message by the creator of the shorewall program. He said to diagnose the problem, type 'shorewall clear' & then try to connect to the web. If it does not work then the problem is nothing to do with the firewall at all!!!

So it was a network problem and i was certain it was not. I read bits of a book 'practical tcp/ip'. I could not ping from my lan using a target name, but i could do so using a ip number - the problem was connected with DNS on the lan machine. I dont know much about this anbd basically just ticked enable dns in the network adapter > properties > dns tab, filled in a few other values and rebooted. Just as i was about to go to sleep depressed by all this, hey presto - a web page was displayed!!

my task now is to try to understand about firewalls and to make sure that mine is properly configuired.

Thank you for reading this & i hope it helps someone who has similar problems.