Please help me: Shorewall firewall can only ping out
Hi - this is a security software problem, not a networking problem.
I've installed Shorewall 1.4.7 and followed the procedures in the quick start guide. I've got serious problems and need some help. This is my setup:

1. Dedicated firewall machine running Mandrake (2.4.18-6mdk kernel) with two interfaces. Interface eth0 has the IP address assigned by DHCP on boot up. Interface eth1 has my internal self-assigned IP address: 10.10.10.254.

2. I have two PCs behind the firewall on local subnet, 10.10.10.1 and 10.10.10.2, with netmask 255.255.255.0 & default gateway set to 10.10.10.254.

I followed the quick start guides several times and used the recommended sample two-interface set up files from the website www.shorewall.net. Basically these are supposed to have pre-configured settings for the program to work with my set up - I copied these files to /etc/shorewall/ as instructed.

My problems: Because I'm ignorant about firewalls it is all confusing to me and I cannot analyse the set up myself.

1. I can ping the internet from my firewall machine, but I cannot get web pages up!! I can also ping my local subnet machines from the firewall & vice versa.

2. Neither of the local machines can even directly ping the internet and of course cannot get any web pages - though they can ping the firewall.

I guess that the problem could have something to do with the rules & policy file settings. I need someone to set out simple settings for this software that will work and allow me to see web pages. Although 'it's all in the manual' I cannot understand it. I need guidance specifically on getting this program configured right. Please help me - anybody? :(
OK, I have narrowed this problem down a bit. I now got the firewall to access the internet. The problem is now that I cannot access the internet through my two LAN machines. (Packet forwarding is enabled in the firewall kernel.) These are the policy & rules I have:

/etc/shorewall/policy

    source  destination  policy  loglevel
    loc     net          accept
    net     all          drop    info
    all     all          reject  info
    fw      net          accept      /* it was the last entry that allowed the firewall to retrieve web pages */

Please tell me what needs to go in here to allow the LAN machines to access the net? I'm 99.9% sure it is not a networking problem.

The file for rules is /etc/shorewall/rules:

    Action  Source          Destination  protocol  destination port
    accept  fw (firewall)   net          tcp       53
    accept  fw              net          udp       53    /* the above allows DNS connections from the firewall to internet - I'm told!! */
    accept  loc             fw           tcp       22    /* this is something to do with ssh */
    accept  loc             fw           icmp      8
    accept  net             fw           icmp      8
    accept  fw              loc          icmp      8
    accept  fw              net          icmp      8

That's it - can you tell me if something needs to go in here to allow the local machines to access the internet? E.g. something allowing tcp http?? I hope this info helps you to help me. Thanks!!
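An added example (my own toy, not from the thread or the Shorewall project) that re-types the poster's policy and rules tables inline and walks them the way Shorewall does: the rules file is consulted first, and the policy file supplies the default when no rule matches, first match winning in each. It ignores log levels and takes the poster's "fw" as the firewall zone name. Running it shows that loc -> net tcp 80 is already ACCEPTed by the "loc net accept" policy line, which is consistent with the firewall not being the cause of the LAN problem.

```python
# Toy evaluator for the poster's Shorewall 1.4 policy/rules (re-typed here;
# "fw (firewall)" in the first rule is written as plain "fw").
POLICY = """
loc net accept
net all drop info
all all reject info
fw net accept
"""

RULES = """
accept fw net tcp 53
accept fw net udp 53
accept loc fw tcp 22
accept loc fw icmp 8
accept net fw icmp 8
accept fw loc icmp 8
accept fw net icmp 8
"""

def parse(table):
    """Split a whitespace-separated table into rows, dropping '#' comments."""
    rows = []
    for line in table.strip().splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rows.append(fields)
    return rows

def decide(src, dst, proto, port):
    """Action for a new connection from zone src to zone dst.
    Rules match on exact zones, protocol and destination port (ICMP type
    for icmp); the first matching rule wins. Otherwise the first matching
    policy line wins, with 'all' acting as a wildcard for either zone."""
    for action, rsrc, rdst, rproto, rport in parse(RULES):
        if (rsrc, rdst, rproto, rport) == (src, dst, proto, str(port)):
            return action.upper()
    for psrc, pdst, action, *_loglevel in parse(POLICY):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action.upper()
    return "REJECT"  # Shorewall requires a policy for every zone pair; toy fallback only

if __name__ == "__main__":
    for q in (("loc", "net", "tcp", 80), ("net", "fw", "tcp", 22),
              ("loc", "fw", "tcp", 22), ("net", "fw", "icmp", 8)):
        print(q, "->", decide(*q))
```

Note the last query: the "accept net fw icmp 8" rule is matched before the "net all drop" policy, so the firewall answers pings from the internet even though the policy drops everything else from net.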
Hi folks - it's me again!! It has been a long day fiddling with this problem, but I finally got through the firewall from my LAN (I'm using a Windows machine now!). I read a web forum message by the creator of the Shorewall program. He said to diagnose the problem, type 'shorewall clear' & then try to connect to the web. If it does not work then the problem is nothing to do with the firewall at all!!!
So it was a network problem and I was certain it was not. I read bits of a book 'Practical TCP/IP'. I could not ping from my LAN using a target name, but I could do so using an IP number - the problem was connected with DNS on the LAN machine. I don't know much about this and basically just ticked enable DNS in the network adapter > properties > DNS tab, filled in a few other values and rebooted. Just as I was about to go to sleep depressed by all this, hey presto - a web page was displayed!! My task now is to try to understand about firewalls and to make sure that mine is properly configured. Thank you for reading this & I hope it helps someone who has similar problems.