[expert] shore wall
Every time I start shore wall, squid and everything is denied. Can anyone help me setting these up? I think Jack said to manually do this yesterday; I get the same problem.

Action  Source    Destination  Protocol  Source ports  Destination ports
ACCEPT  Zone net  Zone fw      TCP       Any           53,22,137,138,139,631,3128,1
ACCEPT  Zone net  Zone fw      UDP       Any           53,137,138,139,631
ACCEPT  Zone loc  Zone fw      TCP       Any           53,22,137,138,139,631,3128,1
ACCEPT  Zone loc  Zone fw      UDP       Any           53,137,138,139,631

James S. Lawson
Network Manager
Brown Raysman Millstein Felder Steiner
900 Third Avenue
New York, NY 10022

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] shore wall
From: Lawson, Jim [EMAIL PROTECTED]
> Every time I start shore wall, squid and everything is denied. Can anyone help me setting these up?
>
> ACCEPT Zone net Zone fw TCP Any 53,22,137,138,139,631,3128,1
> ACCEPT Zone net Zone fw UDP Any 53,137,138,139,631
> ACCEPT Zone loc Zone fw TCP Any 53,22,137,138,139,631,3128,1
> ACCEPT Zone loc Zone fw UDP Any 53,137,138,139,631

If I understand this correctly, you have made a nice attack point for hackers...

Assuming 'net' is Internet, 'fw' is the firewall, and 'loc' is your local lan.. if so, you have your system open for attacks/misuse on dns, samba, squid, ...

Here is what you need:

---cut---
#ACTION  SOURCE  DEST  PROTO  DEST             SOURCE   ORIGINAL
#                             PORT             PORT(S)  DEST
#
# access from the internet only to ssh (disable this one too if you don't need it...)
ACCEPT   net     fw    tcp    22
# access from the lan to the services on the firewall (ssh, dns, ipp, squid)
ACCEPT   loc     fw    tcp    22,53,631,3128
ACCEPT   loc     fw    udp    53
# Let the services on the firewall get net access (dns, squid http port)
ACCEPT   fw      net   tcp    53,80
ACCEPT   fw      net   udp    53
# Special Samba rules between the lan and the firewall
ACCEPT   loc     fw    udp    137:139,445
ACCEPT   loc     fw    tcp    137,139,445
ACCEPT   loc     fw    udp    1024:            137
ACCEPT   fw      loc   udp    137:139,445
ACCEPT   fw      loc   tcp    137,139,445
ACCEPT   fw      loc   udp    1024:            137
---cut---

now you only have to decide what to do about port 1, since I don't know what service you are using it for, or if it's a local service ( lan - fw ), so you need to put it in the right ACCEPT line

this is all you need as the conntrack modules keep the returning info/packets happy, and you should have a secured firewall...

If you need more info... feel free to ask...

Regards
Thomas
RE: [expert] shore wall
This was the default except for 1000 and 3128. It doesn't work anyway; that is why I am asking. 1 is webmin. I hate running to the server to manage it. What I would like is to have everything bound to eth0 and deny all but ssh to eth1.

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall
Re: [expert] shore wall
From: Lawson, Jim [EMAIL PROTECTED]
> 1 is webmin. I hate running to the server to manage it. What I would like is to have everything bound to eth0 and deny all but ssh to eth1.

then you should have this in /etc/shorewall/interfaces

--- cut ---
net  eth1  detect
loc  eth0  detect
#LAST LINE -- ...
--- cut ---

and this in /etc/shorewall/rules

---cut---
#ACTION  SOURCE  DEST  PROTO  DEST             SOURCE   ORIGINAL
#                             PORT             PORT(S)  DEST
#
ACCEPT   net     fw    tcp    22
# access from lan to the firewall (ssh, dns, ipp, squid, webmin)
ACCEPT   loc     fw    tcp    22,53,631,3128,1
ACCEPT   loc     fw    udp    53
# Let the services on the firewall get net access (dns, squid http port)
ACCEPT   fw      net   tcp    53,80
ACCEPT   fw      net   udp    53
# Special Samba rules between the lan and the firewall
ACCEPT   loc     fw    udp    137:139,445
ACCEPT   loc     fw    tcp    137,139,445
ACCEPT   loc     fw    udp    1024:            137
ACCEPT   fw      loc   udp    137:139,445
ACCEPT   fw      loc   tcp    137,139,445
ACCEPT   fw      loc   udp    1024:            137
---cut---

this is all you need as the conntrack modules keep the returning info/packets happy, and you should have a secured firewall...

then restart shorewall, and let me know if it works...

--
Regards
Thomas
RE: [expert] shore wall
I will try this and thanks for your help. It is much appreciated.

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall
RE: [expert] shore wall
I did what you put here, and on mandrake 9.2 via the ssh and vi I copied and pasted what you had typed, and after I started shore wall it disconnected webmin and ssh via the local net.

-Original Message-
From: Lawson, Jim [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [expert] shore wall

> I will try this and thanks for your help. It is much appreciated.
Re: [expert] shore wall
lose the word Zone -- e.g.

ACCEPT net fw UDP Any 53,137,138,139,631

On Fri, 2003-11-14 at 06:34, Lawson, Jim wrote:
> Every time I start shore wall, squid and everything is denied. Can anyone help me setting these up?
>
> ACCEPT Zone net Zone fw UDP Any 53,137,138,139,631

--
Jack Coates at Monkeynoodle Dot Org: It's A Scientific Venture...
Re: [expert] shore wall
From: Lawson, Jim [EMAIL PROTECTED]
> I did what you put here, and on mandrake 9.2 via the ssh and vi I copied and pasted what you had typed, and after I started shore wall it disconnected webmin and ssh via the local net.

Question: are you sure that eth0 is your lan, and eth1 is your internet access?
( if shorewall didn't get back up, it too would lock you out)

so add eth0 to /etc/shorewall/routestopped and the access will keep on working even if shorewall is misconfigured...

if you just copy / pasted my settings, I hope you moved the text PORT(S)DEST to its right place, under:
... SOURCE ORIGINAL
or else it would have broken your shorewall setup... preventing shorewall from restarting...

--
Regards
Thomas
RE: [expert] shore wall
That is from the webmin page. Here are the rules for /etc/shorewall/:

#ACCEPT net fw tcp 22,80 -
#ACCEPT net fw udp 53 -
#ACCEPT loc fw tcp 53,22,631,3128, -
#ACCEPT loc fw udp 53, -
#ACCEPT $FW net tcp 53,80 -
#ACCEPT $FW net udp 53 -
#ACCEPT loc $FW udp 137,139,445 -
#ACCEPT loc $FW tcp 137,,139,,445,1 -
#ACCEPT loc $FW udp 1024,137 -

These are the original ones, not the ones that Thomas Backlund has given me.

-Original Message-
From: Jack Coates [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:18 PM
To: Mandrake Expert List
Subject: Re: [expert] shore wall

> lose the word Zone -- e.g.
>
> ACCEPT net fw UDP Any 53,137,138,139,631
RE: [expert] shore wall
The server has 2 eth ports, eth1 and eth2. eth 1 is eth0 and eth 2 is eth 1. eth1 = eth0 is inside and eth2 = eth1 is outside, just checked. Also I did cut and paste yours into the rules.

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall

> Question: are you sure that eth0 is your lan, and eth1 is your internet access?
> ( if shorewall didn't get back up, it too would lock you out)
>
> so add eth0 to /etc/shorewall/routestopped and the access will keep on working even if shorewall is misconfigured...
Re: [expert] shore wall
From: Lawson, Jim [EMAIL PROTECTED]
> The server has 2 eth ports, eth1 and eth2. eth 1 is eth0 and eth 2 is eth 1. eth1 = eth0 is inside and eth2 = eth1 is outside, just checked. Also I did cut and paste yours into the rules.

so add eth0 to /etc/shorewall/routestopped and remove the line that starts with PORT(S)DEST and issue a 'shorewall start' and it should work, as it does for me... and I have been using Shorewall since before MDK started to use it...

let me know if it works...

--
Regards
Thomas
RE: [expert] shore wall
Here is what I have in my /etc/shorewall/rules; the ones with the # are old ones.

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVECTION SOURCE DESTPROTO DESTSOURCE ORIGINAL
# PORTPORT(S)DEST
#ACCEPT net fw tcp 22,80 -
#ACCEPT net fw udp 53 -
#ACCEPT loc fw tcp 53,22,631,3128, -
#ACCEPT loc fw udp 53, -
#ACCEPT $FW net tcp 53,80 -
#ACCEPT $FW net udp 53 -
#ACCEPT loc $FW udp 137,139,445 -
#ACCEPT loc $FW tcp 137,,139,,445,1 -
#ACCEPT loc $FW udp 1024,137 -
ACCEPT   loc   fw    tcp   22,53,631,3128,1
ACCEPT   loc   fw    udp   53
ACCEPT   fw    net   tcp   53,80
ACCEPT   fw    net   udp   53
ACCEPT   loc   fw    udp   137:139,445
ACCEPT   loc   fw    tcp   137,139,445
ACCEPT   loc   fw    udp   1024:        137
ACCEPT   fw    loc   udp   137:139,445
ACCEPT   fw    loc   tcp   137,139,445
ACCEPT   fw    loc   udp   1024:        137
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall

> so add eth0 to /etc/shorewall/routestopped and remove the line that starts with PORT(S)DEST and issue a 'shorewall start' and it should work, as it does for me...
Re: [expert] shore wall
From: Lawson, Jim [EMAIL PROTECTED]
> Here is what I have in my /etc/shorewall/rules; the ones with the # are old ones.
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVECTION SOURCE

remove this line that is above the rules, or they will never get activated... as the shorewall script only reads until it finds the text '#LAST LINE...' and as it states it's the LAST LINE, so it should be found only once, and that is as the last line in the rules file (and you already have that line in place according to your mail)

then issue a 'shorewall restart' and let me know how it works...

--
regards
Thomas
RE: [expert] shore wall
I noticed that some of the entries have : instead of , between them.

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall

> remove this line that is above the rules, or they will never get activated... as the shorewall script only reads until it finds the text '#LAST LINE...'
RE: [expert] shore wall
No good, still stops everything. I did not add the routestopped command since I did not understand where to put it in the routestopped file.

-Original Message-
From: Lawson, Jim [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 1:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [expert] shore wall

> I noticed that some of the entries have : instead of , between them.
RE: [expert] shore wall
Did this below, still nothing, everything stops... Can you help more, please.

[EMAIL PROTECTED] shorewall]# service shorewall check
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Notice: The 'check' command is unsupported and problem reports complaining about errors that it didn't catch will not be accepted
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Verifying Configuration...
Loading Modules...
Determining Zones...
   Zones: net loc
Validating interfaces file...
   Warning: Invalid option (routestopped) in record net eth0 detect routestopped
Validating hosts file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Validating policy file...
   Policy for loc to net is ACCEPT using chain loc2net
   Policy for fw to net is ACCEPT using chain fw2net
   Policy for net to loc is DROP using chain net2all
   Policy for net to fw is DROP using chain net2all
   Policy for loc to fw is REJECT using chain all2all
   Policy for fw to loc is REJECT using chain all2all
Validating rules file...
   Rule ACCEPT loc fw tcp 22,53,631,3128,1 - checked.
   Rule ACCEPT loc fw udp 53 - checked.
   Rule ACCEPT fw net tcp 53,80 - checked.
   Rule ACCEPT fw net udp 53 - checked.
   Rule ACCEPT loc fw udp 137:139,445 - checked.
   Rule ACCEPT loc fw tcp 137,139,445 - checked.
   Rule ACCEPT loc fw udp 1024: 137 - checked.
   Rule ACCEPT fw loc udp 137:139,445 - checked.
   Rule ACCEPT fw loc tcp 137,139,445 - checked.
   Rule ACCEPT fw loc udp 1024: 137 - checked.
Configuration Validated
Notice: The 'check' command is unsupported and problem reports complaining about errors that it didn't catch will not be accepted

-Original Message-
From: Thomas Backlund [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [expert] shore wall

> remove this line that is above the rules, or they will never get activated... as the shorewall script only reads until it finds the text '#LAST LINE...'
>
> then issue a 'shorewall restart' and let me know how it works...
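The check output above reports eth0 in the net zone and eth1 in loc, the reverse of the interfaces file proposed earlier in the thread (net on eth1, loc on eth0), while every ACCEPT rule for the firewall's own services names loc as the source zone. The Python model below is an added example, not Shorewall's code and not from any message in the thread: it replays the zones, policies and rules exactly as the check printed them and evaluates an SSH packet arriving on eth0 under both interface mappings, using a simplified reading of Shorewall's port syntax (',' lists, 'a:b' ranges, '1024:' open-ended) that Jim asked about.

```python
"""Toy model of Shorewall zone/policy/rule evaluation (editor's example).

It reproduces the configuration printed by 'shorewall check' in the thread
to show why LAN traffic arriving on eth0 is dropped when eth0 sits in the
'net' zone, and how the ',' and ':' port syntax matches.
"""

# Interface -> zone mapping exactly as 'shorewall check' reported it.
INTERFACES_AS_CHECKED = {"eth0": "net", "eth1": "loc"}
# Assumption: the mapping proposed earlier in the thread (net eth1, loc eth0).
INTERFACES_AS_PROPOSED = {"eth0": "loc", "eth1": "net"}

# Policies as printed by the check (source zone, dest zone) -> default action.
POLICIES = {
    ("loc", "net"): "ACCEPT",
    ("fw", "net"): "ACCEPT",
    ("net", "loc"): "DROP",
    ("net", "fw"): "DROP",
    ("loc", "fw"): "REJECT",
    ("fw", "loc"): "REJECT",
}

# Rules as printed: (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)).
# '-' means any port. '1024:' is an open-ended dest range, '137' a source port.
RULES = [
    ("ACCEPT", "loc", "fw", "tcp", "22,53,631,3128,1", "-"),
    ("ACCEPT", "loc", "fw", "udp", "53", "-"),
    ("ACCEPT", "fw", "net", "tcp", "53,80", "-"),
    ("ACCEPT", "fw", "net", "udp", "53", "-"),
    ("ACCEPT", "loc", "fw", "udp", "137:139,445", "-"),
    ("ACCEPT", "loc", "fw", "tcp", "137,139,445", "-"),
    ("ACCEPT", "loc", "fw", "udp", "1024:", "137"),
    ("ACCEPT", "fw", "loc", "udp", "137:139,445", "-"),
    ("ACCEPT", "fw", "loc", "tcp", "137,139,445", "-"),
    ("ACCEPT", "fw", "loc", "udp", "1024:", "137"),
]


def port_matches(spec, port):
    """Port list syntax: ',' separates entries; 'lo:hi' is an inclusive range,
    with a missing bound meaning 1 or 65535 ('1024:' = 1024..65535)."""
    if spec == "-":
        return True
    for entry in spec.split(","):
        if ":" in entry:
            lo, hi = entry.split(":", 1)
            if int(lo or 1) <= port <= int(hi or 65535):
                return True
        elif int(entry) == port:
            return True
    return False


def zone_of(interfaces, iface):
    """No interface on a side means the packet is to/from the firewall itself."""
    return "fw" if iface is None else interfaces[iface]


def evaluate(interfaces, in_iface, out_iface, proto, dport, sport=40000):
    """First matching rule wins; otherwise the zone-pair policy decides."""
    src, dst = zone_of(interfaces, in_iface), zone_of(interfaces, out_iface)
    for action, rsrc, rdst, rproto, dports, sports in RULES:
        if ((rsrc, rdst, rproto) == (src, dst, proto)
                and port_matches(dports, dport) and port_matches(sports, sport)):
            return action
    return POLICIES[(src, dst)]


if __name__ == "__main__":
    # SSH from the LAN (arriving on eth0) to the firewall under both mappings.
    for name, ifaces in (("as checked", INTERFACES_AS_CHECKED),
                         ("as proposed", INTERFACES_AS_PROPOSED)):
        print(name, "ssh from eth0 ->", evaluate(ifaces, "eth0", None, "tcp", 22))
```

With the mapping the check reported, the LAN packet is evaluated as net to fw and falls through to the DROP policy, which matches the symptom of ssh and webmin dying on the local net; with loc on eth0 the first rule accepts it.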