--On Thursday, March 06, 2003 06:15:16 PM +0100 "Thomas V. Fischer" <[EMAIL PROTECTED]> wrote:

Hey all,

I have managed to get most of my Bering set-up running but I am
encountering problems with certain network access such as :

- POP sessions that hang at the end of the download phase
- IRC connections that can not be established at all
- www searches (like Google) that never end/complete


/etc/shorewall/hosts
#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.51.0/24
dmz     eth0:192.168.1.0/24

Security by obscurity!



/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST                       OPTIONS
net     ppp0        -                               dhcp,norfc1918,blacklist,routefilter

PPP never uses dhcp!


-       eth0        192.168.51.255,192.168.1.255    dhcp

/etc/shorewall/masq
  #INTERFACE SUBNET     ADDRESS
  ppp0   192.168.51.0/24


/etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw      net     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG


/etc/shorewall/routestopped
#INTERFACE  HOST(S)
eth0        -

/etc/shorewall/TOS
# SOURCE DEST  PROTOCOL SOURCE PORTS DEST PORTS TOS
all  all   tcp   -    ssh   16
all  all   tcp   ssh    -   16
all  all   tcp   -    ftp   16
all  all   tcp   ftp    -   16
all  all   tcp   ftp-data  -   8
all  all   tcp   -    ftp-data 8


/etc/shorewall/rules
#ACTION SOURCE  DEST    PROTO   DEST                            SOURCE  ORIGINAL
#                               PORT                            PORT(S) DEST
# (default provide rules)
ACCEPT  loc     net     tcp     53
ACCEPT  loc     net     tcp     53
# LET IN CHECKPOINT VPN... 50 51 256 259 500u 778 2746u (TCP or udp)
ACCEPT  net     loc     udp     50,51,256,259,500,778,2746
ACCEPT  net     loc     tcp     50,51,256,259,500,778,2746
ACCEPT  loc     net     udp     50,51,256,259,500,778,2746
ACCEPT  loc     net     tcp     50,51,256,259,500,778,2746

Why are you defining ACCEPT rules loc->net when your loc->net policy is ACCEPT???? Those rules do nothing except slow down your firewall.


Your 'hang' problems probably are caused by not setting CLAMPMSS=Yes in shorewall.conf.

Your IRC problems are caused by the fact that IRC requires auth to work. So you must port forward tcp port 113 to your IRC client machine OR you must run a masquerade-aware identd on your firewall and you must accept tcp port 113 from net->fw.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]
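What CLAMPMSS=Yes does under the hood, as an added illustration that is not part of the original thread and not Shorewall's or netfilter's own code: the firewall rewrites the MSS option in every forwarded SYN so the peer never sends a segment larger than the PPP link can carry, which is the usual cause of "download hangs at the end" behind a PPP/PPPoE link. The example below constructs a sample SYN in pure Python, clamps its MSS to a hypothetical 1492-byte PPPoE path MTU minus 40 bytes of IPv4+TCP headers (the same arithmetic netfilter's TCPMSS target uses for --clamp-mss-to-pmtu), and recomputes the TCP checksum so the rewritten segment is still valid. The addresses and ports are constructed for the example.

```python
import struct

# 20-byte IPv4 header + 20-byte TCP header: the overhead subtracted from the
# path MTU to obtain the largest MSS that still fits (assumption: IPv4 only).
IP_TCP_HEADERS = 40


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data; an odd final byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment.

    Over a segment whose checksum field is already filled in, the result is 0
    exactly when the segment verifies."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample SYN: 20-byte header + one 4-byte MSS option (doff 6)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x02, 8192, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    csum = tcp_checksum(src, dst, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def get_mss(segment: bytes):
    """Return the MSS option value, or None if the segment carries none."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:           # malformed option, stop parsing
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(src: bytes, dst: bytes, segment: bytes, pmtu: int) -> bytes:
    """Rewrite the MSS option of a SYN so it fits the path MTU (what CLAMPMSS
    asks netfilter to do). Non-SYN segments and RSTs are returned untouched."""
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):
        return segment
    limit = pmtu - IP_TCP_HEADERS
    doff = (segment[12] >> 4) * 4
    seg = bytearray(segment)
    i = 20
    while i < doff:
        kind = seg[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:
            break
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", seg[i + 2:i + 4])[0]
            if mss > limit:
                seg[i + 2:i + 4] = struct.pack("!H", limit)
        i += length
    # The option bytes changed, so the TCP checksum must be recomputed.
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    # Constructed sample: a LAN client behind the firewall opening a POP session.
    src, dst = bytes([192, 168, 51, 10]), bytes([198, 51, 100, 7])
    syn = build_syn(src, dst, 40000, 110, 1460)      # Ethernet default MSS
    clamped = clamp_mss(src, dst, syn, 1492)         # hypothetical PPPoE MTU
    print("MSS", get_mss(syn), "->", get_mss(clamped),
          "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```

Only the SYN is rewritten because that is the only segment in which MSS is negotiated; an MSS already at or below the limit is left alone, and a segment without the option passes through with its checksum unchanged.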



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
