Thomas Backlund wrote:
Cameron MacDonald wrote:
Thomas Backlund wrote:
Cameron MacDonald wrote:
Marek Pawinski wrote:
Cameron MacDonald wrote:
I'm having trouble setting rules for Shorewall (version 2.0.17) on
my 2005LE box. I'm trying to ssh into it from a laptop on my
local network. LE box is 192.168.1.100, laptop is 192.168.1.102.
Default gateway is set correctly in both machines (192.168.1.1).
Zones defined in /etc/shorewall/zones are: net and loc. I've tried
quite a few rules using ACCEPT and DNAT as actions, but nothing
seems to work. The only way to ssh into it is to stop Shorewall.
Can anyone shed a ray of light on this? I've gone through the
Shorewall.sourceforge site, but can't seem to find anything that
works.
I appreciate any thoughts.
Cameron
Any other info that would help, just ask.
Try adding this to your shorewall rules:
ACCEPT net:192.168.1.102 net:192.168.1.100 all
ACCEPT net:192.168.1.102 $FW:192.168.1.100 all
Ugh...
That's disabling any firewalling between .102 and .100 on all NICs...
Thanks, Marek.
That works great. Now that I look at those rules, they make sense.
Cameron
The only thing you should need is:
ACCEPT loc:192.168.1.102 fw tcp 22
which only opens up port 22 (ssh) from your laptop when connected to
your LAN (Shorewall always considers the host it's installed on as "fw").
--
Regards
Thomas
Thanks for your input, Thomas.
Both the PC and the laptop are mine, only used by me, and I'm the only
one here, so maybe it doesn't matter if the firewall is open between
.100 and .102??
That's a choice for you to make, as it's based on how secure you want
your system...
Is your Router also a firewall?
If so... Do you really need a firewall on an internal host...
Anyway, today when I tried it, I couldn't ssh into .100 again. Tried
with wireless (wlan0) and wired (eth0)--no joy. Stopped shorewall on
CLI, still no joy. Stopped shorewall with MCC, now I can get through.
Doing a 'shorewall stop' in the CLI won't clear the rules...
You also need to do a 'shorewall clear'.
So I changed the rules to what you suggested:
ACCEPT loc:192.168.1.102 fw tcp 22
Still no joy with shorewall running.
I've got to be overlooking something, but.....
Scratching my addled pate!!
What are 'loc' and 'net' defined as?
If they point at the same net addresses it will surely screw with
Shorewall trying to set up its filtering.
--
Regards
Thomas
Yes, my router IS a firewall. I was trying for beaucoup security,
but I guess it's just repetitively redundant, eh? Maybe I'll just go
without Shorewall for now.
Thanks for "clearing" up the "shorewall clear" issue. (pun intended,
of course).
Just to increase my understanding:
I've got loc and net defined in /etc/shorewall/zones as:
#ZONE DISPLAY COMMENTS
net Net Internet zone
loc Loc Local networks
dmz DMZ Demilitarized zones
Is this the only place they are defined?
There is also an entry in /etc/shorewall/interfaces:
net eth0 detect
Should I have an entry for loc and wlan0, such as:
loc wlan0 detect ??
Thanks for helping out.
Cameron
--
Registered Linux User #388790 http://counter.li.org
Closing the Windows in my life
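An added check (not part of this thread) for the question above about whether loc needs its own entry in /etc/shorewall/interfaces: a rule such as "ACCEPT loc:192.168.1.102 fw tcp 22" can only match traffic arriving from an interface that the interfaces file (or the hosts file) binds to the loc zone, so with only "net eth0 detect" defined there is no loc zone for it to match. The script below, using constructed sample files rather than the poster's real configuration, lists every zone named in the rules file that no interfaces line binds; it assumes the hosts file is not in use.

```shell
# Lint for the situation in the thread: rules refer to a zone that no line in
# /etc/shorewall/interfaces binds to an interface, so they can never match.
# All files below are constructed samples, not the poster's configuration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# As in the thread: only eth0 is bound, and it is bound to "net".
cat > "$WORK/interfaces.before" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
EOF

# Corrected: both LAN-side NICs of a host sitting behind the router are
# bound to "loc", so a loc: rule has something to match.
cat > "$WORK/interfaces.after" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect
loc     wlan0       detect
EOF

cat > "$WORK/rules" <<'EOF'
#ACTION SOURCE              DEST    PROTO   DEST PORT(S)
ACCEPT  loc:192.168.1.102   fw      tcp     22
EOF

# unbound_zones RULES INTERFACES: print each zone used as a rule's SOURCE or
# DEST (the part before any ":address" qualifier) that no interfaces line
# binds. "fw"/"$FW" (the firewall itself) and "all" are not interface zones.
unbound_zones() {
    awk '
        FNR == 1 { file++ }                      # 1 = interfaces, 2 = rules
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blanks
        file == 1 { bound[$1] = 1; next }        # zone column of interfaces
        {
            for (i = 2; i <= 3; i++) {           # SOURCE and DEST columns
                z = $i; sub(/:.*/, "", z)
                if (z == "fw" || z == "$FW" || z == "all") continue
                if (!(z in bound) && !(z in seen)) { seen[z] = 1; print z }
            }
        }' "$2" "$1"
}

unbound_zones "$WORK/rules" "$WORK/interfaces.before"   # prints: loc
unbound_zones "$WORK/rules" "$WORK/interfaces.after"    # prints nothing
```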