Tom Eastep wrote:
> Fernando Galvan wrote:
>> I'm trying to set up the firewall so that most of the users on my network
>> can only access the net through a proxy and most ports are closed. But I
>> need certain machines to be able to access all ports both inbound and
>> outbound. I've tried all sorts of rules but they haven't worked.
>> Mainly steam, messenger live, amsn and windowsupdate won't connect.
>
> A) You haven't correctly configured LOGFILE in shorewall.conf so the dump you
> attached shows no rejected traffic. Are you looking at your log? It should be
> telling you what is being blocked (if, in fact, Shorewall is blocking the
> connections that aren't working). Your log together with Shorewall FAQ 17 should
> allow you to solve most connection problems of this kind.
>
> It appears that you are running a late SuSE distribution so the iptables log
> should be /var/log/firewall.
>
> B) You haven't told us what non-working connection(s) you tried during the 9
> minutes covered by this dump (source IP, destination IP, protocol, destination
> port). Without that information, we have no idea where in the dump to look for
> the problem (especially with no log messages). From your report, it isn't even
> clear whether the unworking connections are from the users that have
> unrestricted access or from those who do not.
>
> C) You have a long list of ACCEPT rules for loc->fw even though you have a
> loc->fw ACCEPT policy -- why?
>
> D) I've never seen a DMZ with dmz->all and all->dmz ACCEPT policies (again, you
> have a long list of ACCEPT rules involving the DMZ).
>

F) You also appear to have a wide range of net->loc ACCEPT rules even though your
local network is masqueraded -- that will never work! See Shorewall FAQ 30.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
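The three configuration problems Tom raises (a LOGFILE that does not match where the distribution's syslog writes iptables messages, ACCEPT rules that duplicate an existing ACCEPT policy, and net->loc ACCEPT rules on a masqueraded network, which need DNAT instead) can be checked mechanically. The script below is an added example, not code from the thread or from the Shorewall project: it writes constructed sample copies of shorewall.conf, policy and rules into a temporary directory and lints them. It assumes the classic whitespace-separated column layout (policy: SOURCE DEST POLICY; rules: ACTION SOURCE DEST PROTO DEST_PORT) and the /var/log/firewall path Tom mentions; the sample values are invented and are not the poster's real configuration.

```shell
#!/bin/sh
# Added example: lint a Shorewall configuration for the problems discussed in
# the thread. Sample files below are constructed, not the poster's real ones.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/shorewall.conf"
POLICY="$WORK/policy"
RULES="$WORK/rules"

# Constructed shorewall.conf: LOGFILE still points at the generic syslog file.
cat >"$CONF" <<'EOF'
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
EOF

# Constructed policy file (SOURCE DEST POLICY LOGLEVEL).
cat >"$POLICY" <<'EOF'
#SOURCE DEST  POLICY  LOGLEVEL
loc     fw    ACCEPT
loc     net   REJECT  info
net     all   DROP    info
all     all   REJECT  info
EOF

# Constructed rules file (ACTION SOURCE DEST PROTO DEST_PORT).
# The two loc->fw ACCEPT rules are redundant given the loc->fw ACCEPT policy;
# the two net->loc ACCEPT rules cannot match on a masqueraded LAN.
cat >"$RULES" <<'EOF'
#ACTION SOURCE DEST              PROTO DEST_PORT
ACCEPT  loc    fw                tcp   22
ACCEPT  loc    fw                tcp   3128
ACCEPT  net    loc:192.168.1.10  tcp   80
ACCEPT  net    loc               tcp   3389
DNAT    net    loc:192.168.1.10  tcp   443
EOF

# logfile_ok EXPECTED: true when LOGFILE in shorewall.conf equals EXPECTED
# (the thread says recent SuSE logs iptables messages to /var/log/firewall).
logfile_ok() {
    actual=$(sed -n 's/^LOGFILE=//p' "$CONF")
    [ "$actual" = "$1" ]
}

# redundant_accepts: number of ACCEPT rules whose source/dest zone pair
# already has an ACCEPT policy (point C). Zone qualifiers like loc:1.2.3.4
# are stripped to the zone name before the lookup.
redundant_accepts() {
    awk 'FNR == 1 { f++ }
         NF == 0 || $1 ~ /^#/ { next }
         f == 1 { if ($3 == "ACCEPT") pol[$1 " " $2] = 1; next }
         $1 == "ACCEPT" {
             split($2, s, ":"); split($3, d, ":")
             key = s[1] " " d[1]
             if (key in pol) n++
         }
         END { print n + 0 }' "$POLICY" "$RULES"
}

# net_to_loc_accepts: number of ACCEPT rules from net into loc (point F).
# With loc masqueraded, inbound traffic must be DNATed, so these never match.
net_to_loc_accepts() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 == "ACCEPT" {
             split($2, s, ":"); split($3, d, ":")
             if (s[1] == "net" && d[1] == "loc") n++
         }
         END { print n + 0 }' "$RULES"
}

# Report (kept inside if/else so a failing check does not trip set -e).
if logfile_ok /var/log/firewall; then
    echo "LOGFILE: ok"
else
    echo "LOGFILE: does not match /var/log/firewall; log analysis will show nothing"
fi
echo "redundant ACCEPT rules (already covered by an ACCEPT policy): $(redundant_accepts)"
echo "net->loc ACCEPT rules (need DNAT on a masqueraded LAN): $(net_to_loc_accepts)"
```

Run it as a plain script; on the constructed sample it reports the mismatched LOGFILE, two redundant loc->fw rules and two net->loc ACCEPT rules. Point the three path variables at /etc/shorewall to run the same checks against a real configuration.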
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users