hey guys ... user error ... my cable checked out ... I plugged the wire
scheme A end into my client and the wire scheme B end into my work laptop,
and was able to ping "the other host" ... remember I said I had 3 NICs ...
in my "brilliance" I figured that I'd "correctly" identified eth0, eth1, and
eth2 ... NOPE! once I plugged into the correct NIC things began to work just
fine.
thanks for your help.
Shawn
On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
thanks for your input David. maybe my x-over cable is the culprit. I'll
try connecting two other computers together using it and see what happens.
On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:
>
> On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > I suspect my shorewall config is correct, I think something network-wise
> > might be screwy. I just can't put my finger on what it is.
>
> If you really have the setup that you described, then the only thing
> network-wise that you have is your crossover cable. Are you sure that
> you tested it and were able to transmit data over it?
> There is pretty much nothing that should prevent you from pinging if
> neither host has a firewall activated.
>
> > On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > > did things work without shorewall? Disconnect from the internet
> > > (unplug the cable), run 'shorewall clear' and at least make sure that
> > > the firewall and the client can ping each other before you attempt any
> > > shorewall troubleshooting.
> > >
> > > ~David
> > >
> > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > crap... I just realized one thing ... in the section where I was trying
> > > > to illustrate the ping from my client to my firewall, I did the
> > > > opposite (pinged the client from my firewall).
> > > >
> > > > so:
> > > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > > >
> > > > is when I'm logged into my fw (remotely) trying to ping my client
> > > > machine.
> > > >
> > > > sorry for the confusion.
> > > >
> > > >
> > > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > > Hello List,
> > > > >
> > > > > This is my first post to the list, and as such I apologize for the
> > > > > length of it. I tried to put as much detail into this as possible.
> > > > >
> > > > > I recently installed Shorewall on a computer running Gentoo Linux. The
> > > > > computer has 3 network cards in it, but I've only configured 2. Going
> > > > > the cheap route, I'm connecting my client directly to my firewall
> > > > > using a crossover cable.
> > > > >
> > > > > When I try to access the Internet from my client, the operation times
> > > > > out.
> > > > >
> > > > > Client is running Windows XP Home Edition.
> > > > > Card is set to Auto-negotiate the speed and duplex.
> > > > >
> > > > > Firewall is running Gentoo Linux (2006.1).
> > > > > The version of shorewall I have installed is: 3.0.8
> > > > > eth0 is connected to a cable modem and gets its IP information via
> > > > > DHCP from my ISP.
> > > > > eth1 reports the following information from ifconfig eth1:
> > > > >
> > > > > eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
> > > > >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> > > > >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> > > > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > > >           collisions:0 txqueuelen:1000
> > > > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > > > >           Interrupt:10 Base address:0x6c00
> > > > >
> > > > > My routing table is as follows:
> > > > >
> > > > > Kernel IP routing table
> > > > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > > > 192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
> > > > > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > > > > c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
> > > > > loopback        *               255.0.0.0       U     0      0        0 lo
> > > > > default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
> > > > >
> > > > > One thing that I noticed is if I do mii-tool eth1 I get:
> > > > > eth1: no link
> > > > >
> > > > > Since I can ping eth1 from the firewall, shouldn't that mean there is
> > > > > a link?
> > > > >
> > > > > Things I've tested / tried / ensured:
> > > > >
> > > > > On the firewall side of things:
> > > > > The link light is lit on my client and firewall (eth1 and on the
> > > > > client's NIC)
> > > > > From the firewall I can get to the Internet (I can browse sites, SSH
> > > > > to another computer on another network, etc)
> > > > > I can ping the address of the interior interface (eth1: 192.168.1.1)
> > > > > from the firewall. (replies are in < 1ms)
> > > > > I've toggled the SSH rule on the firewall to ensure that if I am not
> > > > > accepting SSH from net to fw that it won't work, and that works fine,
> > > > > so I think that rule is behaving as I'd expect.
> > > > > I've blocked ping at the firewall, and that works fine, so that rule
> > > > > seems to be correct.
> > > > > I cannot ping the address of my client from the firewall (the
> > > > > client's address is 192.168.1.2).
> > > > >
> > > > > On the client side of things:
> > > > > When I try to ping my firewall or reach the Internet I can see that
> > > > > it is sending packets.
> > > > > The send counter increases, but not the received counter (the
> > > > > received counter stays at 0)
> > > > >
> > > > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > > > >
> > > > > --- 192.168.1.2 ping statistics ---
> > > > > 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms, pipe 3
> > > > >
> > > > > I don't think it's an issue with my DNS setup, as I've entered the IP
> > > > > address of the site I wish to visit, but still can't get there. The
> > > > > operation will take too long, and just timeout.
> > > > > I've set the IP parameters as follows on the client:
> > > > > IP address: 192.168.1.2
> > > > > Netmask: 255.255.255.0
> > > > > Default Gateway: 192.168.1.1
> > > > > Preferred DNS: 192.168.1.1
> > > > >
> > > > > No matter what traffic I send to the firewall, whether it be a ping or
> > > > > my client trying to get to the Internet, I don't see anything getting
> > > > > logged. I see the firewall is busy, but it's not getting anything from
> > > > > my client.
> > > > >
> > > > > just a snippet of shorewall show log:
> > > > >
> > > > > Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
> > > > > Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
> > > > > Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > > > Feb 2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
> > > > > Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
> > > > > Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > > >
> > > > > I set my rules, policy, masq, interfaces, etc according to the basic
> > > > > two-interface firewall howto, and used an FAQ to configure my firewall
> > > > > as follows:
> > > > >
> > > > > /etc/shorewall/params:
> > > > > ETH0_IP=`find_first_interface_address eth0`
> > > > >
> > > > > /etc/shorewall/rules:
> > > > > #
> > > > > # Local Rules
> > > > > SSH/ACCEPT loc $FW
> > > > > Ping/ACCEPT loc $FW
> > > > >
> > > > > # DNS
> > > > > DNS/ACCEPT loc $FW
> > > > >
> > > > > # DHCP SERVER
> > > > > ACCEPT loc net UDP 67
> > > > > ACCEPT loc net TCP 67
> > > > >
> > > > > # DHCP CLIENT
> > > > > ACCEPT loc net UDP 68
> > > > > ACCEPT loc net TCP 68
> > > > > #
> > > > > # Remote Rules
> > > > > #
> > > > > SSH/ACCEPT net $FW
> > > > > Ping/ACCEPT $FW loc
> > > > >
> > > > > # DNAT
> > > > > DNAT loc loc:192.168.1.1 tcp www - $ETH0_IP
> > > > >
> > > > > /etc/shorewall/policy:
> > > > > loc net ACCEPT info
> > > > > $FW net ACCEPT info
> > > > > $FW loc ACCEPT info
> > > > > net all DROP info
> > > > > all all REJECT info
> > > > >
> > > > > /etc/shorewall/interfaces:
> > > > > net eth0 detect dhcp
> > > > > loc eth1 192.168.1.255 routeback
> > > > >
> > > > > /etc/shorewall/masq:
> > > > > eth1:192.168.1.1 eth1 192.168.1.1 tcp www
> > > > >
> > > > > I was getting an error when I initially set up shorewall telling me
> > > > > that the route had not been defined for my internal interface at the
> > > > > point where the firewall was trying to start, so I placed the
> > > > > following entry into /etc/shorewall/init
> > > > > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
> > > > >
> > > > > However, I've been through many evolutions since then; so this may no
> > > > > longer be needed.
> > > > >
> > > > > "Doing linear scans over an associative array is like trying to club
> > > > > someone to death with a loaded Uzi."
> > > > > ---Larry Wall
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier.
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
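The root cause in this thread was an address configured on a NIC that had no link while the cable sat in a different card. The check below is an added example (not from the list or from Shorewall) that reads the per-interface carrier flag from a sysfs-style tree and reports exactly that mismatch; the sysfs root and the interface-to-address map are caller-supplied so it runs offline against constructed data.

```python
"""Flag an address configured on a NIC with no carrier while another NIC has
carrier but no address: the cable is in the wrong port. Added example."""
from pathlib import Path
import tempfile

def read_carrier(sysroot, ifname):
    """True/False from <sysroot>/class/net/<ifname>/carrier; None if the file is
    missing or unreadable (the kernel gives EINVAL while the interface is down)."""
    try:
        text = Path(sysroot, "class/net", ifname, "carrier").read_text()
    except OSError:
        return None
    return text.strip() == "1"

def audit_links(sysroot, addresses):
    """addresses maps ifname -> list of configured IPv4 addresses (what you
    would collect from `ip -o -4 addr`). Returns [(ifname, finding), ...]."""
    findings = []
    for iface in sorted(p.name for p in Path(sysroot, "class/net").iterdir()):
        if iface == "lo":
            continue
        carrier = read_carrier(sysroot, iface)
        has_ip = bool(addresses.get(iface))
        if has_ip and carrier is False:
            findings.append((iface, "configured but no link: cable in the wrong port?"))
        elif has_ip and carrier is None:
            findings.append((iface, "configured but administratively down"))
        elif not has_ip and carrier:
            findings.append((iface, "link up but no address: is the cable here?"))
    return findings

def make_fake_sysfs(states):
    """Constructed stand-in for /sys so the audit runs offline:
    states maps ifname -> '0', '1' or None (no carrier file at all)."""
    root = Path(tempfile.mkdtemp())
    for name, state in states.items():
        d = root / "class/net" / name
        d.mkdir(parents=True)
        if state is not None:
            (d / "carrier").write_text(state + "\n")
    return root

if __name__ == "__main__":
    # The poster's box: three NICs, 192.168.1.1 on eth1, cable actually in eth2.
    root = make_fake_sysfs({"lo": "1", "eth0": "1", "eth1": "0", "eth2": "1"})
    for iface, msg in audit_links(root, {"eth0": ["71.203.146.136/22"],
                                          "eth1": ["192.168.1.1/24"]}):
        print(f"{iface}: {msg}")
```

On a real host, pass `/sys` as the root and build the address map from `ip -o -4 addr`.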
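The other diagnostic in the thread was reading `shorewall show log` and noticing that nothing ever arrived on eth1. As an added example (not from the list or from Shorewall), this parser splits the netfilter LOG lines into fields and tallies packets per chain, target and ingress interface; the three sample lines are adapted from the poster's snippet and embedded as constructed data.

```python
"""Parse `shorewall show log` lines (netfilter LOG output carrying Shorewall's
chain:target prefix) and tally packets per chain, target and ingress
interface, so "is anything arriving with IN=eth1?" becomes one number."""
import re
from collections import Counter

# Three lines adapted from the poster's snippet (constructed sample data).
SAMPLE_LOG = """\
Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<target>[^:\s]+):(?P<rest>.*)")

def parse_line(line):
    """Return a dict of the LOG fields, or None for a non-Shorewall line.
    LEN and ID occur twice (IP header, then UDP/ICMP); the first is kept."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "target": m.group("target")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)
        else:
            fields[tok] = True          # bare flags such as DF
    return fields

def summarize(text):
    """Counter keyed by (chain, target, ingress interface or '-')."""
    tally = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is not None:
            tally[(f["chain"], f["target"], f.get("IN") or "-")] += 1
    return tally

def packets_in_from(text, iface):
    """How many logged packets entered on iface; 0 for eth1 here, which is
    what the poster saw before finding the cable was in the wrong NIC."""
    return sum(n for (_, _, inif), n in summarize(text).items() if inif == iface)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-8s %-7s in=%-5s %d" % (*key, n))
    print("packets seen from eth1:", packets_in_from(SAMPLE_LOG, "eth1"))
```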