The naming of eth0, eth1, eth2 doesn't always happen in the same order in Linux - if you remove or add another network card the naming might change unexpectedly.
I suggest that you set up nameif with desired mactab entries for your firewall box.

Prasanna.

On 2/3/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> hey guys ... user error ... my cable checked out ... I plugged the wire
> scheme A end into my client and the wire scheme B end into my work laptop,
> and was able to ping "the other host" ... remember I said I had 3 NICs ...
> in my "brilliance" I figured that I'd "correctly" identified eth0, eth1, and
> eth2 ... NOPE! once I plugged into the correct NIC things began to work just
> fine.
>
> thanks for your help.
>
> Shawn
>
> On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > thanks for your input David. maybe my x-over cable is the culprit. I'll
> > try connecting two other computers together using it and see what happens.
> >
> > On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:
> > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > I suspect my shorewall config is correct, I think something network-wise
> > > > might be screwy. I just can't put my finger on what it is.
> > >
> > > If you really have the setup that you described, then the only thing
> > > network-wise that you have is your crossover cable. Are you sure that
> > > you tested it and were able to transmit data over it?
> > > There is pretty much nothing that should prevent you from pinging if
> > > neither host has a firewall activated.
> > >
> > > > On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:
> > > > > Hi,
> > > > > did things work without shorewall? Disconnect from the internet
> > > > > (unplug the cable), run 'shorewall clear' and at least make sure that
> > > > > the firewall and the client can ping each other before you attempt any
> > > > > shorewall troubleshooting.
> > > > >
> > > > > ~David
> > > > >
> > > > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > > > crap... I just realized one thing ... in the section where I was trying to
> > > > > > illustrate the ping from my client to my firewall, I did the opposite
> > > > > > (pinged the client from my firewall).
> > > > > >
> > > > > > so:
> > > > > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > > > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > > > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > > > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > > > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > > > > >
> > > > > > is when I'm logged into my fw (remotely) trying to ping my client machine.
> > > > > >
> > > > > > sorry for the confusion.
> > > > > >
> > > > > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > > > > Hello List,
> > > > > > >
> > > > > > > This is my first post to the list, and as such I apologize for the length
> > > > > > > of it. I tried to put as much detail into this as possible.
> > > > > > >
> > > > > > > I recently installed Shorewall on a computer running Gentoo Linux. The
> > > > > > > computer has 3 network cards in it, but I've only configured 2. Going the
> > > > > > > cheap route, I'm connecting my client directly to my firewall using a
> > > > > > > crossover cable.
> > > > > > >
> > > > > > > When I try to access the Internet from my client, the operation times out.
> > > > > > >
> > > > > > > Client is running Windows XP Home Edition.
> > > > > > > Card is set to Auto-negotiate the speed and duplex.
> > > > > > >
> > > > > > > Firewall is running Gentoo Linux (2006.1).
> > > > > > > The version of shorewall I have installed is: 3.0.8
> > > > > > > eth0 is connected to a cable modem and gets its IP information via DHCP
> > > > > > > from my ISP.
> > > > > > > eth1 reports the following information from ifconfig eth1:
> > > > > > >
> > > > > > > eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
> > > > > > >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> > > > > > >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> > > > > > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > > > > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > > > > >           collisions:0 txqueuelen:1000
> > > > > > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > > > > > >           Interrupt:10 Base address:0x6c00
> > > > > > >
> > > > > > > My routing table is as follows:
> > > > > > >
> > > > > > > Kernel IP routing table
> > > > > > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > > > > > 192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
> > > > > > > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > > > > > > c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
> > > > > > > loopback        *               255.0.0.0       U     0      0        0 lo
> > > > > > > default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
> > > > > > >
> > > > > > > One thing that I noticed is if I do mii-tool eth1 I get:
> > > > > > > eth1: no link
> > > > > > >
> > > > > > > Since I can ping eth1 from the firewall, shouldn't that mean there is a
> > > > > > > link?
> > > > > > >
> > > > > > > Things I've tested / tried / ensured:
> > > > > > >
> > > > > > > On the firewall side of things:
> > > > > > > The link light is lit on my client and firewall (eth1 and on the client's
> > > > > > > NIC)
> > > > > > > From the firewall I can get to the Internet (I can browse sites, SSH to
> > > > > > > another computer on another network, etc)
> > > > > > > I can ping the address of the interior interface (eth1: 192.168.1.1) from
> > > > > > > the firewall. (replies are in < 1ms)
> > > > > > > I've toggled the SSH rule on the firewall to ensure that if I am not
> > > > > > > accepting SSH from net to fw that it won't work, and that works fine, so I
> > > > > > > think that rule is behaving as I'd expect.
> > > > > > > I've blocked ping at the firewall, and that works fine, so that rule seems
> > > > > > > to be correct.
> > > > > > > I cannot ping the address of my client from the firewall (the client's
> > > > > > > address is 192.168.1.2).
> > > > > > >
> > > > > > > On the client side of things:
> > > > > > > When I try to ping my firewall or reach the Internet I can see that it is
> > > > > > > sending packets.
> > > > > > > The send counter increases, but not the received counter (the received
> > > > > > > counter stays at 0)
> > > > > > >
> > > > > > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > > > > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > > > > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > > > > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > > > > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > > > > > >
> > > > > > > --- 192.168.1.2 ping statistics ---
> > > > > > > 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms
> > > > > > > , pipe 3
> > > > > > >
> > > > > > > I don't think it's an issue with my DNS setup, as I've entered the IP
> > > > > > > address of the site I wish to visit, but still can't get there. The
> > > > > > > operation will take too long, and just time out.
> > > > > > > I've set the IP parameters as follows on the client:
> > > > > > > IP address: 192.168.1.2
> > > > > > > Netmask: 255.255.255.0
> > > > > > > Default Gateway: 192.168.1.1
> > > > > > > Preferred DNS: 192.168.1.1
> > > > > > >
> > > > > > > No matter what traffic I send to the firewall, whether it be a ping or my
> > > > > > > client trying to get to the Internet, I don't see anything getting logged. I
> > > > > > > see the firewall is busy, but it's not getting anything from my client.
> > > > > > >
> > > > > > > just a snippet of shorewall show log:
> > > > > > >
> > > > > > > Feb  2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
> > > > > > > Feb  2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
> > > > > > > Feb  2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > > > > > Feb  2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
> > > > > > > Feb  2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
> > > > > > > Feb  2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > > > > >
> > > > > > > I set my rules, policy, masq, interfaces, etc according to the basic
> > > > > > > two-interface firewall howto, and used an FAQ to configure my firewall as
> > > > > > > follows:
> > > > > > >
> > > > > > > /etc/shorewall/params:
> > > > > > > ETH0_IP=`find_first_interface_address eth0`
> > > > > > >
> > > > > > > /etc/shorewall/rules:
> > > > > > > #
> > > > > > > # Local Rules
> > > > > > > SSH/ACCEPT    loc    $FW
> > > > > > > Ping/ACCEPT   loc    $FW
> > > > > > >
> > > > > > > # DNS
> > > > > > > DNS/ACCEPT    loc    $FW
> > > > > > >
> > > > > > > # DHCP SERVER
> > > > > > > ACCEPT        loc    net    UDP    67
> > > > > > > ACCEPT        loc    net    TCP    67
> > > > > > >
> > > > > > > # DHCP CLIENT
> > > > > > > ACCEPT        loc    net    UDP    68
> > > > > > > ACCEPT        loc    net    TCP    68
> > > > > > > #
> > > > > > > # Remote Rules
> > > > > > > #
> > > > > > > SSH/ACCEPT    net    $FW
> > > > > > > Ping/ACCEPT   $FW    loc
> > > > > > >
> > > > > > > # DNAT
> > > > > > > DNAT          loc    loc:192.168.1.1    tcp    www    -    $ETH0_IP
> > > > > > >
> > > > > > > /etc/shorewall/policy:
> > > > > > > loc    net    ACCEPT    info
> > > > > > > $FW    net    ACCEPT    info
> > > > > > > $FW    loc    ACCEPT    info
> > > > > > > net    all    DROP      info
> > > > > > > all    all    REJECT    info
> > > > > > >
> > > > > > > /etc/shorewall/interfaces:
> > > > > > > net    eth0    detect           dhcp
> > > > > > > loc    eth1    192.168.1.255    routeback
> > > > > > >
> > > > > > > /etc/shorewall/masq:
> > > > > > > eth1:192.168.1.1    eth1    192.168.1.1    tcp    www
> > > > > > >
> > > > > > > I was getting an error when I initially set up shorewall telling me that
> > > > > > > the route had not been defined for my internal interface at the point where
> > > > > > > the firewall was trying to start, so I placed the following entry into
> > > > > > > /etc/shorewall/init
> > > > > > > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
> > > > > > >
> > > > > > > However, I've been through many evolutions since then; so this may no
> > > > > > > longer be needed.
> > > > > > >
> > > > > > > "Doing linear scans over an associative array is like trying to club
> > > > > > > someone to death with a loaded Uzi."
> > > > > > > ---Larry Wall

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
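Prasanna's nameif/mactab advice, as an added example that is not from the thread or from the Shorewall project: a constructed /etc/mactab beside a small POSIX sh check that compares the names the kernel gave each MAC on this boot against the mactab and reports drift, which on a firewall means a zone (net/loc) could end up bound to the wrong card. The sample `ip -o link` output and every MAC other than eth1's are constructed; the file path assumes nameif's default.

```shell
#!/bin/sh
# Added example (not from the thread): pin each firewall NIC name to its MAC in
# a mactab file (the file nameif reads, default /etc/mactab) and verify, before
# "shorewall start", that this boot's kernel-assigned names still match it.

# Constructed /etc/mactab: <desired name> <MAC>. Only eth1's MAC is from the thread.
MACTAB='# name   MAC
eth0    00:11:22:33:44:55
eth1    00:10:B5:0E:D6:E9
eth2    00:aa:bb:cc:dd:ee'

# Constructed "ip -o link" output for a boot where eth0 and eth2 came up swapped,
# which would bind Shorewall's untrusted "net" zone to the inside card.
LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 ... link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 ... link/ether 00:10:b5:0e:d6:e9 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 ... link/ether 00:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff'

# check_mactab MACTAB_TEXT LINKS_TEXT
# Prints one line per interface whose running name differs from the mactab
# (or whose MAC is not present at all); prints nothing when everything matches.
check_mactab() {
    # Drop comments and blank lines, then look up each MAC in the link list.
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    while read -r want mac; do
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # ip prints MACs in lowercase
        have=$(printf '%s\n' "$2" | awk -v m="$mac" '
            $0 ~ ("link/ether " m) { sub(/:$/, "", $2); print $2; exit }')
        if [ -z "$have" ]; then
            echo "missing: mac=$mac (wanted $want)"
        elif [ "$have" != "$want" ]; then
            echo "want=$want have=$have mac=$mac"
        fi
    done
}

# Mismatch count, usable as a gate in an init script: 0 means the names are safe.
mactab_drift_count() {
    check_mactab "$1" "$2" | wc -l | tr -d ' '
}

# Live variant for the firewall itself (not called here): compare the real files.
live_check() {
    check_mactab "$(cat /etc/mactab)" "$(ip -o link)"
}

check_mactab "$MACTAB" "$LINKS"   # reports the two swapped cards
```

Run `live_check` from a start script and refuse to bring Shorewall up when it prints anything; nameif itself renames the cards from the same file when run before the interfaces are configured.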
