--- Tom Eastep <[EMAIL PROTECTED]> wrote:

> java guru wrote:
> > Hi -
> > I am trying out the two-interface example. I defined loc (for eth0) and ppp0 (outgoing dialup modem) and the rest of the setup per the document.
> >
> > But my ssh connection to the fw box gets dropped as soon as I start shorewall. Below is what I see from the log. See how the SRC is not the loc network (192.168.1.*), that's 'coz I am reaching the fw box eth0 via a cable modem.
> >
> > I am new to shorewall, so tell me if there is a separate forum where I can get appropriate help.
> >
> > -------------
> > kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> > -------------------------
>
> Please check the instructions at http://www.shorewall.net/two-interface.htm again. You have set up Shorewall incorrectly because eth0 is not associated with any zone.

Thanks Tom. Below are the lines from my interfaces config.

net ppp0 - tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc eth0 detect routeback,tcpflags,detectnets,nosmurfs

loc is associated with eth0 and net is associated with ppp0.

> If you want SSH access to your Shorewall system from the net, you need to add a rule. This is also explained in the document. The rule you need is similar to the one in the Guide except that you need to replace 'loc' with 'net' to allow SSH access to the 'net' zone.

I am accessing the machine where shorewall is installed via the cable modem to the local lan to eth0.

mysshclient -> Internet -> cablemodem (linksys router) -> local lan (192.168.1.*) -> eth0 -> shorewall machine.

ppp0 is on the shorewall machine with a dialup modem. Eventually I want to have all http traffic generated on the shorewall machine routed out via ppp0. But that's a separate discussion.

In the log, I also see other machines on the local lan (192.168.1.*) communicating with the fw just fine. I guess that means eth0 is indeed associated with a zone .. correct?

Here is how the policy looks
---------------------
loc net ACCEPT info
loc $FW ACCEPT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT info
$FW loc ACCEPT info
$FW all REJECT info
-----------------------------

I also read another document, http://www.shorewall.net/Multiple_Zones.html. Does my situation require a multizone setup?

thx

> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
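As an added example (not part of the thread or of Shorewall itself), a small parser for the Shorewall log line quoted above that checks whether the logged SRC address falls inside the networks attached to the zone of the inbound interface. The interface-to-zone map and the 192.168.1.0/24 network for eth0 are assumptions taken from the poster's description.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the Shorewall log line quoted in the thread (MAC masked as in the post).
SAMPLE_LOG = (
    "kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= "
    "MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 "
    "RES=0x00 SYN URGP=0"
)

# Assumed zone map: interface -> (zone, networks the zone covers on that interface).
# With 'detect'/'detectnets' the loc networks are whatever Shorewall found on eth0;
# 192.168.1.0/24 is assumed here from the poster's description.
ZONES = {
    "eth0": ("loc", [ip_network("192.168.1.0/24")]),
    "ppp0": ("net", [ip_network("0.0.0.0/0")]),
}

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Return chain, action and the KEY=VALUE fields of a Shorewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True  # bare flags such as DF or SYN
    return fields


def classify_source(fields, zones=ZONES):
    """Name the zone the SRC address belongs to on its inbound interface, or None."""
    iface = fields.get("IN")
    if iface not in zones or "SRC" not in fields:
        return None
    zone, nets = zones[iface]
    src = ip_address(fields["SRC"])
    return zone if any(src in net for net in nets) else None


if __name__ == "__main__":
    parsed = parse_shorewall_log(SAMPLE_LOG)
    print(parsed["chain"], parsed["action"], parsed["SRC"], "->", classify_source(parsed))
```

For the quoted line the source 70.170.80.123 arrives on eth0 but is outside the assumed loc network, so the function returns None; a source inside 192.168.1.0/24 on eth0 returns "loc".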
