What is the routing on your shorewall box?

I don't think yours is a classic two-interface setup. In the
two-interface setup, the default route would be pointing out of
ppp0, and connection tracking to determine the outgoing interface (a la
multi-ISP setup) is not required.

However, in your case packets coming in via cable modem hit the
shorewall system on loc. But when they go out, they may be going out
via ppp0 (because of your default route).

I think you need to fix this via a route_rule - an "ssh always goes out of
the cable modem" kind of thing.

Hope that helps.
Prasanna.

On 4/2/07, java guru <[EMAIL PROTECTED]> wrote:
>
> --- Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> > java guru wrote:
> > > Hi -
> > >   I am trying out the two-interface example. I defined loc
> > > (for eth0) and ppp0 (outgoing dialup modem) and the rest
> > > of the setup per the document.
> > >
> > >   But my ssh connection to the fw box gets dropped as soon
> > > as I start shorewall. Below is what I see from the
> > > log. See how the SRC is not the loc network (192.168.1.*),
> > > that's 'coz I am reaching the fw box eth0 via a cable
> > > modem.
> > >
> > >   I am new to shorewall, so tell me if there is a
> > > separate forum where I can get appropriate help.
> > >
> > > -------------
> > > kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> > > MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48
> > > TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22
> > > WINDOW=16384 RES=0x00 SYN URGP=0
> > > -------------------------
> >
> > Please check the instructions at http://www.shorewall.net/two-interface.htm
> > again. You have set up Shorewall incorrectly because eth0 is not associated
> > with any zone.
> >
> Thanks Tom. Below are the lines from my interfaces config.
>
> net     ppp0    -         tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> loc     eth0    detect    routeback,tcpflags,detectnets,nosmurfs
>
> loc is associated with eth0 and net is associated with ppp0.
>
> > If you want SSH access to your Shorewall system from the net, you need to
> > add a rule. This is also explained in the document. The rule you need is
> > similar to the one in the Guide except that you need to replace 'loc' with
> > 'net' to allow SSH access to the 'net' zone.
>
> I am accessing the machine where shorewall is installed via the cable
> modem to the local lan to eth0.
>
> mysshclient -> Internet -> cablemodem (linksys router)
> -> local lan (192.168.1.*) -> eth0 -> shorewall machine.
>
> ppp0 is on the shorewall machine with a dialup modem.
> Eventually I want to have all http traffic generated on the shorewall
> machine routed out via ppp0. But that's a separate discussion.
>
> In the log, I also see other machines on the local lan (192.168.1.*)
> communicating with the fw just fine. I guess that means eth0 is indeed
> associated with a zone .. correct?
>
> Here is how the policy looks:
> ---------------------
> loc             net             ACCEPT          info
> loc             $FW             ACCEPT          info
> loc             all             REJECT          info
>
> #
> # Policies for traffic originating from the firewall ($FW)
> #
> # If you want open access to the Internet from your firewall, change the
> # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
> # This may be useful if you run a proxy server on the firewall.
> $FW             net             ACCEPT          info
> $FW             loc             ACCEPT          info
> $FW             all             REJECT          info
> -----------------------------
>
> I also read another document, http://www.shorewall.net/Multiple_Zones.html.
> Does my situation require a multizone setup?
>
>
> thx
>
> >
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ [EMAIL PROTECTED]
> > PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
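The route_rule idea in this reply, as an added example that is not from the thread or from the Shorewall project: a providers entry for each uplink, with the track option so that a connection that arrived on eth0 is marked and its replies are routed back through the cable-modem router instead of following the ppp0 default route. The provider names, table numbers, marks and the Linksys gateway address 192.168.1.1 are assumptions.

```text
# /etc/shorewall/providers  (added example; names, numbers and gateway are assumed)
#
# track   - mark connections that arrive on this interface so that the reply
#           packets are routed out of the same interface (the SSH case above).
# balance - put this provider's route into the main table as the default;
#           with it set on dialup only, everything not tracked goes via ppp0.
# DUPLICATE=main copies the local routes (192.168.1.0/24 on eth0) into each
# provider table, so hosts on the LAN stay reachable from either table.
#
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS          COPY
cable    1       1     main       eth0       192.168.1.1   track            -
dialup   2       2     main       ppp0       -             track,balance    -

# Checks after "shorewall restart":
#   ip rule show                  # expect fwmark 0x1 -> table cable,
#                                 #        fwmark 0x2 -> table dialup
#   ip route show table cable     # default via 192.168.1.1 dev eth0
#   ip route show table dialup    # default dev ppp0
# Then open an SSH session from outside: the SYN arriving on eth0 is marked
# with 0x1 and the SYN/ACK leaves via eth0 rather than ppp0.
```

Selecting traffic by port (HTTP from the firewall via ppp0) is not something route_rules can express; that needs a packet mark set in tcrules and matched to the dialup provider's MARK.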
