Thanks Prasanna ....my reply below.

--- Prasanna Krishnamoorthy <[EMAIL PROTECTED]> wrote:
> What is the routing on your shorewall box?
>
> I don't think yours is a classic two-interface setup. In the
> two-interface setup, the default route would be pointing out of the
> ppp0, and connection tracking to determine the outgoing interface (ala
> multi-isp setup) is not required.

EXACTLY.. the default route is pointing to eth0 - the cable modem router
(hardware). I am not sure, once I bring the shorewall up, if it's changing
any routing to default to ppp0. Way in the email below, you see my
interfaces file. Thinking that "routeback" will get the ssh responses back
to eth0 (the way they came in), I added routeback to eth0. But it didn't
help.

> However, in your case packets coming in via cable modem hit the
> shorewall system on loc. But when they go out, they may be going out
> via ppp0 (because of your default route).
>
> I think you need to fix this via a route_rule - ssh always goes out of
> cable modem kind of thing.

Yep. Bottom line being ssh comes in and goes out via eth0 (that goes out
to the internet via a hardware router/modem). Unfortunately, I am a newbie
here. Any thoughts ? Thx

> Hope that helps.
> Prasanna.
>
> On 4/2/07, java guru <[EMAIL PROTECTED]> wrote:
> >
> > --- Tom Eastep <[EMAIL PROTECTED]> wrote:
> >
> > > java guru wrote:
> > > > Hi -
> > > > I am trying out the two interface example. I defined loc (for eth0)
> > > > and ppp0 (outgoing dialup modem) and the rest of the setup per the
> > > > document.
> > > >
> > > > But my ssh connection to the fw box gets dropped as soon as I start
> > > > shorewall. Below is what I see from the log. See how the SRC is not
> > > > the loc network (192.168.1.*), that's 'coz I am reaching the fw box
> > > > eth0 via a cable modem.
> > > >
> > > > I am new to shorewall, so tell me if there is a separate forum where
> > > > I can get appropriate help.
> > > > -------------
> > > > kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> > > > -------------------------
> > >
> > > Please check the instructions at http://www.shorewall.net/two-interface.htm
> > > again. You have set up Shorewall incorrectly because eth0 is not associated
> > > with any zone.
> >
> > Thanks Tom. Below is the line from my interfaces config.
> >
> > net   ppp0   -        tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> > loc   eth0   detect   routeback,tcpflags,detectnets,nosmurfs
> >
> > loc is associated with eth0 and net is associated with ppp0.
> >
> > > If you want SSH access to your Shorewall system from the net, you need to
> > > add a rule. This is also explained in the document. The rule you need is
> > > similar to the one in the Guide except that you need to replace 'loc' with
> > > 'net' to allow SSH access to the 'net' zone.
> >
> > I am accessing the machine where shorewall is installed via cable modem to
> > the local lan to eth0.
> >
> > mysshclient -> Internet -> cablemodem (linksys router) -> local lan
> > (192.168.1.*) -> eth0 -> shorewall machine.
> >
> > ppp0 is on the shorewall machine with a dialup modem. Eventually I want to
> > have all http traffic generated on the shorewall machine to be routed out
> > via ppp0. But that's a separate discussion.
> >
> > In the log, I also see other machines on the local lan (192.168.1.*)
> > communicating with the fw just fine. I guess that means eth0 is indeed
> > associated with a zone .. correct ?
> > Here is what the policy looks like
> > ---------------------
> > loc    net    ACCEPT   info
> > loc    $FW    ACCEPT   info
> > loc    all    REJECT   info
> >
> > #
> > # Policies for traffic originating from the firewall ($FW)
> > #
> > # If you want open access to the Internet from your firewall, change the
> > # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
> > # This may be useful if you run a proxy server on the firewall.
> > $FW    net    ACCEPT   info
> > $FW    loc    ACCEPT   info
> > $FW    all    REJECT   info
> > -----------------------------
> >
> > I also read another document http://www.shorewall.net/Multiple_Zones.html.
> > Does my situation require a multizone setup ?
> >
> > thx
> >
> > > -Tom
> > > --
> > > Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> > > Shoreline,         \ http://shorewall.net
> > > Washington USA     \ [EMAIL PROTECTED]
> > > PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
> > >
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> === message truncated ===
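The symptom the poster spots by eye in the log (a packet REJECTed on eth0 whose SRC is not in the 192.168.1.* network that eth0's loc zone is expected to carry) can be checked mechanically. The following is an added example, not code from the thread or from the Shorewall project: it parses Shorewall's netfilter log-line format as shown above and reports packets whose source address falls outside the subnet the administrator expects on the inbound interface. The eth0 subnet (192.168.1.0/24) is taken from the poster's description; the helper names, the expected-subnet table and the extra sample lines are my own constructions.

```python
"""Parse Shorewall/netfilter kernel log lines and flag packets whose source
address is outside the subnet expected on the interface they arrived on.

Added example (not from the mailing-list thread). The REJECT line is the one
quoted in the thread; the other sample lines are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample log: the thread's REJECT line, a made-up ACCEPT from a
# local-LAN host (the poster says those work fine), and an unrelated line.
SAMPLE_LOG = """\
kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
kernel: [63011.000000] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=192.168.1.50 DST=192.168.1.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: [63012.000000] eth0: link is up
"""

# Assumed mapping of inbound interface -> subnet(s) the admin expects on it.
# 192.168.1.0/24 on eth0 is taken from the poster's description of his LAN.
EXPECTED_NETS = {"eth0": [ipaddress.ip_network("192.168.1.0/24")]}

# "Shorewall:<chain>:<disposition>:" precedes the netfilter KEY=VALUE fields.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
# KEY=VALUE tokens; flag-only tokens such as DF or SYN carry no '=' and are skipped.
_KV = re.compile(r"(?P<k>[A-Z]+)=(?P<v>\S*)")


def parse_line(line):
    """Return a dict of the Shorewall fields in one log line, or None if the
    line is not a Shorewall log message."""
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for kv in _KV.finditer(line[m.end():]):
        rec[kv.group("k")] = kv.group("v")
    return rec


def off_subnet_sources(log_text, expected=EXPECTED_NETS):
    """Return (SRC, IN, DPT, disposition) tuples for packets that arrived on
    an interface in `expected` with a SRC outside that interface's subnet(s).
    Lines with no IN interface (locally generated traffic) are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec.get("IN"):
            continue
        nets = expected.get(rec["IN"])
        if nets is None:
            continue
        try:
            src = ipaddress.ip_address(rec["SRC"])
        except (KeyError, ValueError):
            continue
        if not any(src in net for net in nets):
            hits.append((rec["SRC"], rec["IN"], rec.get("DPT"), rec["disposition"]))
    return hits


if __name__ == "__main__":
    for src, iface, dport, disp in off_subnet_sources(SAMPLE_LOG):
        print(f"{disp}: {src} arrived on {iface} (dpt {dport}) but is outside "
              f"the subnet expected on {iface}")
```

Run against the thread's own line the check reports the 70.170.80.123 packet on eth0 and stays silent for the 192.168.1.50 one, which is exactly the distinction the poster describes: hosts inside eth0's subnet reach the firewall, a source outside it does not. Whether the fix is a zone definition or a routing rule is the question the thread is debating; the check only makes the mismatch visible in bulk instead of one line at a time.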
