Tom, Am 10.08.2008 um 22:09 schrieb Tom Eastep:
>> So, what did I do wrong here? I enabled multicasting in >> shorewall.conf > > The setting of that option is very unlikely to be relevant in your > case. RTFM, I see. OK. :-) > It is difficult to help when you have said nothing about your > Shorewall configuration other than you are using Shorewall-perl. > Please see http://www.shorewall.net/support.htm#Guidelines. > But for starters, have you enabled UDP port 5353 from the local net > to the firewall? you're right. Here's parts of my config (please see below for my comments) # === shorewall.conf === STARTUP_ENABLED=Yes VERBOSITY=2 SHOREWALL_COMPILER=shell LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No LOGRATE= LOGBURST= LOGALLNEW= BLACKLIST_LOGLEVEL= MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info LOG_MARTIANS=No IPTABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/ash SUBSYSLOCK=/var/lock/subsys/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= IPSECFILE=zones LOCKFILE= DROP_DEFAULT="Drop" REJECT_DEFAULT="Reject" ACCEPT_DEFAULT="none" QUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none" RSH_COMMAND='ssh [EMAIL PROTECTED] ${command}' RCP_COMMAND='scp ${files} [EMAIL PROTECTED]:${destination}' IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=INTERNAL TC_EXPERT=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=No DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=No BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=Yes IMPLICIT_CONTINUE=Yes HIGH_ROUTE_MARKS=No USE_ACTIONS=Yes OPTIMIZE=1 EXPORTPARAMS=Yes EXPAND_POLICIES=Yes KEEP_RT_TABLES=No DELETE_THEN_ADD=Yes MULTICAST=Yes DONT_LOAD= BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE # === zones === fw firewall net ipv4 # loc ipv4 # #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE # === interfaces === loc eth0 detect dhcp net eth1 detect dhcp,norfc1918,routefilter,tcpflags loc ppp+ - routeback loc vmnet+ detect routeback #LAST LINE -- DO NOT REMOVE # === policy === $FW all ACCEPT loc fw ACCEPT net all DROP info all all REJECT info #LAST LINE -- DO NOT REMOVE # === rules === #SECTION ESTABLISHED #SECTION RELATED SECTION NEW DNAT net loc:10.110.1.3 udp - 5060:5069 ACCEPT loc:10.110.1.3 net udp - 5060:5069 ACCEPT loc:10.110.1.3 net udp - 7078:7087 ACCEPT loc:10.110.1.3 net tcp 10000 SSH/ACCEPT net $FW SSH/ACCEPT loc all HTTP/ACCEPT net $FW HTTP/ACCEPT all net HTTPExt/ACCEPT all net HTTPS/ACCEPT all net Ping/ACCEPT all all FTP/ACCEPT net:92.51.129.12 $FW FTP/ACCEPT loc all IMAP/ACCEPT loc all IMAPS/ACCEPT loc all SMTP/ACCEPT net $FW SMTP/ACCEPT loc net:92.51.129.12 SMTPS/ACCEPT loc net:92.51.129.12 NTP/ACCEPT loc all ACCEPT loc net tcp 1863,5190,5050,5222,5223,5678 ACCEPT loc net udp - 16393:16402 ACCEPT all net:92.51.129.12 tcp 8443 Rsync/ACCEPT loc all RDP/ACCEPT loc all ACCEPT loc net tcp 8620 ACCEPT loc net tcp 6667 SNMP/ACCEPT loc all ACCEPT all all udp 5353 AllowICMPs/ACCEPT all all #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE # === masq === eth1 eth0 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE > [EMAIL PROTECTED]:~\ shorewall version > 4.0.13 > [EMAIL PROTECTED]:~\ sudo shorewall show capabilities > Shorewall has detected the following iptables/netfilter capabilities: > NAT: Available > Packet Mangling: Available > Multi-port Match: Available > Extended Multi-port Match: Available > Connection Tracking Match: Available > Packet Type Match: Available > Policy Match: Available > Physdev Match: Available > Physdev-is-bridged Support: Available > Packet length Match: Available > IP range Match: Available > Recent Match: Available > Owner Match: Available > Ipset Match: Not available > CONNMARK Target: Available > Extended CONNMARK Target: Available > Connmark Match: Available > Extended Connmark Match: Available > Raw Table: Available > IPP2P Match: Not available > CLASSIFY Target: Available > Extended REJECT: Available > Repeat match: Available > MARK Target: Available > Extended MARK Target: Available > Mangle FORWARD Chain: Available > Comments: Available > Address Type Match: Available > TCPMSS Match: Available > Hashlimit Match: Available > NFQUEUE Target: Available > [EMAIL PROTECTED]:~\ uname -a > Linux cobalt.intern 2.6.24-19-server #1 SMP Sat Jul 12 00:40:01 UTC > 2008 i686 GNU/Linux AFAICS I've got a policy of ACCEPT loc->fw which should allow UDP/5353 from local to the firewall. However, reading this I'm not quite sure about the correctness of my zones config: Since $FW seems to be a default zone, do I need to define the zone "fw"? I assume I've got that from a tutorial somewhere but never bothered because it eventually worked. I appreciate your comments. Regards, Christian ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
