Tom,

Am 10.08.2008 um 22:09 schrieb Tom Eastep:

>> So, what did I do wrong here? I enabled multicasting in  
>> shorewall.conf
>
> The setting of that option is very unlikely to be relevant in your  
> case.

RTFM, I see. OK. :-)

> It is difficult to help when you have said nothing about your  
> Shorewall configuration other than you are using Shorewall-perl.  
> Please see http://www.shorewall.net/support.htm#Guidelines.
> But for starters, have you enabled UDP port 5353 from the local net  
> to the firewall?


you're right. Here's parts of my config (please see below for my  
comments)

# === shorewall.conf ===
STARTUP_ENABLED=Yes
VERBOSITY=2
SHOREWALL_COMPILER=shell
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh [EMAIL PROTECTED] ${command}'
RCP_COMMAND='scp ${files} [EMAIL PROTECTED]:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=INTERNAL
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=Yes
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

# === zones ===
fw      firewall
net     ipv4                            #
loc     ipv4                            #
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# === interfaces ===
loc     eth0    detect  dhcp
net     eth1    detect  dhcp,norfc1918,routefilter,tcpflags
loc     ppp+    -       routeback
loc     vmnet+  detect  routeback
#LAST LINE -- DO NOT REMOVE

# === policy ===
$FW     all     ACCEPT
loc     fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE

# === rules ===
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT    net     loc:10.110.1.3  udp     -       5060:5069
ACCEPT  loc:10.110.1.3  net     udp     -       5060:5069
ACCEPT  loc:10.110.1.3  net     udp     -       7078:7087
ACCEPT  loc:10.110.1.3  net     tcp     10000
SSH/ACCEPT net       $FW
SSH/ACCEPT      loc     all
HTTP/ACCEPT     net     $FW
HTTP/ACCEPT     all     net
HTTPExt/ACCEPT  all     net
HTTPS/ACCEPT    all     net
Ping/ACCEPT     all     all
FTP/ACCEPT      net:92.51.129.12        $FW
FTP/ACCEPT      loc     all
IMAP/ACCEPT     loc     all
IMAPS/ACCEPT    loc     all
SMTP/ACCEPT     net     $FW
SMTP/ACCEPT     loc     net:92.51.129.12
SMTPS/ACCEPT    loc     net:92.51.129.12
NTP/ACCEPT      loc     all
ACCEPT  loc     net     tcp     1863,5190,5050,5222,5223,5678
ACCEPT  loc     net     udp     -       16393:16402
ACCEPT  all     net:92.51.129.12        tcp     8443
Rsync/ACCEPT    loc     all
RDP/ACCEPT      loc     all
ACCEPT  loc     net     tcp     8620
ACCEPT  loc     net     tcp     6667
SNMP/ACCEPT     loc     all
ACCEPT  all     all     udp     5353
AllowICMPs/ACCEPT       all     all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# === masq ===
eth1    eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

> [EMAIL PROTECTED]:~\ shorewall version
> 4.0.13
> [EMAIL PROTECTED]:~\ sudo shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Available
>    Physdev Match: Available
>    Physdev-is-bridged Support: Available
>    Packet length Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Not available
>    CONNMARK Target: Available
>    Extended CONNMARK Target: Available
>    Connmark Match: Available
>    Extended Connmark Match: Available
>    Raw Table: Available
>    IPP2P Match: Not available
>    CLASSIFY Target: Available
>    Extended REJECT: Available
>    Repeat match: Available
>    MARK Target: Available
>    Extended MARK Target: Available
>    Mangle FORWARD Chain: Available
>    Comments: Available
>    Address Type Match: Available
>    TCPMSS Match: Available
>    Hashlimit Match: Available
>    NFQUEUE Target: Available
> [EMAIL PROTECTED]:~\ uname -a
> Linux cobalt.intern 2.6.24-19-server #1 SMP Sat Jul 12 00:40:01 UTC  
> 2008 i686 GNU/Linux


AFAICS I've got a policy of ACCEPT loc->fw which should allow UDP/5353  
from local to the firewall. However, reading this I'm not quite sure  
about the correctness of my zones config: Since $FW seems to be a  
default zone, do I need to define the zone "fw"? I assume I've got  
that from a tutorial somewhere but never bothered because it  
eventually worked.

I appreciate your comments. Regards,

Christian

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to