Hello all,
First of all, I must admit I'm a total newbie on firewall-related things.
Anyway: I'm trying to set up a small NAS in my LAN (behind a router) as a
*services* provider (ftp, web, openvpn ... ). The box has only one interface:
eth0.
For OpenVPN to work as expected with a tap interface I had to create a bridge:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000d0b994479       no              eth0
                                                        tap
As ShorewallGeek pointed me to the homepage notice stating that since kernel
2.6.20 there are problems in Shorewall itself, I upgraded to version 4.0 along
with shorewall-perl.
Upgrading the previous *really* simple Shorewall config for the box is driving
me crazy, because of the restrictions imposed (plus the aforementioned newbie
state).
The problem is: how do I translate the policy
ACCEPT $fw net
?
I tried to add a policy like:
ACCEPT $fw world
where world is defined as br0
but:
# ping -c 3 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
From 192.168.1.147 icmp_seq=1 Destination Host Unreachable
where 192.168.1.147 is the ip of the box and 192.168.1.254 is the ip of the
router/gateway in the LAN.
In the logs I get:
Shorewall:fw2world:REJECT:IN= OUT=br0 SRC=192.168.1.147 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21586 SEQ=1
Thanks for your patience and attention.
--
The Peach
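The log line quoted in the message carries the whole diagnosis: the Shorewall prefix names the chain (fw2world) and the action (REJECT), and the netfilter fields that follow show an empty IN= with OUT=br0, i.e. a packet generated on the firewall itself leaving through the bridge and being rejected by the fw-to-world policy chain. The parser below, added here as an example and not code from the post or from Shorewall, splits such lines into their prefix and header fields and explains each one in those terms. Its three sample lines are constructed (the first is the one from the message, rejoined onto one line); the zone-pair derivation assumes Shorewall's usual "<src>2<dst>" chain naming.

```python
"""Parse Shorewall/netfilter log lines and explain which zone pair's chain acted.

Added example, not part of Shorewall. The sample lines are constructed; the first
is the fw2world:REJECT line from the post, rejoined onto one line.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_LOGS = [
    # From the post: locally generated ICMP echo request (IN= is empty) leaving via br0.
    "Shorewall:fw2world:REJECT:IN= OUT=br0 SRC=192.168.1.147 DST=192.168.1.254 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=21586 SEQ=1",
    # Constructed: inbound TCP SYN to port 22 dropped by the net2fw chain.
    "Shorewall:net2fw:DROP:IN=br0 OUT= MAC=00:0d:0b:99:44:79:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.5 DST=192.168.1.147 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed: accepted outbound DNS query; the second LEN= is the UDP length.
    "Shorewall:fw2world:ACCEPT:IN= OUT=br0 SRC=192.168.1.147 DST=192.168.1.254 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=53 LEN=40",
]

# Shorewall's default log prefix: "Shorewall:<chain>:<action>:" followed by netfilter fields.
HEADER_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


@dataclass
class LogEntry:
    chain: str
    action: str
    src_zone: str                              # "" when the chain is not "<src>2<dst>" shaped
    dst_zone: str
    ip: dict = field(default_factory=dict)     # IP-header fields, up to and including PROTO=
    l4: dict = field(default_factory=dict)     # transport fields after PROTO= (ICMP/TCP/UDP)
    flags: list = field(default_factory=list)  # bare tokens such as DF or SYN


def parse_line(line: str) -> LogEntry:
    """Split one Shorewall log line into prefix, IP-header and transport-header fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    chain, action = m.group("chain"), m.group("action")
    # Policy/rule chains are named "<srczone>2<dstzone>" (fw2world, net2fw).
    # Assumption: zone names themselves contain no digit 2.
    src_zone, dst_zone = tuple(chain.split("2", 1)) if "2" in chain else ("", "")
    entry = LogEntry(chain, action, src_zone, dst_zone)
    target = entry.ip
    for token in m.group("rest").split():
        if "=" not in token:
            entry.flags.append(token)          # DF, SYN, ACK ... carry no value
            continue
        key, value = token.split("=", 1)       # MAC= values contain colons, never '='
        target[key] = value
        if key == "PROTO":
            # Keys repeat across layers (ID= for IP and ICMP, LEN= for IP and UDP), so
            # every field after PROTO= is stored in the transport-layer dict instead.
            target = entry.l4
    return entry


def explain(entry: LogEntry) -> str:
    """One-line reading of the entry: which chain acted and in which direction."""
    in_if, out_if = entry.ip.get("IN", ""), entry.ip.get("OUT", "")
    if not in_if and out_if:
        direction = f"locally generated, leaving via {out_if}"
    elif in_if and not out_if:
        direction = f"arrived on {in_if}, addressed to the firewall"
    else:
        direction = f"forwarded {in_if} -> {out_if}"
    proto = entry.ip.get("PROTO", "?")
    if proto == "ICMP":
        detail = f"ICMP type {entry.l4.get('TYPE')}"
    else:
        detail = f"{proto} {entry.l4.get('SPT')} -> {entry.l4.get('DPT')}"
    return (f"{entry.action} by {entry.chain} ({entry.src_zone}->{entry.dst_zone} policy/rules): "
            f"{direction}; {entry.ip.get('SRC')} -> {entry.ip.get('DST')} {detail}")


def count_by_chain(lines) -> dict:
    """Tally (chain, action) pairs, a quick view of which policies are firing."""
    return dict(Counter((e.chain, e.action) for e in map(parse_line, lines)))


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(explain(parse_line(sample)))
    print(count_by_chain(SAMPLE_LOGS))
```

Run against the line from the message, the parser reports "REJECT by fw2world (fw->world policy/rules): locally generated, leaving via br0", which is exactly the fw-to-world traffic the ACCEPT policy was meant to cover; keeping IP-header and transport fields in separate dicts avoids the duplicate ID=/LEN= keys silently overwriting each other.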
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users