2009/3/21 Tom Eastep <[email protected]>

> Thomas Mørch wrote:
> >
> > 2009/3/20 Tom Eastep <[email protected]>
> >
> >     Thomas Mørch wrote:
> >     > I just did a hw upgrade on my FW (new CPU, MB etc.) but without
> >     > a reinstall of my Debian system.
> >     >
> >     > But after my upgrade I can't get access to the internet through
> >     > the FW.
> >     >
> >     > 1. I can ping the FW from loc,
> >     > 2. I can ping net from FW
> >     > 3. I can't ping loc from FW? (ICMP host unreachable)
> >     > 4. I can access the Apache server running on FW from both loc and
> >     > net
> >
> >     Can you do any of these things if you disable Shorewall (shorewall
> >     clear)?
> >
> > I tried to ping a host on loc, without Shorewall loaded (shorewall
> > clear), and it worked fine.
> > After I started Shorewall I get: "From 192.168.2.12 icmp_seq=1
> > Destination Port Unreachable"
> > 192.168.2.12 is the firewall's loc IP address. I tried to ping
> > 192.168.2.20 on my loc net.
>
> 192.168.2.20 is not in the loc zone. It is in the stat zone and you have
> not enabled ping from fw->stat.
>

stat is defined as a nested zone within loc:
zones:
loc     ipv4
kids:loc        ipv4
voks:loc        ipv4
stat:loc        ipv4
and in hosts it's defined as a "subnet" of loc:
loc     eth0:192.168.2.0/24
kids    eth0:192.168.2.192/26
voks    eth0:192.168.2.128/26
stat    eth0:192.168.2.127/25
In my policy file I have set the nested zones to CONTINUE:
voks            all             CONTINUE
kids            all             CONTINUE
stat            all             CONTINUE
So I thought that if I have a rule that allows the fw to ping loc, then it
would enable ping to the whole loc network (including voks/kids/stat zones).

Is this assumption wrong?

/ Thomas
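An added example (not from the thread or from Shorewall) that resolves an address against the hosts entries quoted above, picking the most deeply nested zone, which is why 192.168.2.20 lands in stat rather than loc; it also shows that 192.168.2.127/25 has host bits set and, once masked, is really 192.168.2.0/25. The hosts table and test addresses are constructed from the message; the zone-resolution logic is this example's own, not Shorewall's code.

```python
import ipaddress

# Constructed from the zones/hosts entries in the message above:
# (zone, interface, network, parent zone or None).
HOSTS = [
    ("loc",  "eth0", "192.168.2.0/24",   None),
    ("kids", "eth0", "192.168.2.192/26", "loc"),
    ("voks", "eth0", "192.168.2.128/26", "loc"),
    ("stat", "eth0", "192.168.2.127/25", "loc"),
]


def normalize(cidr):
    """Mask off host bits, as a packet filter does: 192.168.2.127/25 -> 192.168.2.0/25."""
    return ipaddress.ip_network(cidr, strict=False)


def zone_depth(zone, parents):
    """Nesting depth of a zone: loc is 0, a zone declared as X:loc is 1, and so on."""
    depth = 0
    while parents.get(zone):
        zone = parents[zone]
        depth += 1
    return depth


def resolve_zone(addr):
    """Return (most specific zone, all matching zones in table order) for addr."""
    ip = ipaddress.ip_address(addr)
    parents = {zone: parent for zone, _, _, parent in HOSTS}
    nets = {zone: normalize(net) for zone, _, net, _ in HOSTS}
    matches = [zone for zone, _, _, _ in HOSTS if ip in nets[zone]]
    if not matches:
        return None, []
    # Deepest nested zone wins; ties broken by longest prefix.
    best = max(matches, key=lambda z: (zone_depth(z, parents), nets[z].prefixlen))
    return best, matches


if __name__ == "__main__":
    for target in ("192.168.2.20", "192.168.2.150", "192.168.2.200", "10.0.0.1"):
        best, matched = resolve_zone(target)
        print(f"{target}: zone={best} (matches {matched})")
    print("stat network after masking:", normalize("192.168.2.127/25"))
```

The ping target in the thread, 192.168.2.20, matches both loc and stat, and stat is the more specific zone.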
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users