2009/3/21 Tom Eastep <[email protected]>
> Thomas Mørch wrote:
> >
> > 2009/3/21 Tom Eastep <[email protected]>
> >
> > Thomas Mørch wrote:
> > >
> > > 2009/3/20 Tom Eastep <[email protected]>
> > >
> > > Thomas Mørch wrote:
> > > > I just did a hw upgrade on my FW (new cpu, mb etc.) but without
> > > > reinstalling my Debian system.
> > > >
> > > > But after my upgrade I can't get access to the internet through
> > > > the fw.
> > > >
> > > > 1. I can ping the FW from loc,
> > > > 2. I can ping net from FW
> > > > 3. I can't ping loc from FW? (ICMP host unreachable)
> > > > 4. I can access the apache server running on FW from both loc and net
> > >
> > > Can you do any of these things if you disable Shorewall (shorewall
> > > clear)?
> > >
> > > I tried to ping a host on loc without shorewall loaded (shorewall
> > > clear), and it worked fine.
> > > After I started shorewall I get: "From 192.168.2.12 icmp_seq=1
> > > Destination Port Unreachable"
> > > 192.168.2.12 is the firewall's loc ip address. I tried to ping
> > > 192.168.2.20 on my loc net.
> >
> > 192.168.2.20 is not in the loc zone. It is in the stat zone and you have
> > not enabled ping from fw->stat.
> >
> > stat is defined as a nested zone within loc:
> > zones:
> > loc      ipv4
> > kids:loc ipv4
> > voks:loc ipv4
> > stat:loc ipv4
> > and in hosts it's defined as a "subnet" of loc:
> > loc  eth0:192.168.2.0/24
> > kids eth0:192.168.2.192/26
> > voks eth0:192.168.2.128/26
> > stat eth0:192.168.2.127/25
> > In my policy file I have set the nested zones to CONTINUE:
> > voks all CONTINUE
> > kids all CONTINUE
> > stat all CONTINUE
> > So I thought that if I have a rule that allows the fw to ping loc, then
> > it would enable ping to the whole loc network (including voks/kids/stat
> > zones).
> >
> > Is this assumption wrong?
>
> Yes. fw->stat traffic matches none of those CONTINUE policies.
>
> You would need to add
>
> stat all CONTINUE
> kids all CONTINUE
> voks all CONTINUE
>
It works now (ping to all hosts on the loc network); also I can now use the fw as
a masq fw. Thanks for the great support, Tom :)
Now I just need to figure out how to let the kids have access to their
precious MSN messenger video calls (playing around with dante at the
moment..)
/ Thomas
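Pulling the three files from the thread together, as an added example (not from the thread or from the Shorewall project), with the CONTINUE entries written out for both directions. Shorewall's policy columns are SOURCE DEST POLICY, so `stat all CONTINUE` only matches traffic whose source zone is stat; a ping from the firewall to 192.168.2.20 is fw->stat and needs an entry with stat in the DEST column before it can fall through to the fw->loc policy. The ACCEPT/DROP/REJECT lines and the `net` zone entry are illustrative assumptions.

```text
# /etc/shorewall/zones  (zone names as posted in the thread)
#ZONE      TYPE
fw         firewall
net        ipv4
loc        ipv4
kids:loc   ipv4
voks:loc   ipv4
stat:loc   ipv4

# /etc/shorewall/hosts  (networks as posted in the thread)
#ZONE   HOSTS
loc     eth0:192.168.2.0/24
kids    eth0:192.168.2.192/26
voks    eth0:192.168.2.128/26
stat    eth0:192.168.2.127/25      # as posted; /25 masks this to 192.168.2.0/25

# /etc/shorewall/policy
#SOURCE DEST    POLICY
# Sub-zone as SOURCE: kids->net, stat->fw, ... fall through to the loc policies
kids    all     CONTINUE
voks    all     CONTINUE
stat    all     CONTINUE
# Sub-zone as DEST: fw->stat (the ping in the thread), net->kids, ... fall through
all     kids    CONTINUE
all     voks    CONTINUE
all     stat    CONTINUE
# Parent-zone policies that the sub-zones inherit via CONTINUE (assumed values)
fw      loc     ACCEPT
loc     net     ACCEPT
net     all     DROP
all     all     REJECT
```

Because the sub-zone entries come first and CONTINUE, a fw->stat packet is evaluated against the fw->stat chain, then against fw->loc, where the ACCEPT applies; any tighter rule for a single sub-zone can still be added above the CONTINUE lines.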
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users