Bill

  From the FW I can ping out into the internet, and Firefox will connect to websites. But from 192.168.2.8 neither will work, and nothing shows up in the messages file.

As frustrated as I am, I am sure it's worse for you since you can't see what is going on here.
I am sure I have some minor statement wrong that's keeping it from running.

Thanks for your help
Jim



On 12/12/2017 12:45 PM, Bill Shirley wrote:
If you want to accept traffic from the wan zone, add a policy before the wan  all  DROP  info line:
wan    fw     ACCEPT
wan    all    DROP    info

OR add a rule:
SECTION NEW
ACCEPT  wan:192.168.1.1  fw  tcp  http

Bill

On 12/12/2017 2:36 PM, jamby wrote:
Bill
  Made those changes and attached the new files. Still not getting it to work.

Dec 12 11:19:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56014 DF PROTO=TCP SPT=41759 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:19:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26910 DF PROTO=TCP SPT=43434 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:20:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=650 DF PROTO=TCP SPT=58137 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:20:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7580 DF PROTO=TCP SPT=38121 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:20:19 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14461 DF PROTO=TCP SPT=45742 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0


Dec 12 11:26:18 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45571 DF PROTO=TCP SPT=41082 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:26:18 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4613 DF PROTO=TCP SPT=35884 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 12 11:26:18 nub3 kernel: Shorewall:wan-fw:REJECT:IN=enp4s0 OUT= MAC=00:18:f8:0c:9e:a6:b4:75:0e:39:a6:c4:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27356 DF PROTO=TCP SPT=40756 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0



On 12/12/2017 11:02 AM, Bill Shirley wrote:
For Red Hat based systems, yes remove GATEWAY= from
/etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-enp3s0

Ensure that there is a:

GATEWAY=192.168.1.1

DEFROUTE=yes

in /etc/sysconfig/network-scripts/ifcfg-enp4s0

Bill


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="no"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
#IPADDR="192.168.2.3"
IPADDR="192.168.2.1"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp3s0"
DEVICE="enp3s0"
ONBOOT="yes"

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
GATEWAY="192.168.1.1"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
#IPADDR="192.168.2.6"
IPADDR="192.168.1.2"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp4s0"
DEVICE="enp4s0"
ONBOOT="yes"
#
# Shorewall - Sample Policy File for two-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

fw              all             ACCEPT
lan             fw              ACCEPT
lan             wan             ACCEPT
wan             fw              ACCEPT
#wan            all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#
# Shorewall - Sample Rules File for two-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
###############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the wan
#
Invalid(DROP)   wan             all             tcp
#
#       Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW             wan
#
#       Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     lan             $FW
#
#       Allow Ping from the local network
#
Ping(ACCEPT)    lan             $FW

### added now 11dec17 3:18

Ping(ACCEPT)    lan             wan

#
# Drop Ping from the "bad" wan zone.. and prevent your log from being flooded..
#

Ping(DROP)      wan             $FW

ACCEPT          $FW             lan             icmp
ACCEPT          $FW             wan             icmp
#



##       Allow Mail both ways local network
##

ACCEPT          lan             $FW       tcp   smtp
ACCEPT          $FW             lan       tcp   smtp

#
#       Allow http both ways local network
#


ACCEPT          lan             $FW       tcp   http
ACCEPT          $FW             lan       tcp   http

#
#  Allow Ntpd from lan to $FW 
#


NTP(ACCEPT)     lan             $FW
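Bill's note above about putting `wan fw ACCEPT` before the `wan all DROP info` line relies on Shorewall applying the first policy line whose SOURCE and DEST match. This added Python snippet (not code from the thread or from the Shorewall project) parses a policy file shaped like the one attached, applies that first-match rule, and flags a zone-wide ACCEPT from wan to the firewall, which admits every service on the firewall rather than the single http rule in Bill's alternative. The zone names and file contents are constructed from the attachment.

```python
"""First-match evaluation of a Shorewall policy file (added example)."""
import re

# Constructed sample mirroring the policy file attached to the thread.
USER_POLICY = """\
fw              all             ACCEPT
lan             fw              ACCEPT
lan             wan             ACCEPT
wan             fw              ACCEPT
#wan            all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
"""

# Bill's first suggestion: uncomment the explicit DROP for everything else from wan.
SUGGESTED_POLICY = USER_POLICY.replace("#wan ", "wan  ")

# The narrower alternative: no zone-wide wan->fw ACCEPT; one http rule in the
# rules file would carry the single allowed service instead.
NARROW_POLICY = USER_POLICY.replace("wan             fw              ACCEPT\n", "")


def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        src, dst, policy = fields[:3]
        loglevel = fields[3] if len(fields) > 3 else "-"
        entries.append((src, dst, policy.upper(), loglevel))
    return entries


def lookup(entries, src_zone, dst_zone):
    """First matching policy wins; 'all' matches any zone on either side."""
    for src, dst, policy, loglevel in entries:
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return policy, loglevel
    return None  # no policy covers this zone pair


def wide_open_from(entries, untrusted="wan", firewall="fw"):
    """True if an ACCEPT policy exposes every firewall service to the untrusted zone."""
    return any(src == untrusted and dst in (firewall, "all") and policy == "ACCEPT"
               for src, dst, policy, _ in entries)
```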