Tom Eastep | 12 Feb 02:06 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Saturday 11 February 2006 16:57, Lee Zelyck wrote:

>
> Feb 11 12:24:02 firewall kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00
> SRC=192.168.77.10 DST=192
> .168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322
> DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00
> SYN URGP=0

You are running a proxy on the firewall.
That proxy is listening on port 8080.
You have not taken the steps necessary to enable this manual proxy.
For instructions, please see 
http://www1.shorewall.net/Shorewall_Squid_Usage.html.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
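To make Tom's reading of that log line reproducible, here is an added Python example (not code from the thread or from Shorewall) that parses a `Shorewall:<chain>:<disposition>:` kernel log line into its fields and then states the diagnosis in zone terms: `OUT=` is empty and `DST` is the firewall's own address, so the packet was addressed to `$FW`, and the all2all policy rejected it. The interface-to-zone map and the set of firewall addresses are assumptions; the sample line is the one quoted above, re-joined onto one line.

```python
import re

# Constructed sample: the kernel log line quoted in the thread, re-joined onto
# one line (the list archive wrapped it).  Every field value is the one that
# appears on the page; nothing is invented.
SAMPLE_LOG = (
    "Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 "
    "DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF "
    "PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Assumed interface-to-zone map for the firewall in the thread (eth1 = local
# LAN, eth0 = Internet).  On a real box this comes from /etc/shorewall/interfaces.
IFACE_ZONES = {"eth1": "loc", "eth0": "net"}

# Shorewall logs with the prefix "Shorewall:<chain>:<disposition>:" followed by
# the usual netfilter key=value fields and bare flag tokens.
PREFIX_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$"
)


def parse_shorewall_log(line):
    """Return a dict for a Shorewall kernel log line, or None if it is not one.

    key=value tokens become dict entries (an empty value such as OUT= is kept
    as ""); bare tokens such as DF and SYN are collected under "flags".
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def explain(rec, firewall_addrs, iface_zones=IFACE_ZONES):
    """Describe a REJECT/DROP record in Shorewall terms and give the rule shape.

    firewall_addrs: set of IP addresses that belong to the firewall itself.
    A packet with OUT= empty and DST owned by the firewall was addressed to the
    firewall ($FW), not forwarded, so any ACCEPT rule needs $FW as its
    destination zone.  Returns None for records that were not rejected.
    """
    if rec["disposition"] not in ("REJECT", "DROP"):
        return None
    src_zone = iface_zones.get(rec.get("IN", ""), "?")
    proto = rec.get("PROTO", "?").lower()
    port = rec.get("DPT", "?")
    if rec.get("OUT", "") == "" and rec.get("DST") in firewall_addrs:
        dest, where = "$FW", "the firewall itself"
    else:
        dest = iface_zones.get(rec.get("OUT", ""), "?")
        where = f"zone {dest}"
    return (f"chain {rec['chain']} {rec['disposition']}ed {proto}/{port} from "
            f"{rec.get('SRC')} ({src_zone}) to {where}; to allow it, add "
            f"'ACCEPT {src_zone} {dest} {proto} {port}' after SECTION NEW "
            f"in /etc/shorewall/rules")


if __name__ == "__main__":
    record = parse_shorewall_log(SAMPLE_LOG)
    print(record)
    print(explain(record, {"192.168.77.254"}))
```

Run against the sample line, `explain` names the `ACCEPT loc $FW tcp 8080` rule that the Squid page calls for; the same parser works on any Shorewall log line, and feeding it lines whose `OUT=` is non-empty yields the forwarded-traffic form of the rule instead.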
Lee Zelyck | 12 Feb 02:45 2006

Re: Local Network Can't Get Past Shorewall to the Internet

Hello Mr. Eastep!

Thank you for pointing me in the direction of the
squid configuration page.  I had somehow surfed past
that one.

Anyway, I followed the steps at the bottom of the
page, and made the appropriate changes to my
/etc/shorewall/rules.  The result is that 'rules' now
looks like:

firewall:/etc/shorewall# more rules.short
ACCEPT  loc             $FW             tcp     8080
ACCEPT  $FW             net             tcp     80,443
SECTION NEW

However, when I try to start shorewall with these new
rules I get errors:

firewall:/etc/shorewall# /etc/init.d/shorewall stop
Stopping "Shorewall firewall": done.
firewall:/etc/shorewall# /etc/init.d/shorewall start
Starting "Shorewall firewall": /etc/init.d/shorewall:
line 77: 23697 Terminated              $SRWL start
>>$INITLOG 2>&1
not done (check /var/log/shorewall-init.log).
firewall:/etc/shorewall#

The messages in /var/log/shorewall-init.log say:


Tom Eastep | 12 Feb 03:44 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Saturday 11 February 2006 17:45, Lee Zelyck wrote:
> Hello Mr. Eastep!
>
> Thank you for pointing me in the direction of the
> squid configuration page.  I had somehow surfed past
> that one.
>
> Anyway, I followed the steps at the bottom of the
> page, and made the appropriate changes to my
> /etc/shorewall/rules.  The result is that 'rules' now
> looks like:
>
> firewall:/etc/shorewall# more rules.short
> ACCEPT  loc             $FW             tcp     8080
> ACCEPT  $FW             net             tcp     80,443
> SECTION NEW

Didn't you wonder what that SECTION thingy was? HINT: PUT YOUR RULES AFTER IT.

Also, if you haven't configured your firewall using one of the Guides at 
http://www.shorewall.net/shorewall_quickstart_guide.htm then please do so 
before posting again.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Lee Zelyck | 12 Feb 04:06 2006

Re: Local Network Can't Get Past Shorewall to the Internet

Hi again Mr. Eastep,

> > firewall:/etc/shorewall# more rules.short
> > ACCEPT  loc             $FW             tcp     8080
> > ACCEPT  $FW             net             tcp     80,443
> > SECTION NEW
> 
> Didn't you wonder what that SECTION thingy was?
> HINT: PUT YOUR RULES AFTER IT.

Well, I did wonder, but I guess it just didn't occur
to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'.
Now that I know, I can certainly appreciate its
inclusion, and for your pointing it out.

> Also, if you haven't configured your firewall using
> one of the Guides at
> http://www.shorewall.net/shorewall_quickstart_guide.htm
> then please do so
> before posting again.

Thank you.  I have been using this one
http://www.shorewall.net/two-interface.htm.

Thanks again,
Lee


Tom Eastep | 12 Feb 04:18 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Saturday 11 February 2006 19:06, Lee Zelyck wrote:

> >
> > Didn't you wonder what that SECTION thingy was?
> > HINT: PUT YOUR RULES AFTER IT.
>
> Well, I did wonder, but I guess it just didn't occur
> to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'.
> Now that I know, I can certainly appreciate its
> inclusion, and for your pointing it out.
>

1. All of the rules that Shorewall had provided for you were after "SECTION 
NEW"
2. You wondered about it but still added your rules BEFORE the "SECTION NEW".
3. When you saw an error message that said

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 12 Feb 04:21 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Saturday 11 February 2006 19:18, Tom Eastep wrote:
> On Saturday 11 February 2006 19:06, Lee Zelyck wrote:
> > > Didn't you wonder what that SECTION thingy was?
> > > HINT: PUT YOUR RULES AFTER IT.
> >
> > Well, I did wonder, but I guess it just didn't occur
> > to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'.
> > Now that I know, I can certainly appreciate its
> > inclusion, and for your pointing it out.
>
> 1. All of the rules that Shorewall had provided for you were after "SECTION
> NEW"
> 2. You wondered about it but still added your rules BEFORE the "SECTION
> NEW".
> 3. When you saw an error message that said 

   ERROR: Duplicate or out of order SECTION NEW

then you didn't connect the two?

Ok....

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 12 Feb 04:57 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Saturday 11 February 2006 19:21, Tom Eastep wrote:
> On Saturday 11 February 2006 19:18, Tom Eastep wrote:
> > On Saturday 11 February 2006 19:06, Lee Zelyck wrote:
> > > > Didn't you wonder what that SECTION thingy was?
> > > > HINT: PUT YOUR RULES AFTER IT.
> > >
> > > Well, I did wonder, but I guess it just didn't occur
> > > to me that 'SECTION NEW' meant 'PLACE NEW RULES HERE'.
> > > Now that I know, I can certainly appreciate its
> > > inclusion, and for your pointing it out.
> >
> > 1. All of the rules that Shorewall had provided for you were after
> > "SECTION NEW"
> > 2. You wondered about it but still added your rules BEFORE the "SECTION
> > NEW".
> > 3. When you saw an error message that said
>
>    ERROR: Duplicate or out of order SECTION NEW
>
> then you didn't connect the two?
>
> Ok....

I've added the following instructions to the rules file in both the 3.0 and 
3.1 threads...

# NOTE: If you don't understand the above description of SECTIONS then just 
#       PUT YOUR RULES AFTER THE "SECTION NEW" BELOW.

Hopefully that will help.
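The "Duplicate or out of order SECTION NEW" error that Tom quotes, and the NOTE he added to the rules file, both come down to one ordering check. As an added example (not Shorewall's own parser, which is a shell script, and not code from the thread), here is a Python checker that reports that error on a rules file laid out the way Lee's was, plus a helper that moves stray rules to after `SECTION NEW`. The sample file is constructed from the rules Lee posted and the stock file's commented markers; the model of how a rule before any SECTION line implicitly opens the NEW section is an assumption made to match the error seen in the thread.

```python
# Constructed sample of a Shorewall 3.x rules file laid out the way Lee's was:
# the ACCEPT lines from the thread sit *before* "SECTION NEW".  The commented
# section markers and the "#LAST LINE" marker mimic the stock file's layout.
BROKEN_RULES = """\
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT  loc             $FW             tcp     8080
ACCEPT  $FW             net             tcp     80,443
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# The sections a rules file may declare, in the order Shorewall requires.
SECTION_ORDER = ("ESTABLISHED", "RELATED", "NEW")


def _body(raw):
    """Strip a trailing comment and surrounding whitespace from a rules line."""
    return raw.split("#", 1)[0].strip()


def check_rules(text):
    """Return [(lineno, message), ...] for section problems in a rules file.

    Assumed model of the behaviour seen in the thread: a rule that appears
    before any SECTION line implicitly opens the NEW section, so an explicit
    "SECTION NEW" further down is then a duplicate.  Sections must also appear
    in SECTION_ORDER.
    """
    problems = []
    current = None       # section we are currently in (None before any)
    implicit = False     # True when NEW was opened by a rule, not a SECTION line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _body(raw)
        if not line:
            continue
        fields = line.split()
        if fields[0] != "SECTION":
            if current is None:
                current, implicit = "NEW", True
            continue
        name = fields[1] if len(fields) > 1 else ""
        if name not in SECTION_ORDER:
            problems.append((lineno, f"Unknown SECTION {name}"))
        elif current is not None and SECTION_ORDER.index(name) <= SECTION_ORDER.index(current):
            msg = f"Duplicate or out of order SECTION {name}"
            if implicit:
                msg += " (a rule above this line already opened the NEW section)"
            problems.append((lineno, msg))
        else:
            current, implicit = name, False
    return problems


def move_rules_after_new(text):
    """Move rules that precede the first SECTION line to just after SECTION NEW.

    Returns the text unchanged when it has no "SECTION NEW" line, because rules
    in a file without sections are already treated as NEW.
    """
    stray, rest, seen_section = [], [], False
    for raw in text.splitlines():
        body = _body(raw)
        if body.split()[:1] == ["SECTION"]:
            seen_section = True
        if body and not seen_section:
            stray.append(raw)
        else:
            rest.append(raw)
    out, moved = [], False
    for raw in rest:
        out.append(raw)
        if _body(raw).split() == ["SECTION", "NEW"]:
            out.extend(stray)
            moved = True
    return "\n".join(out) + "\n" if moved else text


if __name__ == "__main__":
    for lineno, msg in check_rules(BROKEN_RULES):
        print(f"line {lineno}: {msg}")
    print(move_rules_after_new(BROKEN_RULES))
```

On the sample file the checker flags line 6, the `SECTION NEW` line, with exactly the message from the thread, and after `move_rules_after_new` it reports nothing; the `#LAST LINE` marker stays where it was, since it is a comment and only the stray rules move.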

Lee Zelyck | 12 Feb 18:59 2006

Re: Local Network Can't Get Past Shorewall to the Internet

Hi again Mr. Eastep,

> > > 1. All of the rules that Shorewall had provided for you were after
> > > "SECTION NEW"

Well, perhaps I'm thick, but I just didn't see all of
the 'rules that shorewall had provided' prior to the
"SECTION NEW" line.  There was quite an excellent list
of examples, but no 'rules' in the actual 'rules'
file like the one I subsequently added.

> > > 2. You wondered about it but still added your rules BEFORE the "SECTION
> > > NEW".

Umm.. yeah.  Sorry. I just saw the line "#LAST LINE --
ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" and
thought that anywhere above it was fine.  Perhaps I
thought the line was commented out the same as the
preceding sections: '#SECTION ESTABLISHED' and
'#SECTION RELATED'.

> > > 3. When you saw an error message that said
> >    ERROR: Duplicate or out of order SECTION NEW
> > then you didn't connect the two?
> >
> > Ok....


Tom Eastep | 12 Feb 20:41 2006

Re: Local Network Can't Get Past Shorewall to the Internet

On Sunday 12 February 2006 09:59, Lee Zelyck wrote:

>
> > I've added the following instructions to the rules
> > file in both the 3.0 and
> > 3.1 threads...
> >
> > # NOTE: If you don't understand the above
> > description of SECTIONS then just
> > #       PUT YOUR RULES AFTER THE "SECTION NEW"
> > BELOW.
> >
> > Hopefully that will help.
>
> I'm certain it will.
>

I've also added a warning to each of the QuickStart Guides, cautioning folks 
to add their rules after the line that reads SECTION NEW. 

Sorry for the unclear instructions,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Lee Zelyck | 12 Feb 20:46 2006

Re: Local Network Can't Get Past Shorewall to the Internet

Hi Mr. Eastep,

> I've also added a warning to each of the QuickStart
> Guides, cautioning folks 
> to add their rules after the line that reads SECTION
> NEW. 

I think that will also help.

> Sorry for the unclear instructions,

I certainly wouldn't call the instructions or comments
unclear.  I think it's just a new lingo.  Thank you
very much for all your help clarifying it to me.

Sincerely,
Lee

> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep <at> shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> 

