Starwatcher | 1 Aug 2006 03:40

Hello?

Is there a problem with the list? I haven't gotten anything since 7/25.

Kev

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep | 1 Aug 2006 03:55

Re: Hello?

Starwatcher wrote:
> Is there a problem with the list? I haven't gotten anything since 7/25.

Not that I can see -- I've been receiving messages regularly.

-Tom

PS -- I am not an admin for the Shorewall lists. The Admin's email
addresses are listed on the list info page at Sourceforge.

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Roberto C. Sanchez | 1 Aug 2006 04:00

Re: Hello?

Starwatcher wrote:
> Is there a problem with the list? I haven't gotten anything since 7/25.
> 
> Kev
> 

Nothing other than that which can be attributed to the usually low
quality sourceforge mailing list service.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Tom Eastep | 1 Aug 2006 04:58

Downtime Continues

DSL service has still not been restored.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Wilson Kwok | 1 Aug 2006 14:30

Clients can't through to internet

I just set up Shorewall at my school, but now all clients can't get through to the internet; all servers can get through to the internet with NAT, and when I disabled NAT, all servers couldn't get through to the internet either.

Below is my school network:
internet ---> shorewall ----> loc ---> Cisco router ---> loc1

Below are my config files:
 
policy:
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc  net  ACCEPT
loc  $FW  DROP  info
loc  all  DROP  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW  net  DROP  info
$FW  loc  DROP  info
$FW  all  DROP  info
#
# Policies for traffic originating from the Internet zone (net)
#
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
# THE FOLLOWING POLICY MUST BE LAST
all  all  DROP  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

zones:
#ZONE TYPE OPTIONS   IN   OUT
#     OPTIONS   OPTIONS
fw firewall
net ipv4
loc1    ipv4
loc ipv4
vpn     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

rules:
####################################################################
#       Accept connections from internet to the local network      #
####################################################################
HTTP/ACCEPT   net    loc:192.168.0.8
HTTP/ACCEPT   net    loc:192.168.0.102
HTTP/ACCEPT   net    loc:192.168.0.104
HTTP/ACCEPT   net    loc:192.168.0.105
HTTP/ACCEPT   net    loc:192.168.0.106
#HTTP/ACCEPT   net    loc:192.168.0.108
#SSL/ACCEPT   net    loc:192.168.0.108
FTP/ACCEPT    net   loc:192.168.0.3 
FTP/ACCEPT    net   loc:192.168.0.8  
FTP/ACCEPT    net   loc:192.168.0.105                    
FTP/ACCEPT    net   loc:192.168.0.106                    
DNAT          net   loc:192.168.0.109  tcp      25      -         210.0.214.132
abc/ACCEPT   net    loc:192.168.0.83                
              
VNC/ACCEPT   net    loc:192.168.0.105
           
SSH/ACCEPT  net:210.3.33.242-210.3.33.254    loc:192.168.0.102             
#############################################################
# Allow connection from local network to firewall     #
#############################################################
SSH/ACCEPT       loc    $FW
Ping/ACCEPT  loc    $FW                       
#############################################################################
# Allow connection from firewall to the internet and local network    #
#############################################################################
Ping/ACCEPT     $FW    loc        
Ping/ACCEPT     $FW    net          
#DNS/ACCEPT      $FW    net
#########################################################################
# Reject Ping from the internet and prevent your log from being flooded.#
#########################################################################
Ping/DROP net    $FW              
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts:
#ZONE HOST(S)     OPTIONS
loc1    eth0:10.0.15.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

interface:
#ZONE INTERFACE BROADCAST OPTIONS
net     eth1            detect          tcpflags,routefilter,nosmurfs,norfc1918
loc     eth0            detect          tcpflags,detectnets,nosmurfs
vpn     tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq:
#ZONE INTERFACE BROADCAST OPTIONS
net     eth1            detect          tcpflags,routefilter,nosmurfs,norfc1918
loc     eth0            detect          tcpflags,detectnets,nosmurfs
vpn     tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

nat:
#EXTERNAL INTERFACE INTERNAL ALL  LOCAL
#      INTERFACES
210.0.214.130  eth1:1          192.168.0.2
210.0.214.131   eth1:2          192.168.0.83
210.0.214.132   eth1:3          192.168.0.104
210.0.214.133   eth1:4          192.168.0.105
210.0.214.134   eth1:5          192.168.0.106
210.0.214.135   eth1:6          192.168.0.102
210.0.214.136   eth1:7          192.168.0.3
210.0.214.137   eth1:8          192.168.0.8
210.0.214.138   eth1:9          192.168.0.108   
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
 

_______________________________________
YM - Offline Messages
Even when you are not online, your friends can still leave you messages; you will see them as soon as you come online, and nothing said is ever lost.
http://messenger.yahoo.com.hk

Tom Eastep | 1 Aug 2006 16:09

Re: Clients can't through to internet

Wilson Kwok wrote:
> I just set up Shorewall at my school, but now all clients can't get
> through to the internet; all servers can get through to the internet
> with NAT, and when I disabled NAT, all servers couldn't get through to
> the internet either.

Unfortunately, you have not explained where the 'clients' are and where
the 'servers' are. Are the 'clients' in zone loc1 and the servers in
'loc'?

You have also not given us any information about the IP configuration
and routing of this firewall -- Wilson, THAT INFORMATION IS IMPORTANT.

Given that the servers have RFC 1918 addresses, it is not surprising
that the servers can't access the internet if you disable NAT. But
without knowing the IP configuration (and whether the upstream routers
are configured to route 192.168.0.0/24 through the Shorewall box), we
can't possibly know if that is a problem or "just the way it works".

As I have explained hundreds of times on this list, I really don't want
to see all of your configuration files -- as described at
http://www.shorewall.net/support.htm, I would prefer that you:

a) "shorewall reset"
b) Try to connect
c) "shorewall dump > dump.txt"
d) Post the 'dump.txt' file as an attachment (compressed is best).
e) Explain:
	1) The IP address of the system that you were trying to
	   connect from.
	2) The IP address of the system that you were trying to
	   connect to.
	3) What happened (timeout? connection refused? ...)

If you do the above, then we will generally have all the information
that we need to solve your problem.

> 
> Below is my school network:
> internet ---> shorewall ----> loc ---> Cisco router ---> loc1
> 
> Below is my config files:
> 
> zones:
> #ZONE TYPE OPTIONS   IN   OUT
> #     OPTIONS   OPTIONS
> fw firewall
> net ipv4
> loc1    ipv4
> loc ipv4
> vpn     ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
> 
> rules:
> ####################################################################
> #       Accept connections from internet to the local network      #
> ####################################################################
> HTTP/ACCEPT   net    loc:192.168.0.8
> HTTP/ACCEPT   net    loc:192.168.0.102
> HTTP/ACCEPT   net    loc:192.168.0.104
> HTTP/ACCEPT   net    loc:192.168.0.105
> HTTP/ACCEPT   net    loc:192.168.0.106
> #HTTP/ACCEPT   net    loc:192.168.0.108
> #SSL/ACCEPT   net    loc:192.168.0.108
> FTP/ACCEPT    net   loc:192.168.0.3 
> FTP/ACCEPT    net   loc:192.168.0.8  
> FTP/ACCEPT    net   loc:192.168.0.105                    
> FTP/ACCEPT    net   loc:192.168.0.106                    
> DNAT          net   loc:192.168.0.109  tcp      25      -        
> 210.0.214.132
> abc/ACCEPT   net    loc:192.168.0.83                
>               
> VNC/ACCEPT   net    loc:192.168.0.105
>            
> SSH/ACCEPT  net:210.3.33.242-210.3.33.254    loc:192.168.0.102             
> #############################################################
> # Allow connection from local network to firewall     #
> #############################################################
> SSH/ACCEPT       loc    $FW
> Ping/ACCEPT  loc    $FW 

So you are not accepting Ping from loc1->$FW? Can your 'clients' ping the
firewall if you add:

Ping/ACCEPT    loc1   $FW

> #############################################################################
> # Allow connection from firewall to the internet and local network    #
> #############################################################################
> Ping/ACCEPT     $FW    loc

Ditto here... If you add:

Ping/ACCEPT    $FW    loc1

Then can the firewall ping hosts in the loc1 zone?

> Ping/ACCEPT     $FW    net          
> #DNS/ACCEPT      $FW    net
> #########################################################################
> # Reject Ping from the internet and prevent your log from being flooded.#
> #########################################################################
> Ping/DROP net    $FW              
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Your rules file doesn't mention the 'loc1' zone at all and your policies
forbid any access to that zone. So communication to/from 'loc1' is not
possible with Shorewall started. Do you really need the 'loc1' zone? See
http://www.shorewall.net/Multiple_Zones.html

> 
> hosts:
> #ZONE HOST(S)     OPTIONS
> loc1    eth0:10.0.15.0/24
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
> 
> interface:
> #ZONE INTERFACE BROADCAST OPTIONS
> net     eth1            detect         
> tcpflags,routefilter,nosmurfs,norfc1918
> loc     eth0            detect          tcpflags,detectnets,nosmurfs

The 'detectnets' option isn't appropriate when you have two zones
connected through the same interface.

> vpn     tun0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> masq:
> #ZONE INTERFACE BROADCAST OPTIONS
> net     eth1            detect         
> tcpflags,routefilter,nosmurfs,norfc1918
> loc     eth0            detect          tcpflags,detectnets,nosmurfs
> vpn     tun0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 

That can't possibly be your /etc/shorewall/masq file -- it is an exact
copy of what you posted for /etc/shorewall/interfaces!

Please provide the information requested above and we will try to help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
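A check for the three problems Tom points out above, as an added example (not code from the thread or from Shorewall itself): it embeds the files Wilson posted as sample input and reports zones that no policy or rule names explicitly (here loc1, and vpn as well), an interface carrying 'detectnets' while the hosts file puts a second zone on it, and a masq file that duplicates interfaces. The parser is a deliberately simplified approximation of Shorewall's file format, an assumption of this example.

```python
"""Lint a Shorewall configuration for the mistakes discussed in this thread.

Added example, not part of the original thread or of Shorewall itself.
The sample files below are copied from Wilson's message; comments and the
long list of DNAT/ACCEPT rules are trimmed because they do not affect the
checks.
"""

ZONES = """
fw firewall
net ipv4
loc1    ipv4
loc ipv4
vpn     ipv4
"""

POLICY = """
loc  net  ACCEPT
loc  $FW  DROP  info
loc  all  DROP  info
$FW  net  DROP  info
$FW  loc  DROP  info
$FW  all  DROP  info
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
all  all  DROP  info
"""

RULES = """
HTTP/ACCEPT   net    loc:192.168.0.8
SSH/ACCEPT  net:210.3.33.242-210.3.33.254    loc:192.168.0.102
SSH/ACCEPT       loc    $FW
Ping/ACCEPT  loc    $FW
Ping/ACCEPT     $FW    loc
Ping/ACCEPT     $FW    net
Ping/DROP net    $FW
"""

HOSTS = """
loc1    eth0:10.0.15.0/24
"""

INTERFACES = """
net     eth1            detect          tcpflags,routefilter,nosmurfs,norfc1918
loc     eth0            detect          tcpflags,detectnets,nosmurfs
vpn     tun0
"""

# Wilson posted the interfaces file a second time under "masq:".
MASQ = INTERFACES


def entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_of(field):
    """'loc:192.168.0.8' -> 'loc'; '$FW' -> 'fw' (the firewall's own zone)."""
    name = field.split(":", 1)[0]
    return "fw" if name == "$FW" else name


def unreferenced_zones(zones, policy, rules):
    """Declared zones never named in policy or rules (the 'all' wildcard does not count).

    Traffic to or from such a zone only ever matches catch-all policies, so with
    an 'all all DROP' policy the zone is cut off as soon as Shorewall starts.
    """
    declared = {f[0] for f in entries(zones)}
    named = set()
    for f in entries(policy):
        named.update(zone_of(x) for x in f[:2])
    for f in entries(rules):
        if len(f) >= 3:
            named.update(zone_of(x) for x in f[1:3])
    named.discard("all")
    return sorted(declared - named)


def detectnets_conflicts(interfaces, hosts):
    """Interfaces with 'detectnets' that the hosts file also assigns to another zone."""
    zones_on = {}  # interface name -> zones the hosts file places on it
    for f in entries(hosts):
        zones_on.setdefault(f[1].split(":", 1)[0], set()).add(f[0])
    conflicts = []
    for f in entries(interfaces):
        zone, iface = f[0], f[1]
        opts = f[3].split(",") if len(f) > 3 else []
        if "detectnets" in opts and (zones_on.get(iface, set()) - {zone}):
            conflicts.append(iface)
    return conflicts


def masq_is_copy_of_interfaces(masq, interfaces):
    """True when the masq file is field-for-field identical to interfaces."""
    return list(entries(masq)) == list(entries(interfaces))


def lint():
    return {
        "unreferenced_zones": unreferenced_zones(ZONES, POLICY, RULES),
        "detectnets_conflicts": detectnets_conflicts(INTERFACES, HOSTS),
        "masq_is_copy_of_interfaces": masq_is_copy_of_interfaces(MASQ, INTERFACES),
    }


if __name__ == "__main__":
    for check, result in lint().items():
        print(f"{check}: {result}")
```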

Tom Eastep | 1 Aug 2006 18:50

Service restored to shorewall.net

My DSL service has been restored. The following systems should now be accessible
again:

www1.shorewall.net
ftp1.shorewall.net
lists.shorewall.net
mail.shorewall.net
rsync.shorewall.net

My apologies for any inconvenience,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

David Fletcher | 1 Aug 2006 22:39

Re: Syslog messages ipt_physdev & iptable_raw after upgrade

On Sat, 29 Jul 2006 12:11:55 -0700
shorewall-users-request <at> lists.sourceforge.net wrote:

> >      modprobe: Can't locate module ipt_physdev
> >      modprobe: Can't locate module iptable_raw 
> > 
> 
> These are harmless. They result when Shorewall is probing your system to
> determine which features it supports.
> 
> -Tom

Thanks Tom, it's good to know I don't have to worry about these.

David.

Wilson Kwok | 2 Aug 2006 03:46

Reply: Re: Clients can't through to internet

Dear Tom Eastep,

Thank you for your reply. I sent the attached file to this account: teastep <at> shorewall.net.

Thanks


Wilson Kwok | 2 Aug 2006 04:00

Reply: Re: Clients can't through to internet

1) The IP address of the system that you were trying to
   connect from.

   I can connect to the school's NATed server from home.

2) The IP address of the system that you were trying to
   connect to.

   All clients can't connect to the world, except all servers with NAT.

3) What happened (timeout? connection refused? ...)

   I checked /var/log/messages, but there is no timeout, connection refused, etc.

