[Shorewall-newbies] Initial Configuration Errors

Gil Price gprice at gilprice.com
Sun Jan 4 17:55:31 PST 2004


Good Evening,

I have used shorewall successfully in the past, but this is a new server 
and my memory of old configurations has escaped me.

I've configured Shorewall on a standalone Redhat 9 server running web, 
pop, smtp and webmin services. The server is behind a Netgear router on 
a cable modem broadband connection. I am port forwarding 80, 25, 110, 
8000, and 8080 to my Linux web/e-mail server.

I have copied the one-netcard configuration files I downloaded from the 
shorewall website into the /etc/shorewall directory; I have only 
modified the rules file.

I have configured the Shorewall rules file with the following:

##############################################################################
#ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER
#                                     PORT     PORT(S)    DEST        LIMIT    SET
ACCEPT     net       fw      icmp     8
ACCEPT     net       fw      tcp      80       -
ACCEPT     net       fw      tcp      110
ACCEPT     net       fw      tcp      25
ACCEPT     net       fw      tcp      10000
ACCEPT     net       fw      tcp      8000
ACCEPT     net       fw      tcp      8080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The problem is that when I start shorewall, nothing gets returned from the box. Here is a sample of a port 80 and port 25 request from the log file:

Jan  4 15:02:58 ramirez kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:c0:9f:20:f0:30:00:09:5b:51:11:90:08:00 SRC=66.133.198.228 DST=192.168.168.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=17431 PROTO=TCP SPT=1674 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0

Jan  4 15:02:58 ramirez kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:c0:9f:20:f0:30:00:09:5b:51:11:90:08:00 SRC=24.168.206.40 DST=192.168.168.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18178 PROTO=TCP SPT=1970 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

Do I need to configure outbound rules? I thought from my reading that anything outbound from the server would be allowed by default. If I need the outbound rules, would they look like this:

ACCEPT     fw        net     tcp      80       -
ACCEPT     fw        net     tcp      110
ACCEPT     fw        net     tcp      25
ACCEPT     fw        net     tcp      10000
ACCEPT     fw        net     tcp      8000
ACCEPT     fw        net     tcp      8080

So in effect needing 2 rules for each port? One in and one out?

Thanks for any help; I am currently not running shorewall until I can get this little issue fixed.

-- 
Gil Price
Lexington, SC
http://www.gilprice.com

"Excellence is the result of caring more than others think is wise; risking more than others think is safe; dreaming more than others think is practical; and expecting more than others think is possible."
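An added diagnostic example (not part of the original post or of Shorewall itself) that cross-checks the quoted log lines against the quoted rules file: it parses both, then reports every logged DROP on an inbound interface whose protocol and destination port match an ACCEPT net->fw rule. A non-empty result means the rules file is not being applied to that traffic as written (wrong zone names, the rules file not being loaded, or the packet being dropped in a chain evaluated earlier), which is worth establishing before adding more rules. The rule and log text are copies of what the message quotes; the zone names `net` and `fw` and the field layout are taken from the rules file as posted.

```python
"""Cross-check Shorewall DROP log lines against ACCEPT rules in a rules file.

Added example, not from the original post. Inputs below are copied from the
message; the parser assumes the classic whitespace-separated rules layout
(ACTION SOURCE DEST PROTO DEST-PORT ...) shown there.
"""
import re

# Rules file as quoted in the message (constructed copy).
RULES_TEXT = """\
#ACTION  SOURCE  DEST  PROTO  DEST   SOURCE  ORIGINAL  RATE  USER
ACCEPT   net     fw    icmp   8
ACCEPT   net     fw    tcp    80     -
ACCEPT   net     fw    tcp    110
ACCEPT   net     fw    tcp    25
ACCEPT   net     fw    tcp    10000
ACCEPT   net     fw    tcp    8000
ACCEPT   net     fw    tcp    8080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Kernel log lines as quoted in the message (constructed copy).
LOG_TEXT = """\
Jan  4 15:02:58 ramirez kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:c0:9f:20:f0:30:00:09:5b:51:11:90:08:00 SRC=66.133.198.228 DST=192.168.168.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=17431 PROTO=TCP SPT=1674 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  4 15:02:58 ramirez kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:c0:9f:20:f0:30:00:09:5b:51:11:90:08:00 SRC=24.168.206.40 DST=192.168.168.5 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18178 PROTO=TCP SPT=1970 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<disposition>:<key=value ...>" as written by the kernel.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<kv>.*)$")


def parse_rules(text):
    """Return ACTION/SOURCE/DEST/PROTO/DPORT dicts, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        rules.append({
            "action": f[0],
            "source": f[1],
            "dest": f[2],
            "proto": f[3].lower(),
            # "-" means "any port"; for icmp the column holds the ICMP type.
            "dport": f[4] if len(f) > 4 and f[4] != "-" else None,
        })
    return rules


def parse_log_line(line):
    """Extract chain, disposition and the packet fields from one log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": kv.get("IN", ""),
        "src": kv.get("SRC"),
        "proto": kv.get("PROTO", "").lower(),
        # TCP/UDP log DPT=; ICMP logs TYPE= instead.
        "dport": kv.get("DPT") or kv.get("TYPE"),
    }


def find_unexpected_drops(rules, log_text, src_zone="net", dst_zone="fw"):
    """Inbound DROPs whose proto/port an ACCEPT src_zone->dst_zone rule covers."""
    accepts = [r for r in rules if r["action"] == "ACCEPT"
               and r["source"] == src_zone and r["dest"] == dst_zone]
    hits = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None or ev["disposition"] != "DROP" or not ev["in"]:
            continue
        for r in accepts:
            if r["proto"] == ev["proto"] and r["dport"] in (None, ev["dport"]):
                hits.append((ev["src"], ev["proto"], ev["dport"], ev["chain"]))
                break
    return hits


if __name__ == "__main__":
    for src, proto, port, chain in find_unexpected_drops(parse_rules(RULES_TEXT), LOG_TEXT):
        print(f"dropped in chain {chain}: {src} -> {proto}/{port} although an ACCEPT rule exists")
```

Run on the quoted data it reports both packets (tcp/25 and tcp/80), confirming that the ACCEPT rules are not what is deciding these packets' fate; the chain name in the log line tells you where the drop actually happened.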
