[Shorewall-users] Local2local?

Tom Eastep teastep@shorewall.net
Wed, 3 Apr 2002 14:26:06 -0800 (Pacific Standard Time)


On Thu, 4 Apr 2002, Andy.Geraerts@pi.be wrote:

> Hello All!
>
> My situation :
>
> Firewall : 3 nics, LOC, DMZ, NET
> LOC has ip 192.168.7.254
> In the LOC network there is a WAN router 192.168.7.253 which connects to
> network 192.168.1.x
> The clients have the firewall as default gateway.
>
> I get these errors when I try to access a host in 192.168.1.x from
> 192.168.7.x :
>
> Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0
> SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=33004 DF
> PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 RES=0x00 SYN URGP=0
>
> I have no idea where I can enable this? Why are these packets blocked?
>

The firewall is doing exactly what you are telling it to do -- see your
policies below. What happens to loc->loc connection requests? -- they fall
through to the all->all policy.

> Here are my configs :
>
> policy:
> #CLIENT         SERVER          POLICY          LOG LEVEL
> loc             fw              ACCEPT
> fw              loc             ACCEPT
> fw              net             ACCEPT
> loc             net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>

I personally would add

loc		loc		ACCEPT

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
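The point of Tom's reply, as an added illustration that is not part of the original thread: a simplified model of Shorewall's policy-file evaluation (first matching entry wins, `all` matches any zone, the rules file is ignored here) applied to Andy's log line and policy table. The interface-to-zone mapping is an assumption; eth0 is taken to be the loc interface because the SRC address is in 192.168.7.x.

```python
import re

# Assumed interface-to-zone mapping (not stated in the thread; eth0 = loc is
# inferred from SRC=192.168.7.2 in the log line).
IFACE_ZONE = {"eth0": "loc", "eth1": "dmz", "eth2": "net"}

# The log line from the original post, re-joined onto one line.
LOG = ("Apr  4 00:03:37 ANTHEROS kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth0 "
       "SRC=192.168.7.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=33004 DF "
       "PROTO=TCP SPT=1190 DPT=1352 WINDOW=8192 RES=0x00 SYN URGP=0")

# Andy's policy file as posted (client, server, policy), in file order.
ORIGINAL_POLICY = [
    ("loc", "fw", "ACCEPT"), ("fw", "loc", "ACCEPT"), ("fw", "net", "ACCEPT"),
    ("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT"),
]
# The same file with Tom's suggested "loc loc ACCEPT" entry added.
FIXED_POLICY = [("loc", "loc", "ACCEPT")] + ORIGINAL_POLICY


def parse_log(line):
    """Split a Shorewall kernel log line into (chain, verdict, packet fields)."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    chain, verdict, rest = m.groups()
    # Flag-only tokens such as DF and SYN carry no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return chain, verdict, fields


def zones_for(fields):
    """Map the IN/OUT interfaces of a forwarded packet to source/dest zones."""
    return IFACE_ZONE[fields["IN"]], IFACE_ZONE[fields["OUT"]]


def match_policy(policy, src_zone, dst_zone):
    """First matching entry wins; 'all' matches any zone. Returns (chain, action)."""
    for client, server, action in policy:
        if client in (src_zone, "all") and server in (dst_zone, "all"):
            return f"{client}2{server}", action
    return None  # Shorewall always ends with an all/all entry in practice


def classify(line, policy):
    """Return (src_zone, dst_zone, chain, action) for a log line under a policy."""
    _, _, fields = parse_log(line)
    src, dst = zones_for(fields)
    return (src, dst) + match_policy(policy, src, dst)


if __name__ == "__main__":
    print(classify(LOG, ORIGINAL_POLICY))  # loc->loc falls through to all2all REJECT
    print(classify(LOG, FIXED_POLICY))     # loc->loc now hits loc2loc ACCEPT
```

The chain name the model derives for the original table (`all2all`) matches the one in the logged line, which is how you confirm which policy entry produced a given REJECT.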