[Shorewall-users] No netwok printer

martyn martyn@chetnet.co.uk
Fri, 12 Apr 2002 22:34:17 +0100


Hi all

As a complete novice with Linux I'm experiencing a few problems with shorewall.
I cannot gain access to my server's shared directories or the printer on my server.
I have been experimenting with the firewall but am unable to sort it; my configs are attached.

Also I have the below as well, is it anything to worry about?
They have been connected for days; if I kill the PIDs they just reappear. If you look at my blacklist file, I have tried to stop them without success.


tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:30188 SYN_RECV
tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:22604 SYN_RECV
tcp        0      0 chetnet.co.uk:http      207.51.255.221:11303    SYN_RECV
tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:55077 SYN_RECV

Sorry it's so drawn out

thanks in advance

Chet


Attachment: zones

#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
#ZONE	DISPLAY		COMMENTS
bl	Blacklist	List of black-listed hosts and nets
net	Net		Internet
loc	Local		Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Attachment: hosts

#
# Shorewall 1.2 - /etc/shorewall/hosts
#
#	ZONE	- The name of a zone defined in /etc/shorewall/zones
#
#	HOST(S)	- The name of an interface followed by a colon (":") and
#		  either:
#
#			a) The IP address of a host
#			b) A subnetwork in the form
#			   <subnet-address>/<mask width>
#
#		  Examples:
#
#			eth1:192.168.1.3
#			eth2:192.168.2.0/24
#
#	OPTIONS - A comma-separated list of options. Currently-defined
#		  options are:
#
#			routestopped - route messages to and from this
#				       member when the firewall is in the
#				       stopped state
#
#
#ZONE		HOST(S)		OPTIONS
bl	eth0:213.107.50.52
loc	eth1:192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Attachment: interfaces

#
# Shorewall 1.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the short name
#			of a zone defined in /etc/shorewall/zones.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you may
#			place "-" in this column.
#
#	INTERFACE	Name of interface
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank.
#
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started and you must have iproute
#			installed.
#
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - interface is managed by DHCP or used by
#				       a DHCP server running on the firewall.
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses). If packet mangling is
#				       enabled in shorewall.conf, packets
#				       whose destination addresses are
#				       reserved by RFC 1918 are also rejected.
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#			dropunclean  - Logs and drops mangled/invalid packets
#
#			logunclean   - Logs mangled/invalid packets but does
#				       not drop them.
#			blacklist    - Check packets arriving on this interface
#				       against the /etc/shorewall/blacklist
#				       file.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			its IP address via DHCP from subnet
#			206.191.149.192/27 and you want pings from the internet
#			to be ignored. You interface a DMZ with subnet
#			192.168.2.0/24 using eth2. You want to be able to
#			access the firewall from the local network when the
#			firewall is stopped.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	noping,dhcp
#			local	eth1	192.168.1.255	routestopped
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		noping,dhcp
#			loc	eth1	detect		routestopped
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections and you want to ignore ping requests.
#
#			net	ppp0	-		noping
##############################################################################
#ZONE	 INTERFACE	BROADCAST	OPTIONS
bl	 eth0
net	 eth0		detect		noping,dhcp
loc	 eth1		detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Attachment: policy

#
# Shorewall 1.2 -- Policy File
#
# /etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file. For each
#	client/server pair, the file is processed in order until a match is
#	found ("all" will match any client or server).
#
# Columns are:
#
#	CLIENT		Location of client. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	SERVER		Location of server. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			If you don't want to log but need to specify the
#			following column, place "_" here.
#
#	As shipped, the default policies are:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the internet are ignored but logged at syslog
#	   level KERNEL.INFO.
#	c) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
###############################################################################
#CLIENT		SERVER		POLICY		LOG LEVEL
bl		all		DROP
loc		net		ACCEPT
net		all		DROP		info
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Attachment: rules

#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules
#
#
#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	 CLIENT PORT(S) ADDRESS
#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,http -	        all
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 8080 on the firewall (Squid running on the firewall
#		 system) except when the destination address is 192.168.2.2
#
#	#RESULT CLIENTS	SERVER(S) PROTO	PORT(S) CLIENT PORT(S)	ADDRESS
#	ACCEPT	loc	$FW::8080  tcp	www	 -		!192.168.2.2
##############################################################################
#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
#
#DNS STUFF
ACCEPT		fw	  net		tcp	443
ACCEPT		fw	  net		udp	443
ACCEPT		fw	  net		tcp	25
ACCEPT		fw	  net		tcp	domain
ACCEPT		fw	  loc		tcp	domain
ACCEPT		fw	  net		udp	domain
ACCEPT		fw	  loc		udp	domain
ACCEPT		fw	  loc		udp	-		domain
ACCEPT		net	  fw		udp	-		domain
ACCEPT		loc	  fw		tcp	-		113
ACCEPT		net	  fw		tcp	-		443
#
#
# Allow from the local network
ACCEPT		loc	  $FW		tcp	ssh,113
ACCEPT		$FW	  loc		tcp	113
ACCEPT		loc	  $FW		tcp	80
ACCEPT		loc	  $FW		tcp	110
ACCEPT		loc	  $FW		tcp	25
ACCEPT		loc	  $FW		udp	25
ACCEPT		loc	  $FW		tcp	10000
#ACCEPT		loc	  $FW		tcp	23
ACCEPT		loc	  $FW		tcp	135,137:139,445
ACCEPT		loc	  $FW		udp	137:139
#
#
#
# Allow from the internet
ACCEPT		net	  $FW		tcp	ssh,auth,113
ACCEPT		net	  $FW		tcp	80
ACCEPT		$FW	  loc		tcp	113
ACCEPT		net	  $FW		tcp	10000
ACCEPT		net	  $FW		tcp	110
ACCEPT		net	  $FW		tcp	25
ACCEPT		net	  $FW		udp	25
#ACCEPT		net	  $FW		tcp	23
#ACCEPT		$FW	  net		udp	ntp
ACCEPT		net	  $FW		tcp	113
#
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Attachment: blacklist

#
# Shorewall 1.2 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# When a packet arrives on an interface that has the 'blacklist' option
# specified, it is checked against this file and disposed of according to
# the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
66.120.84.0/24
66.120.84.17
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

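Two things in the attached files are worth checking mechanically before touching rules. The blacklist file's own header says it is consulted only on interfaces that carry the `blacklist` option, and the attached interfaces file gives eth0 just `noping,dhcp`; and the interfaces header says an interface that serves several zones (eth0 appears under both `bl` and `net`) should have `-` in the ZONE column with the zones defined in hosts. The policy header also states the evaluation order (rules first, then the first matching policy row, with `all` as a wildcard), which lets one answer "which row decides SMB from the LAN to the firewall?" without reading iptables output. The checker below is an added example, not code from the original post or from Shorewall: the tables are constructed from the active lines of the attachments, the service-name map is a constructed subset of /etc/services, and `fw` as the name `$FW` expands to is an assumption (Shorewall's default).

```python
"""Added example (not from the post or from Shorewall): a checker for
Shorewall 1.2 style zones/interfaces/hosts/policy/rules/blacklist tables."""

# Constructed sample: the active (non-comment) lines of the attached files.
ZONES = """
bl	Blacklist	List of black-listed hosts and nets
net	Net		Internet
loc	Local		Local networks
"""
INTERFACES = """
bl	 eth0
net	 eth0		detect		noping,dhcp
loc	 eth1		detect
"""
HOSTS = """
bl	eth0:213.107.50.52
loc	eth1:192.168.0.0/24
"""
POLICY = """
bl		all		DROP
loc		net		ACCEPT
net		all		DROP		info
all		all		REJECT		info
"""
RULES = """
ACCEPT		loc	  $FW		tcp	ssh,113
ACCEPT		loc	  $FW		tcp	135,137:139,445
ACCEPT		loc	  $FW		udp	137:139
ACCEPT		net	  $FW		tcp	ssh,auth,113
ACCEPT		net	  $FW		tcp	80
"""
BLACKLIST = """
66.120.84.0/24
66.120.84.17
"""

FW = "fw"  # assumption: Shorewall's default firewall zone name, what $FW expands to
# Constructed subset of /etc/services covering the names used in the rules file.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "www": 80, "auth": 113}


def parse(text):
    """Split a Shorewall table into rows of whitespace-separated columns, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def zone(name):
    """Normalise $FW/fw to the firewall zone name and strip any ':address' suffix."""
    name = name.split(":", 1)[0]
    return FW if name in ("$FW", FW) else name


def port_match(spec, port):
    """PORT(S) column: '-' is any port; otherwise comma-separated numbers, names or lo:hi ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif item.isdigit():
            if int(item) == port:
                return True
        elif SERVICES.get(item) == port:
            return True
    return False


def decide(rules, policy, src, dst, proto, port):
    """(action, which table decided): first matching rule wins, else the first policy
    row whose CLIENT/SERVER match ('all' is a wildcard), as the policy header states."""
    src, dst = zone(src), zone(dst)
    for r in rules:
        rproto = r[3] if len(r) > 3 else "all"
        rport = r[4] if len(r) > 4 else "-"
        if zone(r[1]) == src and zone(r[2]) == dst and rproto in (proto, "all") and port_match(rport, port):
            return r[0], "rules"
    for p in policy:
        if zone(p[0]) in (src, "all") and zone(p[1]) in (dst, "all"):
            return p[2], "policy"
    return "REJECT", "no policy row"


def undefined_zones(zones, interfaces, hosts, policy, rules):
    """Zone names used in any table but not defined in the zones file."""
    known = {r[0] for r in zones} | {FW, "all"}
    used = {r[0] for r in interfaces if r[0] != "-"} | {r[0] for r in hosts}
    used |= {zone(p[0]) for p in policy} | {zone(p[1]) for p in policy}
    used |= {zone(r[1]) for r in rules} | {zone(r[2]) for r in rules}
    return sorted(used - known)


def interfaces_with_option(interfaces, option):
    """Interfaces whose OPTIONS column (4th) contains the given option."""
    return sorted(r[1] for r in interfaces if len(r) > 3 and option in r[3].split(","))


def multi_zone_interfaces(interfaces):
    """Interfaces listed under more than one zone (the header says to use '-' and hosts instead)."""
    seen = {}
    for r in interfaces:
        seen.setdefault(r[1], []).append(r[0])
    return {ifc: zs for ifc, zs in seen.items() if len(zs) > 1}


def lint(zones, interfaces, hosts, policy, rules, blacklist):
    """Collect findings as plain strings."""
    findings = [f"zone '{z}' is used but not defined in zones"
                for z in undefined_zones(zones, interfaces, hosts, policy, rules)]
    if blacklist and not interfaces_with_option(interfaces, "blacklist"):
        findings.append("blacklist has entries but no interface carries the 'blacklist' option")
    for ifc, zs in multi_zone_interfaces(interfaces).items():
        findings.append(f"{ifc} is listed under several zones {zs}; use '-' and define them in hosts")
    return findings


if __name__ == "__main__":
    tables = [parse(t) for t in (ZONES, INTERFACES, HOSTS, POLICY, RULES, BLACKLIST)]
    for finding in lint(*tables):
        print("finding:", finding)
    policy, rules = tables[3], tables[4]
    # Flows the post is about: SMB to shares on the firewall, plus an IPP printer port.
    for flow in (("loc", "$FW", "tcp", 445), ("loc", "$FW", "udp", 137), ("loc", "$FW", "tcp", 631)):
        print(flow, "->", decide(rules, policy, *flow))
```

Running it on the constructed tables yields two findings (the unused blacklist and the doubly-listed eth0) and shows that tcp/445 and udp/137 from `loc` to the firewall are accepted by the rules file while tcp/631 falls through to the `all all REJECT` policy row; `decide` only looks at the PORT(S) column, so rules that restrict the CLIENT PORT(S) column are treated as matching any destination port.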
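On the SYN_RECV question: a socket in that state is a half-open connection the kernel has answered with SYN-ACK and is still waiting to complete. No process owns it yet, which is why `netstat -p` shows no PID for such entries and why "killing" them has no effect; the kernel retires them on its own after its SYN-ACK retries expire. What matters for a defender is how many a single remote host holds open at once, and whether SYN cookies are enabled so that a flood of them cannot exhaust the listen queue. The script below is an added example, not part of the original post: it parses netstat-style lines, counts half-open entries per peer, and reads the Linux `tcp_syncookies` sysctl. The sample copies the post's four lines plus one constructed ESTABLISHED line, and the threshold of three is an assumption.

```python
"""Added example (not from the post): summarise half-open (SYN_RECV)
connections per remote host from `netstat -tn` style output."""

# Constructed sample: the four lines from the post plus one established session.
NETSTAT = """\
tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:30188 SYN_RECV
tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:22604 SYN_RECV
tcp        0      0 chetnet.co.uk:http      207.51.255.221:11303    SYN_RECV
tcp        0      0 chetnet.co.uk:http      adsl-66-120-84-17:55077 SYN_RECV
tcp        0      0 chetnet.co.uk:ssh       192.168.0.10:1034       ESTABLISHED
"""


def parse_netstat(text):
    """Return (local, peer_host, peer_port, state) for tcp lines; other lines are ignored."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):
            host, port = f[4].rsplit(":", 1)  # split on the last ':' so IPv6 peers survive
            conns.append((f[3], host, port, f[5]))
    return conns


def half_open_by_peer(conns):
    """Count SYN_RECV entries per remote host; established sessions are not counted."""
    counts = {}
    for _local, host, _port, state in conns:
        if state == "SYN_RECV":
            counts[host] = counts.get(host, 0) + 1
    return counts


def noisy_peers(counts, threshold=3):
    """Peers holding at least `threshold` half-open connections at once (threshold is assumed)."""
    return sorted(h for h, n in counts.items() if n >= threshold)


def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Linux only: True/False from the sysctl, or None when it cannot be read (other OS, no permission)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    counts = half_open_by_peer(parse_netstat(NETSTAT))
    print("half-open per peer:", counts)
    print("peers at or above threshold:", noisy_peers(counts))
    print("tcp_syncookies enabled:", syncookies_enabled())
```

Feed it `netstat -tn` output and it reports the per-peer picture; a few half-open entries that come and go are normal on any reachable web port, while a large count from one peer that never completes is the pattern SYN cookies are there to absorb.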