[Shorewall-users] Policy Rules not working as expected

nowak@ebi-service.de
Thu, 25 Apr 2002 10:29:23 +0200


Hi, I have a Linux router with two NICs, eth0 and eth1. eth0 is connected to the
internet and behind eth1 are several subnets.

My hosts file looks like this:

#ZONE           HOST(S)                 OPTIONS
dinslaken       eth0:10.95.0.0/16       routestopped
moers           eth0:10.96.0.0/16       routestopped
dortmund        eth0:10.97.0.0/16       routestopped
pdv             eth0:192.168.100.0/24   routestopped
token           eth0:149.202.30.0/16    routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

My interface file:

#ZONE           INTERFACE       BROADCAST       OPTIONS
net             eth1            detect          routestopped,noping
-               eth0            detect          multi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And my policy file looks like this:

net             all             DROP            info
all             all             REJECT          info
dinslaken       all             DROP            info
moers           net             DROP
dortmund        net             DROP
pdv             net             DROP
token           net             DROP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The strange thing is that when I start shorewall this message is generated:

Processing /etc/shorewall/policy...
   Policy REJECT for fw to net.
   Policy DROP for net to fw.
   Policy DROP for net to dinslaken.
   Policy REJECT for dinslaken to fw.
   Policy REJECT for dinslaken to net.
   Policy REJECT for moers to net.
   Policy REJECT for dortmund to net.
   Policy REJECT for pdv to net.
   Policy REJECT for token to net.

Why is the policy REJECT, and why is it logged?

Apr 25 10:09:25 intra kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth1 SRC=10.95.30.20 DST=207.46.226.34 LEN=76 TOS=0x00 PREC=0x00 TTL=126 ID=11 PROTO=UDP SPT=123 DPT=123 LEN=56

Any help would be nice.

Thanks, Bernd
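An added illustration, not part of Bernd's message and not Shorewall's own code: Shorewall reads /etc/shorewall/policy top to bottom and applies the first line whose source and destination columns match a zone pair, so the `all all REJECT` on line 2 captures every pair the later DROP lines were written for, and the `all2all` chain in the logged packet comes from that line. The script below models that first-match lookup on the posted file; the zone names and policy text are taken from the message, the function names are the example's own.

```python
# Added example (not Shorewall's own code): a minimal model of how Shorewall
# walks /etc/shorewall/policy top to bottom and takes the FIRST matching line.
POSTED_POLICY = """\
net             all             DROP            info
all             all             REJECT          info
dinslaken       all             DROP            info
moers           net             DROP
dortmund        net             DROP
pdv             net             DROP
token           net             DROP
"""

def parse_policy(text):
    """Return (line, source, dest, action, loglevel) tuples, skipping comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            log = fields[3] if len(fields) > 3 else None
            rules.append((lineno, fields[0], fields[1], fields[2], log))
    return rules

def covers(pattern, zone):
    """'all' in a policy column matches every zone; otherwise names must match."""
    return pattern == "all" or pattern == zone

def resolve(rules, src, dst):
    """First matching policy wins; chain name follows Shorewall's src2dst scheme."""
    for lineno, psrc, pdst, action, log in rules:
        if covers(psrc, src) and covers(pdst, dst):
            return {"line": lineno, "action": action, "log": log,
                    "chain": f"{psrc}2{pdst}"}
    return None

def shadowed(rules):
    """Lines that can never match because an earlier line already covers them."""
    dead = []
    for i, (lineno, src, dst, _, _) in enumerate(rules):
        if any(covers(psrc, src) and covers(pdst, dst)
               for _, psrc, pdst, _, _ in rules[:i]):
            dead.append(lineno)
    return dead

def catchall_last(rules):
    """Move 'all all' lines to the end so the specific policies can match first."""
    return ([r for r in rules if (r[1], r[2]) != ("all", "all")]
            + [r for r in rules if (r[1], r[2]) == ("all", "all")])

if __name__ == "__main__":
    rules = parse_policy(POSTED_POLICY)
    print(resolve(rules, "dinslaken", "net"), shadowed(rules))  # REJECT via all2all; [3, 4, 5, 6, 7]
    print(resolve(catchall_last(rules), "dinslaken", "net"))    # DROP via dinslaken2all
```

With the catch-all moved to the bottom, `shadowed()` returns an empty list and the dinslaken-to-net lookup lands on the intended DROP line.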
