[Shorewall-users] Shorewall not recognizing 'fw'?

FancyLad fancylad@myrealbox.com
Mon, 28 Jan 2002 20:30:17 -0500


Greetings,
	I was having problems with my Shorewall setup and I was 
wondering if it's because Shorewall is not properly identifying packets 
that are destined for the fw.  Long story short, my shorewall is my 
main linux box that I use for most of my day to day stuff (can't afford 
another box for dedicated firewall I'm afraid, so this is better than 
nothing).  I have a usb adsl modem that I have connected on ppp0.  My 
windows box (used for TFC and StarCraft <grin>) can't connect to my 
firewall (ssh, telnet, ftp, dns, etc...)  Likewise my firewall can't 
smbclient to my windows box because the return packets are being 
dropped in the all2all chain.  Below are some files:

./zones
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized zone


./policy
loc             all             ACCEPT
fw              all             ACCEPT
net             all             DROP            info
all             all             REJECT          info

./rules
ACCEPT          net       fw            tcp     ssh,auth

./interfaces
net     ppp0    detect  norfc1918,dhcp
loc     eth0    detect

./masq
ppp0    eth0

./tos
default

./hosts ./nat ./params ./proxyarp ./tcrules ./tunnels
all empty


When I try to do a dns request from my windows box to my shorewall 
machine (which is running a dns proxy) I get the following in 
/var/log/messages:

Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24278 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24279 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24280 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24281 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24282 PROTO=UDP SPT=3864 DPT=53 LEN=42

It's apparent that it's being dropped because it's matching the all2all 
chain, but shouldn't it match the loc2fw chain?  10.0.0.2 is my win box 
and 10.0.0.1 is my shorewall box.

Thanks for any help on this, and I hope I didn't include too much of my 
config files (gotta strike that delicate balance between giving enough 
info for ppl to help, but at the same time you don't want to do 
something like include your entire sendmail.cf--although I've no idea 
why I'd want to send that one to this list <grin>)

Thanks everyone!
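A small triage script for the kind of log shown above, added here as an example and not part of the original post or of Shorewall itself: it parses the Shorewall kernel log format (`Shorewall:<chain>:<action>:key=value ...`), derives the zone pair of each packet from the interface-to-zone map in the poster's ./interfaces file (assumed as `IFACE_ZONE`) and the firewall's own addresses (`FW_ADDRS`; 203.0.113.9 is a constructed placeholder for the ppp0 address), and flags entries where traffic with an identifiable zone pair such as loc2fw was handled by the all2all catch-all chain. The sample log is constructed in the same format as the one in the post.

```python
import re
from collections import Counter

# Assumed from the post's ./interfaces file: interface -> zone.
IFACE_ZONE = {"ppp0": "net", "eth0": "loc"}
# The firewall's own addresses: 10.0.0.1 from the post, 203.0.113.9 a constructed ppp0 placeholder.
FW_ADDRS = {"10.0.0.1", "203.0.113.9"}

# Constructed sample in the same format as the Shorewall kernel log quoted
# in the post (the post's own /var/log/messages lines work unchanged).
SAMPLE_LOG = """\
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24278 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:17:49 rand kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:90:27:76:cf:25:00:80:c8:de:73:3c:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=24279 PROTO=UDP SPT=3864 DPT=53 LEN=42
Jan 28 20:18:03 rand kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.7 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=512 PROTO=TCP SPT=4444 DPT=23
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return chain, action and the key=value packet fields of one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, val)  # LEN appears twice (IP then UDP header); keep the IP value
    return rec

def zone_pair(rec):
    """Zone pair of a packet (e.g. loc2fw) from its IN/OUT interface and destination."""
    src = IFACE_ZONE.get(rec.get("IN", ""), "?")
    dst = "fw" if rec.get("DST") in FW_ADDRS else IFACE_ZONE.get(rec.get("OUT", ""), "?")
    return f"{src}2{dst}"

def summarize(log_text):
    """Count (logged chain, zone pair, action, src, dst, proto, dport) tuples."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], zone_pair(rec), rec["action"], rec.get("SRC", ""),
                rec.get("DST", ""), rec.get("PROTO", ""), rec.get("DPT", ""))] += 1
    return counts

if __name__ == "__main__":
    for (chain, pair, action, src, dst, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        flag = f"  <-- catch-all hit for {pair} traffic" if chain == "all2all" and "?" not in pair else ""
        print(f"{n:3d} {chain}:{action} {src}->{dst} {proto}/{dpt}{flag}")
```

Run against the real /var/log/messages, the flagged lines show exactly the mismatch the post asks about: loc-to-firewall packets that ended in all2all instead of the loc2fw path.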