[Shorewall-users] Forwarding through networks

Marshal McInnis Marshal at tgpc.us
Mon Mar 21 09:51:55 PST 2005

Yes, the router is on and it's also on and
it all routes ok. I just want it to transfer traffic from the
ftp server to network 

-----Original Message-----
From: shorewall-users-bounces at lists.shorewall.net
[mailto:shorewall-users-bounces at lists.shorewall.net] On Behalf Of Tom
Sent: Friday, March 18, 2005 5:18 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Forwarding through networks

Marshal McInnis wrote:
> ACCEPT          fw              inet             tcp     53
> ACCEPT          fw              inet             udp     53
> ACCEPT          loc             inet             tcp     53
> ACCEPT          loc             inet             udp     53
> ACCEPT          loc             inet             all
> ACCEPT          inet            loc              all
> DNAT            inet            loc:    tcp     443
> DNAT            inet            loc:    tcp     80
> DNAT            inet            loc:    tcp     21
> DNAT            inet            loc:    tcp     25,110
> DNAT            inet            loc:    tcp     123
> DNAT            inet            loc:    tcp     1723
> DNAT            inet            loc:    tcp     3389
> DNAT            inet            loc:    tcp     4125
> DNAT            inet            loc:    tcp     1723
> DNAT            inet            loc:    47      -

Shorewall has 29 configuration files. Typical users modify at least 4 of

> eth0                inet addr:  Bcast:
> Mask:
> eth1                inet addr:  Bcast:
> Mask:
> eth2                inet addr:  Bcast:
> Mask:

The above is interesting but incomplete.

Is your firewall the default gateway for both the and networks? If not, then this goes back to the same question
that I asked you to start with: *What do the routing tables look like on
the hosts in the two networks? In other words, do these hosts know how
to route traffic to the other network?*

Marshal, a router cannot route packets that are never sent to it. And a
firewall can never allow connections that it is never asked to rule on.
So things must be configured so that traffic between the two networks
goes through your Shorewall router/firewall -- *it doesn't happen by

Masquerade/SNAT and DNAT rules can make up for lack of proper routing
but WE NEED TO KNOW if your routing is adequate before we can advise

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Shorewall-users mailing list
Post: Shorewall-users at lists.shorewall.net
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
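Tom's routing question can be answered mechanically on each host. The following is an added example, not code from the thread or from Shorewall: it parses `ip route show` output (a constructed sample; the firewall address 192.168.1.1 and the 192.168.1.0/24 and 192.168.2.0/24 networks are placeholders) and reports, by longest-prefix match, which next hop a host would use for a destination and whether that next hop is the firewall.

```python
import ipaddress

# Constructed sample of `ip route show` from a host on a hypothetical
# 192.168.1.0/24 LAN. The Shorewall box is assumed to be 192.168.1.1, but the
# host's default gateway is a different router (192.168.1.254).
SAMPLE_ROUTES = """\
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
192.168.2.0/24 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Parse `ip route` lines into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes

def next_hop(routes, destination):
    """Longest-prefix match: (gateway, device) the host would use, or None.
    A gateway of None means the destination is on-link and no router sees it."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def routes_via_firewall(routes, destination, firewall_ip):
    """True only if the chosen next hop is the firewall; otherwise the firewall
    is never asked to rule on this traffic and its rules cannot apply."""
    hop = next_hop(routes, destination)
    return hop is not None and hop[0] == firewall_ip

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for dst in ("192.168.2.10", "10.0.0.5", "192.168.1.30"):
        print(dst, next_hop(routes, dst), routes_via_firewall(routes, dst, "192.168.1.1"))
```

Run the same check with the real `ip route show` output from a host on each network; a destination on the other network whose next hop is not the firewall explains why the DNAT and ACCEPT rules never see that traffic.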
