**SUPPORT** Personal Firewall with Shorewall Tutorial

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
274 posts, page 11 of 11
Post by supernick_84 » Wed Feb 22, 2006 5:43 pm

I'm having trouble connecting to an FTP server with my laptop. I've installed shorewall on my desktop computer according to your HOWTO (which is very nice!) and it works fine there.

Could it be that the problem is that I have 2 interfaces?

Anyway, this is the error I get:

Code:

ftp users.pandora.be
Connected to users.pandora.be.
220 Telenet-ops FTP Server
Name (users.pandora.be:nick): xxxxxx
500 AUTH not understood
SSL not available
331 Password required for xxxxxx
Password:
230 User xxxxxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out
Here's my /etc/shorewall/rules:

Code:

ACCEPT   fw             net             tcp     80   #http
ACCEPT   fw             net             udp     80   #http
ACCEPT   fw             net             tcp     443  #https
ACCEPT   fw             net             udp     443  #https
ACCEPT   fw             net             tcp     21,20   #ftp
ACCEPT   fw             net             tcp     53   #DNS
ACCEPT   fw             net             udp     53   #DNS
ACCEPT   fw             net             tcp     110  #unsecure Pop3
ACCEPT   fw             net             tcp     995  #Secure Pop3
ACCEPT   fw             net             tcp     873  #rsync
ACCEPT   fw             net             tcp     25   #unsecure SMTP
ACCEPT   fw             net             tcp     465  #SMTP over SSL
ACCEPT   fw             net             tcp     6667 #IRC
ACCEPT   fw             net             tcp     1863 #GAIM
Here's the /etc/shorewall/interfaces:

Code:

#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
#
net     eth0            detect          dhcp,nosmurfs
net     wlan0           detect          dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The policy says:

Code:

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
And the zones:

Code:

#ZONE                   DISPLAY         COMMENTS
net                     internet        the big and bad internet
Does anyone have an idea why I can't connect to FTP servers? (Using gFTP or the ftp command)
Thanks in advance!
Post by nagual » Fri Feb 24, 2006 3:25 am

After following the tutorial, I get this:

Code:

gentoo ~ # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
   CLASSIFY Target: Available
Determining Zones...
   ERROR: No ipv4 or ipsec Zones Defined
Terminated
Any suggestions?
Post by nagual » Fri Feb 24, 2006 1:48 pm

Should I just add in the REDIRECT? I am only trying to open port 80 on that box, since it just sits there and folds.
Post by supernick_84 » Mon Feb 27, 2006 8:34 am

Did you define a zone in /etc/shorewall/zones?
Post by nagual » Mon Feb 27, 2006 1:52 pm

I'm pretty sure I did. I will post my configs when I get home.
Bittorrent & Shorewall


Post by davmonster » Thu Mar 02, 2006 6:58 am

After following this personal internet firewall HOWTO I struggled for a bit trying to get bittorrent to work.

This is how I got it working:

/etc/shorewall/policy:

Code:

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net            ACCEPT
net             all             DROP            info
all              all             REJECT          info
#LAST LINE -- DO NOT REMOVE
I realise this is a security risk in that it allows outbound connections, but it seems that the standard bittorrent client connects to unpredictable high-level ports on the other bt clients, and so this cannot be helped.

You'll also have to put this in your /etc/shorewall/rules file:

Code:

..
BitTorrent/ACCEPT       net     fw
..
This is a macro to accept connections on tcp ports 6881:6889, which is also needed for a BitTorrent client. Please let me know if you find a way of running BT without letting all outbound connections through.

- Dav
Post by pressenter » Sun Apr 16, 2006 4:49 pm

I have such a problem with my shorewall:

Code:

 * Starting firewall ...
   ERROR: No ipv4 or ipsec Zones Defined
/etc/init.d/shorewall: line 14: 24479 Zakończony              /sbin/shorewall start >/dev/nu  [ !! ]
What to do?
Post by patroy » Mon Apr 17, 2006 2:26 am

If you are using shorewall 3.x, a few things have changed since the "tutorial" was written.
I'm still trying to figure them all out.
Though that error was fixed by adding the following to /etc/shorewall/zones:

Code:

net     ipv4
I just inserted that after the

Code:

fw      firewall
Hope that helps.
It's all about finger strength, baby.
SpongeBob SquarePants
*confused*


Post by to_kallon » Tue Apr 18, 2006 12:54 am

Hello everyone.
Sith, great guide, thanks mate.
I've run into a problem. I've seen a few people post about it, but nothing I've tried has worked. I hit a few of the upgrade problems everyone has mentioned, but once shorewall got started everything seemed OK; I could ssh in and out just like I wanted to. But it turned out that was the only thing I could do. I cannot ping servers/view webpages, which may be the central problem; I also cannot emerge anything. I get this error:

Code:

Resolving gentoo.chem.wisc.edu... failed: Temporary failure in name resolution.
Here is my /etc/shorewall/rules file:

Code:

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
ACCEPT  fw              net             tcp     80      #http-out
ACCEPT  fw              net             udp     80
ACCEPT  fw              net             tcp     443     #https-out
ACCEPT  fw              net             udp     443
ACCEPT  net             fw              tcp     80      #http-in
ACCEPT  net             fw              udp     80
#
ACCEPT  fw              net             tcp     22      #ssh-out
ACCEPT  net             fw              tcp     22      #ssh-in
#
ACCEPT  net             fw              udp     8767    #teamspeak
ACCEPT  net             fw              tcp     14534   #ts webadmin
#
ACCEPT  fw              net             tcp     873     #rsync-out
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Since I'm able to ssh, my assumption is I've made an error here somewhere. Strangely, it is allowing 8767 through to my teamspeak server. At this point I've not tried to hit a served web page, so I can't speak to in-bound http working.
Does anything jump out as being wrong? Thanks in advance.
Post by patroy » Tue Apr 18, 2006 1:36 am

I've just recently set up and configured my firewall via shorewall. I had numerous problems and figured them all out by going to the shorewall website and reading through almost all of their docs. I was having a problem with connecting to the net until I changed my policy to:

Code:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
This essentially allows all connections from my firewall to the net to exist, and drops all incoming connections not set up in rules.
My rules are simply:

Code:

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DROP     net            fw              tcp     113     #AUTH/IDENT
ACCEPT   net            fw              tcp     ****    #Secure Shell
ACCEPT   net            fw              tcp     13269   #Gtk-Gnutella
ACCEPT   net            fw              udp     13269   #Gtk-Gnutella
ACCEPT   net            fw              tcp     1863    #Gaim
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I remember reading something about how, if you are upgrading from a 2.X shorewall to the 3.X, you need to decide if you are going to use the ipsec or zones info. My zones are:

Code:

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
I've tested it all and everything is running smoothly.
Hope this helps.
It's all about finger strength, baby.
SpongeBob SquarePants
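To see why the rule sets posted above behave as they do, here is a small Python evaluator, added to this thread as an example; it is not code from Shorewall or from the tutorial. It reads the policy and rules columns the way the posts use them (ACTION SOURCE DEST PROTO DEST PORT, trailing comments, SECTION lines, $FW, and the MACRO/ACTION form from davmonster's post) and answers what happens to a given flow. Two flows from the thread are wired in: supernick_84's FTP data channel, which fails in both active and passive mode unless the kernel's FTP conntrack helper marks it RELATED (his rules open only ports 21 and 20, and nothing opens the high port the data channel actually uses), and to_kallon's DNS lookups, which his rules never allow and which patroy's fw -> net ACCEPT policy lets through. The MACROS table, the zone and port matching, the RELATED shortcut, the sample rule sets (trimmed excerpts of what was posted) and the port number 40000 are all this example's own simplifications and constructed inputs, not Shorewall's implementation.

```python
# Toy evaluator for Shorewall-style policy and rules tables (added example,
# not Shorewall's code): ESTABLISHED/RELATED shortcut, NEW rules in order,
# then the first matching policy line.
from dataclasses import dataclass

# Constructed subset of Shorewall's macros, reduced to (proto, dest ports).
MACROS = {"DNS": [("udp", "53"), ("tcp", "53")], "FTP": [("tcp", "21")],
          "BitTorrent": [("tcp", "6881:6889"), ("udp", "6881:6889")]}

@dataclass
class Flow:
    src: str            # zone the connection starts in ("fw", "net", ...)
    dst: str            # zone it is going to
    proto: str          # "tcp", "udp", "icmp"
    dport: int          # destination port
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

def _ports_match(spec, port):
    """DEST PORT column: '-', '80', '21,20' or a range such as '6881:6889'."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _zone_matches(spec, zone):
    spec = "fw" if spec == "$FW" else spec   # $FW is the firewall zone itself
    return spec in ("all", zone)

def _rows(text):
    """Split a Shorewall table into columns, dropping comments and blank lines."""
    lines = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [cols for cols in lines if cols]

def parse_rules(text):
    """(action, src, dst, proto, dports) per row; MACRO/ACTION rows fan out."""
    rules = []
    for row in _rows(text):
        if row[0] == "SECTION":          # state sections are modelled in evaluate()
            continue
        action, src, dst = row[:3]
        if "/" in action:
            macro, action = action.split("/", 1)
            rules += [(action, src, dst, p, d) for p, d in MACROS[macro]]
        else:
            proto = row[3] if len(row) > 3 else "all"
            rules.append((action, src, dst, proto, row[4] if len(row) > 4 else "-"))
    return rules

def parse_policy(text):
    return [(r[0], r[1], r[2]) for r in _rows(text)]

def evaluate(flow, rules, policy):
    """Verdict Shorewall's generated chains would reach for `flow`."""
    if flow.state in ("ESTABLISHED", "RELATED"):   # accepted before any NEW rule
        return "ACCEPT"
    for action, src, dst, proto, dports in rules:
        if (_zone_matches(src, flow.src) and _zone_matches(dst, flow.dst)
                and proto in ("all", "-", flow.proto) and _ports_match(dports, flow.dport)):
            return action
    for src, dst, action in policy:
        if _zone_matches(src, flow.src) and _zone_matches(dst, flow.dst):
            return action
    return "DROP"   # Shorewall refuses to start without a catch-all; assume the worst

# Constructed excerpts of the rules supernick_84 and to_kallon posted.
SUPERNICK_RULES = """
ACCEPT  fw   net   tcp   80      #http
ACCEPT  fw   net   tcp   21,20   #ftp
ACCEPT  fw   net   tcp   53      #DNS
ACCEPT  fw   net   udp   53      #DNS
"""
TO_KALLON_RULES = """
SECTION NEW
ACCEPT  fw   net   tcp   80      #http-out
ACCEPT  fw   net   tcp   22      #ssh-out
ACCEPT  net  fw    tcp   22      #ssh-in
ACCEPT  fw   net   tcp   873     #rsync-out
"""
RESTRICTIVE_POLICY = "net all DROP info\nall all REJECT info\n"
PERMISSIVE_POLICY = "fw net ACCEPT\n" + RESTRICTIVE_POLICY   # patroy's change

def ftp_data_verdicts(rules_text, policy_text, helper_loaded):
    """Verdicts for the FTP data channel in active (PORT) and passive (PASV) mode.
    With ip_conntrack_ftp loaded the kernel ties the data channel to the port-21
    control session and marks it RELATED; without it, it is a NEW connection
    to an unpredictable high port that no posted rule covers."""
    rules, policy = parse_rules(rules_text), parse_policy(policy_text)
    state = "RELATED" if helper_loaded else "NEW"
    active = Flow("net", "fw", "tcp", 40000, state)    # server connects back to us
    passive = Flow("fw", "net", "tcp", 40000, state)   # we connect out to the server
    return {"active": evaluate(active, rules, policy),
            "passive": evaluate(passive, rules, policy)}

def dns_verdict(rules_text, policy_text):
    """Fate of an outbound UDP/53 lookup under this rules/policy pair."""
    return evaluate(Flow("fw", "net", "udp", 53),
                    parse_rules(rules_text), parse_policy(policy_text))

if __name__ == "__main__":
    print(ftp_data_verdicts(SUPERNICK_RULES, RESTRICTIVE_POLICY, False))  # both blocked
    print(ftp_data_verdicts(SUPERNICK_RULES, RESTRICTIVE_POLICY, True))   # both ACCEPT
    print(dns_verdict(TO_KALLON_RULES, RESTRICTIVE_POLICY), dns_verdict(TO_KALLON_RULES, PERMISSIVE_POLICY))
```

The FTP case is the instructive one: with the restrictive policy the active-mode data connection is dropped by the net -> all DROP line and the passive-mode one is rejected by all -> all REJECT, and patroy's fw -> net ACCEPT fixes only passive mode. Active mode works without opening high ports only when the data channel is RELATED, which is the job of the FTP conntrack helper rather than of any rules line.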
Post by to_kallon » Tue Apr 18, 2006 1:51 am

That seems to have done the trick. Thanks!
Post by arabis » Wed May 17, 2006 10:55 pm

With my notebook, I want to be able to use a dialup connection with Shorewall. So far I succeeded, but recently after some update, when I start my laptop with no ethernet cable plugged in, I get:

Code:

* WARNING:  shorewall is scheduled to start when net.eth0 has started.
When the dial-up connection is established, if I try to start Shorewall manually, it gives the same answer and refuses to start, and I get an unsecured ppp connection.
What can I do to correct this situation?
Acer Ferrari 4002 WLMI fr
AMD64, Turion ML-30
ATI Mobility X700
DVDR double couche
Post by iusebash » Mon May 29, 2006 5:16 am

I am on the first part, and I am already stuck.

From the tutorial:

Code:

# For 2.6 kernels look under:

Device Drivers --->
  Networking support --->
    Networking options --->
      [*] Network packet filtering (replaces ipchains) --->
        IP: Netfilter Configuration --->
          <*> Connection tracking (required for masq/NAT)
          <*> IP Tables Support (required for filtering/masq/NAT)
# Include (<*> not <M>) all options and sub options under IP

My IP: Netfilter Configuration:

Code:

IP: Netfilter Configuration

<*> Connection tracking (required for masq/NAT)
[ ]   Connection tracking flow accounting
[ ]   Connection mark tracking support
[ ]   Connection tracking events (EXPERIMENTAL)
< >   SCTP protocol connection tracking support (EXPERIMENTAL)
< >   FTP protocol support
< >   IRC protocol support
< >   NetBIOS name service protocol support (EXPERIMENTAL)
< >   TFTP protocol support
< >   Amanda backup protocol support
< >   PPTP protocol support
<*> IP Userspace queueing via NETLINK (OBSOLETE)
There is no 'IP Tables Support (required for filtering/masq/NAT)'!

I did a search:

Code:

Search Results

Symbol: IP_NF_TARGET_MASQUERADE [=n]
Prompt: MASQUERADE target support
  Defined at net/ipv4/netfilter/Kconfig:407
  Depends on: NET && INET && NETFILTER && IP_NF_NAT
  Location:
    -> Networking
      -> Networking support (NET [=y])
        -> Networking options
          -> Network packet filtering (replaces ipchains) (NETFILTER [=y])
            -> IP: Netfilter Configuration
              -> IP tables support (required for filtering/masq/NAT) (IP_N
                -> Full NAT (IP_NF_NAT [=n])
It says there is 'IP tables support' under IP: Netfilter Configuration. As you see from the first code, it isn't on the list. WTF?
Post by NotQuiteSane » Mon Jul 17, 2006 7:42 am

I'm trying to follow the guide, but am stuck on section 2. Since the kernel outline has changed since the guide was written, I'm a bit confused.

Here is what I have under "Networking":

Code:

#
# Networking
#
CONFIG_NET=y

#
# Networking options
#
# CONFIG_NETDEBUG is not set
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_ADVANCED=y
#
# TCP congestion control
#
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_CUBIC=m
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
# CONFIG_TCP_CONG_HSTCP is not set
# CONFIG_TCP_CONG_HYBLA is not set
# CONFIG_TCP_CONG_VEGAS is not set
# CONFIG_TCP_CONG_SCALABLE is not set

#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

#
# DCCP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP is not set

#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set

#
# TIPC Configuration (EXPERIMENTAL)
#
# CONFIG_TIPC is not set
CONFIG_ATM=m
# CONFIG_ATM_CLIP is not set
# CONFIG_ATM_LANE is not set
# CONFIG_ATM_BR2684 is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
CONFIG_NET_CLS_ROUTE=y

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_IEEE80211 is not set
Are the options correctly set (and I can go ahead and compile), or are changes needed (and if so, where)?

I've left kernel items marked "EXPERIMENTAL" unselected.

IF it matters for kernel setup, I'm building a 4-legged firewall/router: Red (internet), Green (filtered to linux boxes), Orange (unfiltered (DMZ) to windows boxes*) and Black to print server (accessible by Green and Orange only).

NQS

* Doze boxes belong to roommate and he has explicitly stated he wants no firewall of any kind.
These opinions are mine, mine I say! Piss off and get your own.

As I see it -- An irregular blog, Improved with new location

To delete French language packs from system use 'sudo rm -fr /'
Post by NotQuiteSane » Wed Jul 19, 2006 4:47 am

Found a gotcha. I don't think it's been reported.

On my firewall, I have use flag "minimal" set. This needs to be deactivated for iproute2. Putting it in package.use worked.

NQS
These opinions are mine, mine I say! Piss off and get your own.

As I see it -- An irregular blog, Improved with new location

To delete French language packs from system use 'sudo rm -fr /'
Post by Netfeed » Sat Jul 22, 2006 1:31 pm

I'm getting this error when I'm trying to start shorewall:

Code:

root@nakor[~]: /etc/init.d/shorewall start
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...
iptables: Unknown error 4294967295
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
/etc/init.d/shorewall: line 14: 19546 Terminated              /sbin/shorewall -f start >/dev/null    
Anyone that has an idea how to fix it?
tie me up, spank me hard and call me virgin mary
Post by Beefrum » Sat Jul 22, 2006 1:38 pm

Re to netfeed:
Current iptables options in kernel-configuration are probably missing some abilities.
Give adaptive answers to unknown problems!
Post by Netfeed » Sat Jul 22, 2006 2:17 pm

Beefrum wrote:
Re to netfeed:
Current iptables options in kernel-configuration are probably missing some abilities.

Yeap, works like a charm now.

ty
tie me up, spank me hard and call me virgin mary
ip6_tables solution


Post by happyduck » Mon Jul 24, 2006 2:10 pm

Bear The Barbarian wrote:I apologize for revisiting a topic that's been hit on before, but I just can't seem to get this to work.

Whenever I try /etc/init.d/shorewall start, I get

Code:

/etc/init.d/shorewall start
 * Starting firewall ...
FATAL: Module ip_tables not found.
iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   ERROR: Command "/sbin/iptables -P INPUT DROP" Failed
FATAL: Module ip6_tables not found.
ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version
Perhaps ip6tables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version
Perhaps ip6tables or your kernel needs to be upgraded.
... The error repeats a lot in here, and then ...
iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/init.d/shorewall: line 14: 26201 Terminated              /sbin/shorewall start >/dev/null
(This is my first post so please bear with me.)

I also had the problem with ip6_tables with my 2.6.10-r6 kernel. As far as I remember I did the following to solve it, after having followed sith_happens' guide to the letter:
1. Entirely removed ipv6 support from the kernel.
2. Told Shorewall *not* to ignore ipv6 support in the kernel.
3. Rebooted.

In more detail:
1. Remove ipv6 stuff from the kernel:

Code:

Device drivers --->
  Networking support --->
    [ ] The IPv6 protocol (EXPERIMENTAL)
Exit and save the configuration.
Bear The Barbarian wrote:
I'm using genkernel. I've checked to make sure that all the options under IP Tables Support were checked (compiled into the kernel, not as modules), and I've even checked everything under IP: Netfilter Configuration submenu just for good measure. Am I just missing an option somewhere? I'm kind of noobish for this, so it could be an incredibly simple mistake.
I do not use genkernel, but the steps in the Gentoo Handbook (x86), chapter 7 if I am not mistaken, should carry you through if you do. (Remember to point your boot loader to the new kernel.)

Now, step 2: In /etc/shorewall/shorewall.conf, set

Code:

DISABLE_IPV6=No
This tells Shorewall that it should *not* ignore ipv6 support in the kernel. Since there is no longer support in the kernel Shorewall should not expect support, and thus not try to ignore it. Actually, I do not remember if this step is necessary, but that's the way my config file looks currently, and it works.

Step 3:
Reboot and see whether "firewall" has stopped complaining about ip6_tables.

I hope this sketched solution helps.
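Several of the failures in this thread come down to which CONFIG_* options the kernel was built with: Netfeed's "Unknown error" on the -m state rule, which Beefrum traced to missing kernel abilities, the ip6_tables complaints happyduck worked around, and NotQuiteSane's question of whether his .config is complete. The script below, added here as an example and not part of the tutorial or of Shorewall, parses a kernel .config and reports which of a list of netfilter options are missing or only built as modules, which the guide warns against (<*>, not <M>). The REQUIRED and ROUTER_ONLY tables and the symptom text beside each option are this example's own reading of the thread, not an official list; both sample configs are constructed, the first as an excerpt of what NotQuiteSane posted. On a real box, point it at /usr/src/linux/.config.

```python
# Checks a kernel .config for the netfilter options Shorewall's generated
# iptables commands depend on (added example; the tables are this example's
# own reading of the thread, not a list published by the tutorial or Shorewall).
import re

# CONFIG symbol -> what goes wrong when it is absent.  Constructed mapping.
REQUIRED = {
    "CONFIG_NETFILTER": "no packet filtering in the kernel at all",
    "CONFIG_IP_NF_IPTABLES": "'Module ip_tables not found' at shorewall start",
    "CONFIG_IP_NF_CONNTRACK": "no connection tracking, so no ESTABLISHED/RELATED",
    "CONFIG_NETFILTER_XT_MATCH_STATE": "'-m state' rules fail (Netfeed's FORWARD rule)",
    "CONFIG_IP_NF_FILTER": "no filter table for ACCEPT/DROP/REJECT rules",
    "CONFIG_IP_NF_TARGET_REJECT": "REJECT policy cannot be installed",
    "CONFIG_IP_NF_TARGET_LOG": "LOG LEVEL column (info) has no LOG target",
    "CONFIG_IP_NF_MATCH_MULTIPORT": "port lists such as '21,20' in rules fail",
    "CONFIG_IP_NF_FTP": "active FTP data channel is never RELATED (425 timeout)",
}
# Needed only when the box masquerades for others (a masq file with entries).
ROUTER_ONLY = {
    "CONFIG_IP_NF_NAT": "masq file entries cannot be applied",
    "CONFIG_IP_NF_TARGET_MASQUERADE": "MASQUERADE target missing",
}

# Matches 'CONFIG_X=y', 'CONFIG_X=m' and '# CONFIG_X is not set'.
_LINE = re.compile(r"^(?:# )?(CONFIG_[A-Z0-9_]+)(?:=(\S+)| is not set)$")

def parse_kconfig(text):
    """Map CONFIG_* symbols to their value; 'is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2) or "n"
    return opts

def check(text, router=False):
    """Return which wanted options are missing or modular, and whether IPv6 is built."""
    opts = parse_kconfig(text)
    wanted = dict(REQUIRED, **ROUTER_ONLY) if router else REQUIRED
    missing, modular = [], []
    for sym, symptom in wanted.items():
        value = opts.get(sym, "n")
        if value == "n":
            missing.append((sym, symptom))
        elif value == "m":
            # The guide asks for <*>: a module only helps once something loads it,
            # and shorewall's own iptables calls may run before that has happened.
            modular.append((sym, symptom))
    return {"missing": missing, "modular": modular,
            # ip6_tables errors (happyduck's post) hinge on whether IPv6 is in the
            # kernel and whether shorewall.conf's DISABLE_IPV6 agrees with that.
            "ipv6": opts.get("CONFIG_IPV6", "n") != "n"}

# Constructed excerpt of the .config NotQuiteSane posted above.
NQS_CONFIG = """
CONFIG_NET=y
# CONFIG_IPV6 is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
"""
# Constructed: iptables built in, but the state match and FTP helper left out
# and conntrack modular; one plausible shape behind Netfeed's 'Unknown error'.
BROKEN_CONFIG = """
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
# CONFIG_IP_NF_FTP is not set
CONFIG_IPV6=m
"""

def report(name, text, router=False):
    """Print the check for one config and return the number of problems found."""
    result = check(text, router)
    print(f"{name}: IPv6 built: {result['ipv6']}")
    for kind in ("missing", "modular"):
        for sym, symptom in result[kind]:
            print(f"  {kind:8} {sym}: {symptom}")
    return len(result["missing"]) + len(result["modular"])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # real use: python3 check.py /usr/src/linux/.config
        report(sys.argv[1], open(sys.argv[1]).read(), router=True)
    else:
        report("NotQuiteSane excerpt", NQS_CONFIG, router=True)
        report("constructed broken", BROKEN_CONFIG)
```

Run without arguments it checks the two embedded configs; NotQuiteSane's excerpt comes back clean even with the router-only options, while the constructed broken one lists the state match and FTP helper as missing and conntrack as modular. The symbol names change between kernel series (the thread itself spans the move to the CONFIG_NETFILTER_XT_* names), so extend the tables to match the kernel you are actually building.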
Post by Alchera » Wed Sep 06, 2006 6:29 am

For anyone needing a graphical guide to setting up their kernel for Shorewall: Kernel Configuration

More information: Ports Required for Various Services/Applications
Logging: Configuring a Separate Log for Shorewall Messages (ulogd)

NB: The above configuration works to keep Shorewall information out of /var/log/messages. My policy is below.

Code:

###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT          $LOG
net             all             DROP            $LOG
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          $LOG
#LAST LINE -- DO NOT REMOVE
Shorewall (of course) has to be stopped, cleared and then fired up again.
"Live Outside The Square You Live In"
"Vivez hors du quartier où vous habitez"
Post by nabla² » Sun Jan 07, 2007 2:23 pm

Which ports do I have to open for a printer which uses a print server? I configured cups with:

Code:

URI: lpd://192.168.0.100/binary_p1
and included

Code:

ACCEPT   fw             net             tcp     631 #CUPS
ACCEPT   net             fw             tcp     631 #CUPS
in the rules file. It does not work when printing in kde.

thx
Gentoo on Intel Core Duo 2 E6750, Gigabyte P35-DS3P, NVIDIA 8800GTS (amd64)
Shorewall with 2.6.19 genkernel, configuration not up to date!


Post by Karim » Thu Apr 19, 2007 1:17 pm

Hi!

I tried to follow the tutorial with the latest kernel 2.6.19, but the network configuration has really changed a lot.
Is there an up-to-date genkernel configuration guide anywhere?
Does anyone have a useful pointer?

Thanks!
/Karim

Post by manouchk » Sat Nov 10, 2007 5:34 am

I was using firestarter for simplicity and because it can be used to dynamically accept connections, but as it ends up being insecure, I had to switch. I tried kmyfirewall, which was not very good for me (the standard desktop configuration was not allowing traffic over loopback, and kmyfirewall has almost no documentation etc...).
Well, I ended up trying shorewall, and well, the documentation is good! (3 minutes to set up a standalone shorewall, loved that!)

I have some comments; I hope it is okay to post here?

I had 1 problem: I missed one thing from the first post of http://forums.gentoo.org/viewtopic-t-308153.html (Prompt and Powerful Personal Firewalling with Shorewall). I had to add one line in /etc/shorewall/zones:

Code:

net ipv4

I mean with that instead of 3mn, it could have been 2mn30...

I also liked to use the "new" syntax of /etc/shorewall/rules:

Code:

 DNS/ACCEPT   fw         net 
 FTP/ACCEPT   fw         net 
 POP3/ACCEPT  fw         net 
 POP3S/ACCEPT fw         net 
 IMAP/ACCEPT  fw         net 
 IMAPS/ACCEPT fw         net 
 SMTP/ACCEPT  fw         net 
 SMTPS/ACCEPT fw         net 
 Trcrt/ACCEPT fw         net #traceroute 
 Rsync/ACCEPT fw         net 
 HTTP/ACCEPT  fw         net 
 HTTPS/ACCEPT fw         net 
 SSH/ACCEPT   fw         net 
 BitTorrent/ACCEPT fw    net 
 NTP/ACCEPT   fw         net 
 PCA/ACCEPT   fw         net #pcanywhere 
 #ICQ/ACCEPT  fw         net#ICQ/AIM 
 #SVN/ACCEPT  fw         net 
Those 2 links also were helpful during setup:
http://www.shorewall.net/ports.htm
http://www.shorewall.net/standalone.htm
Post by trikolon » Sun Dec 16, 2007 12:02 am

Hi.
I have a server/home-router with 3 eth interfaces. eth0 is my LAN with IP range 192.168.0.255, eth1 is connected with my DSL modem and eth2 is connected with my WLAN access point with the subnet 192.168.1.255. LAN and internet are working! But I can't ping from or to the eth2 net from or to the LAN, nor surf. The two subnets are not communicating and I can't enter the internet from the eth2 subnet.
Here are my configs:

Code:

interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0    -       norfc1918,routefilter,tcpflags
loc     eth0    192.168.0.255   routeback,tcpflags
wifi    eth2    192.168.1.255   dhcp,routeback,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Code:

masq
#INTERFACE              SUBNET          ADDRESS
##eth1  eth0
ppp0 eth0
ppp0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Code:

policy
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

wifi            all             ACCEPT
net             all             ACCEPT
loc             all             ACCEPT
fw              all             ACCEPT
#LAST LINE -- DO NOT REMOVE

Code:

rules - only the wifi part
#Wifi
ACCEPT  loc     wifi    all
ACCEPT  wifi    loc     all

ACCEPT  wifi  net  icmp  8
#ACCEPT  net  $FW  icmp  8
ACCEPT  $FW  wifi  icmp
ACCEPT  wifi  $FW  icmp
ACCEPT  wifi  loc  icmp  8
ACCEPT  loc  wifi  icmp  8
DROP    net  wifi  icmp
DROP    net  wifi  icmp  8

Code:

zones
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4
Files like nat, routes.. are empty.
Hope somebody can help me; I can't get it to work after hours of reading, searching and trying.

greets ben
© 2001–2026 Gentoo Foundation, Inc.

Powered by phpBB® Forum Software © phpBB Limited

Privacy Policy

 

 

magic