[Shorewall-users] How to allow specific services for machines in LAN behind router?

Jeff jsoehner at the-techy.com
Tue Feb 15 05:38:28 PST 2005


Hey Bram;

The 'DROP' entry states that the packet was dropped because of the norfc1918
option on eth0 in your interfaces file. Yes, you should remove it, as you have
a 192.168.1.0 network on both ethernet interfaces and the option should NOT be used.

Shorewall:rfc1918:DROP:IN=eth0 OUT=

BTW, you *might* also keep in mind that taking the time to remove the MAC
address is probably pointless. That info is really ONLY useful to anyone on
your local network (or maybe one hop away).

Jeff

----- Original Message ----- 
From: "Bram Mertens" <bram-mertens at linux.be>
To: "Mailing List for Shorewall Users" <shorewall-users at lists.shorewall.net>
Sent: Tuesday, February 15, 2005 8:13 AM
Subject: Re: [Shorewall-users] How to allow specific services for machines in LAN behind router?


> On Mon, 2005-02-14 at 12:09 -0800, Tom Eastep wrote:
> > Bram Mertens wrote:
> >
> > >
> > > So...
> > >
> > > It would be easier to configure the dhcp of my router to provide IP
> > > addresses starting from 192.168.1.128 rather than 192.168.1.100 and
> > > have it assign only 31 addresses instead of 50.
> >
> > It could assign all 32... (192.168.1.128-192.168.1.159 is a range of 32
> > addresses).
> >
> > > That way I can use the
> > > ACCEPT net:192.168.1.128/27 fw tcp 22
> > > rule you suggested, right?
>
> Unfortunately I still seem to do something wrong...
>
> I have edited my router, restarted the connection on the desktop and on
> the laptop so their IP addresses are now 192.168.1.128 and 198.168.1.129
>
> When shorewall is cleared on both machines I can log in through ssh in
> both directions.
> When I start the firewall on the desktop, I can log in on the laptop
> from the desktop but ssh connections from the laptop to the desktop are
> blocked (on the laptop, as dmesg on the laptop shows) and ssh returns a
> connection timed out error.
>
> If I start the firewall on the laptop I get a connection refused when I
> try to log in on the desktop from the laptop.  Logging in on the laptop
> from the desktop returns the connection timed out error.
>
> The output of dmesg looks like:
> Shorewall:rfc1918:DROP:IN=eth0 OUT=
> MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.129
> DST=192.168.1.128 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=25516 DF PROTO=TCP
> SPT=32776 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Should I remove the norfc1918 option from /etc/shorewall/interfaces?
>
> TIA
> -- 
> # Mertens Bram "M8ram"   <bram-mertens at linux.be>   Linux User #349737 #
> # debian testing            kernel 2.6.8-1-686     i686     512MB RAM #
> # 13:45:38 up 6 days, 17:32,  8 users,  load average: 0.40, 0.30, 0.20 #
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
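As an added illustration (not part of the list thread, and not Shorewall's own code), the Python below parses the Shorewall log line quoted above, states why the rfc1918 chain dropped it, and checks that the suggested `ACCEPT net:192.168.1.128/27 fw tcp 22` rule would match the same packet once the norfc1918 option is gone. The only assumption is the one the thread implies: eth0 is the LAN interface and carries 192.168.1.0/24. The sample log line is the one posted, with the MAC field left masked.

```python
import ipaddress

# Constructed sample: the Shorewall log line quoted in the thread, MAC kept
# masked exactly as it was posted.
SAMPLE_LOG = (
    "Shorewall:rfc1918:DROP:IN=eth0 OUT= "
    "MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.129 "
    "DST=192.168.1.128 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=25516 DF PROTO=TCP "
    "SPT=32776 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# The three RFC 1918 private ranges that Shorewall's norfc1918 option rejects.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption taken from the thread: eth0 is the LAN side and carries 192.168.1.0/24.
INTERFACE_NETS = {"eth0": ipaddress.ip_network("192.168.1.0/24")}


def parse_shorewall_log(line):
    """Split a Shorewall LOG message into chain, disposition and KEY=VALUE fields.

    The message starts with 'Shorewall:<chain>:<disposition>:IN=<if>', so the
    first netfilter field rides inside the colon-separated prefix.
    """
    prefix, _, rest = line.partition(" ")
    _, chain, disposition, first_field = prefix.split(":", 3)
    fields = {"chain": chain, "disposition": disposition}
    for token in (first_field + " " + rest).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # e.g. SRC=192.168.1.129, OUT= (empty)
        else:
            fields[token] = True         # bare flags such as DF and SYN
    return fields


def explain_rfc1918_drop(fields, interface_nets=INTERFACE_NETS):
    """Say why the rfc1918 chain dropped the packet and whether that is a misconfiguration."""
    if fields["chain"] != "rfc1918" or fields["disposition"] != "DROP":
        return "not an rfc1918 drop"
    src = ipaddress.ip_address(fields["SRC"])
    if not any(src in net for net in RFC1918):
        return "rfc1918 chain fired on a non-private source; unexpected"
    iface = fields["IN"]
    if iface in interface_nets and src in interface_nets[iface]:
        # norfc1918 is meant for the Internet-facing interface; on an interface
        # whose own subnet is private it drops every LAN host.
        return "norfc1918 on %s rejects its own LAN %s; remove the option" % (
            iface, interface_nets[iface])
    return "private source %s arrived on %s from outside its subnet" % (src, iface)


def rule_matches(fields, source_net, dport, proto="TCP"):
    """Would a Shorewall rule 'ACCEPT net:<source_net> fw <proto> <dport>' match this packet?"""
    return (fields.get("PROTO") == proto
            and int(fields["DPT"]) == dport
            and ipaddress.ip_address(fields["SRC"]) in ipaddress.ip_network(source_net))


def address_range(cidr):
    """First address, last address and size of the block a rule like net:<cidr> covers."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


if __name__ == "__main__":
    parsed = parse_shorewall_log(SAMPLE_LOG)
    print(explain_rfc1918_drop(parsed))
    print("rule matches:", rule_matches(parsed, "192.168.1.128/27", 22))
    print("range covered:", address_range("192.168.1.128/27"))
```

Running it against the posted line reports that norfc1918 on eth0 is rejecting its own LAN, that the /27 rule would accept the SSH SYN from 192.168.1.129, and that the block spans 192.168.1.128 to 192.168.1.159, the 32 addresses Tom pointed out. A host still on 192.168.1.100 from the old DHCP range falls outside the rule, which is worth remembering when leases have not yet been renewed.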
