Ok, I will use that setting, thank you Tom! Probably it was the wrong setting
and then 2 miserable weeks are over... ;)
So the situation for Squid; I haven't given some info, sorry!
Squid is up and working really fine (after some days). It is set to be
transparent and now the policy of Shorewall says that local to net is
accepted for every port.
But I would like to set Local to net to be Rejected and then in rules I
would like to decide which ports to let go. So I have added some rules
like AllowWeb, AllowSSH and then the rule to redirect web requests to the
squid port 3128. And after that, no web connection is available from the local
network (if in policies every loc to net is accepted, it is working and squid
is also working transparently).
You have said DNS; it is outside the local network (the ISP's - another
dizzy thing in the network, I think).
So maybe the solution is to add an AllowDNS rule also, and if I say in
policy loc to net reject, then in rules AllowDNS, AllowWeb from loc to net
and then the redirect to squid rule. Will it work then?
[mailto:shorewall-users-admin@...] On Behalf Of Tom Eastep
Sent: Friday, October 07, 2005 7:57 PM
Subject: Re: [Shorewall-users] Config
Kortvelyesi Peter wrote:
> So it will be good also
> #INTERFACE SUBNET ADDRESS
> eth1 eth0
> Am I right (eth1 is net, eth0 is local)?
That will work provided that the route to 192.168.1.0/24 is in place when
Shorewall starts. Shorewall needs to decode the routing table to build the
list of networks to be masqueraded.
> Another issue (if you are not fed up with me yet ;) ):
> As you have seen, Squid is working as a transparent proxy.
> If I say that loc net REJECT in policies, and then leave the redirect
> 3128 www on and say AllowWeb, AllowSSH, ... Loc to net in rules, then
> no web connection is available!
> What can I do in that situation?
Sounds like a DNS problem. Where is the DNS server that the local systems
use -- the clients need to be able to communicate with that server and the
server needs access to the internet.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
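As an added illustration (not taken from this thread or from the Shorewall project), here is what Peter's plan in the message above looks like as Shorewall policy and rules entries, including the DNS rule that Tom's answer calls for. The zone names loc, net and fw, the Shorewall 2.x action names AllowDNS/AllowWeb/AllowSSH, and the log levels are assumptions; the only values taken from the thread are the REJECT loc-to-net policy, the Squid port 3128 and the redirect of port www.

```conf
# /etc/shorewall/policy  (added example; zone names loc, net, fw assumed)
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT              # Squid runs on the firewall and must fetch pages itself
loc       net    REJECT   info       # default for LAN -> internet; logging shows which ports
                                     # are still missing when something stops working
net       all    DROP     info
all       all    REJECT   info       # last entry: catch everything not listed above

# /etc/shorewall/rules  (added example; rules are evaluated before the policy)
#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
# 1. Name resolution: the resolver is at the ISP, i.e. in the net zone, so with a
#    REJECT policy the clients lose DNS unless it is allowed explicitly (udp and tcp 53).
AllowDNS   loc      net
# 2. Transparent proxy: port-80 requests from loc are redirected to Squid on the
#    firewall, port 3128. REDIRECT also opens loc -> fw tcp 3128 for the redirected traffic.
REDIRECT   loc      3128   tcp     www
# 3. Everything else the LAN may open directly (AllowWeb covers http and https, AllowSSH tcp 22).
AllowWeb   loc      net
AllowSSH   loc      net
```

On Shorewall releases newer than the one in this thread, the pre-defined actions were replaced by macros with the same meaning (DNS/ACCEPT, Web/ACCEPT, SSH/ACCEPT in the ACTION column); the rest is unchanged. Run `shorewall check` before `shorewall restart`, then watch the REJECT log lines from the loc-to-net policy: a client that can reach the web only while the policy is ACCEPT normally shows up there as a blocked port 53, which is the symptom Tom points at.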