From: Paulo J. O. C. M. <po...@ne...> - 2004-08-31 00:28:09

>
> Now please send us the information asked for at
> http://shorweall.net/support.htm under the heading:
>
> When reporting a problem, *ALWAYS* include this information:
>

Sorry for the missing information:

descartes root # shorewall version
2.0.4

descartes root # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:3b:69:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:4f:49:02:86:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:6e:23:ad:28 brd ff:ff:ff:ff:ff:ff
    inet 217.129.147.210/22 brd 217.129.147.255 scope global eth2

descartes root # ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.99
217.129.144.0/22 dev eth2 proto kernel scope link src 217.129.147.210
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 217.129.144.1 dev eth2
default via 192.168.0.1 dev eth0

> Also please tell us the steps that you went through to upgrade. Since
> you were upgrading between major releases, did you consult the "Upgrade
> Issues" on the web site or in your documentation. There are a number of
> things to watch out for when upgrading from 1.4 to 2.0; you can't just
> load the new version, restart and expect it to work.
>

Ok, so I just deleted all my config files...
I started a new 2.0.4 installation with the two-interface quick start.
Since I have two internal interfaces I added a new one and exchanged
letters since my external iface is eth2.
I also have a DHCP server giving up addresses and it gave 192.168.0.100
to my laptop and the funny thing is that I can ping the laptop but I
cannot ping the firewall.

And I get the following when starting the firewall:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth2:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0 eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT fw loc icmp" added.
   Rule "ACCEPT fw net icmp" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth2
Warning: default route ignored on interface eth0
   To 0.0.0.0/0 (all) from 192.168.0.0/24 through eth2
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...

Ok, so I just have again the same warning:
Warning: default route ignored on interface eth0

Can someone help?

Cheers,

Paulo J. Matos

> - -Tom
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ te...@sh...
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>

--
Paulo J. Matos : pocm [_at_] mega . ist . utl . pt
Instituto Superior Tecnico - Lisbon
Computer and Software Eng. - A.I.
- > http://mega.ist.utl.pt/~pocm
---
-> God had a deadline...
So, he wrote it all in Lisp!