From: Paul G. <pg...@re...> - 2006-02-15 05:54:24
Lee Zelyck wrote:
> ...
> Here is what appears in the /var/logs/messages logs
> when I try to get to the internet from inside the
> firewall:
>
> Feb 11 12:24:02 firewall kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00
> SRC=192.168.77.10 DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322
> DF PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00
> SYN URGP=0

Now that you've had your baptism of fire with Tom (don't worry, he's a softie on the inside ;-) I'll offer my logging tips (we've been debating about whether these need to be in the FAQ or web site somewhere):

1. Define all of the combinations of zones in your policy file, and set them to log at info level. E.g. in the 2 interface example, use something like this:

   loc   net   ACCEPT
   loc   fw    REJECT  info
   loc   all   REJECT  info
   fw    net   REJECT  info
   fw    loc   REJECT  info
   fw    all   REJECT  info
   net   loc   DROP    info
   net   fw    DROP    info
   net   all   DROP    info

   This produces the same results as the current CVS version of the two-interface guide policy (which I don't think has changed for some time), but gives much more specific logging information.

2. If you have a complicated setup (like some of us do ;-), define *all* of your zones in the hosts file, not the interfaces file. Keeping them in the one place makes it less likely that you'll make mistakes in host/zone placement.

Tom, perhaps we should think about setting up the samples like the above to give us more info the first time people come with a question and give us all2all log entries.

Regards,
Paul
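As an added example (not part of Paul's post and not Shorewall's own code), the script below does two things a practitioner wants when an all2all entry shows up: it parses a Shorewall kernel log line like the one quoted above into its fields (chain, disposition, IN/OUT, SRC, DST, PROTO, DPT), and it audits a policy file for zone pairs that are only covered by the all/all catch-all or that drop or reject without a log level. The zone names loc, net and fw, the sample log line and both policy texts are constructed for this example; the policy format assumed is the SOURCE DEST POLICY LOGLEVEL columns of a Shorewall 2.x/3.x policy file, matched top-down with "all" as a wildcard.

```python
"""Added example, not from the original post or from Shorewall itself.

Parses a Shorewall kernel log line and audits a policy file for zone pairs
that fall through to the generic all2all policy or that never log.
Zone names, log line and policy texts below are constructed samples."""
import re
from itertools import permutations

# Shorewall prefixes kernel log entries with "Shorewall:<chain>:<disposition>:"
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs; bare flags (DF, SYN) are skipped

# Constructed sample, modelled on the entry quoted in the thread.
SAMPLE_LOG = (
    "Feb 11 12:24:02 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:60:08:91:9b:c0:00:50:2c:07:ad:61:08:00 SRC=192.168.77.10 "
    "DST=192.168.77.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=38322 DF "
    "PROTO=TCP SPT=2255 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Hypothetical "before" policy: loc->fw is only covered by all/all, so a
# blocked LAN client produces an unhelpful all2all entry.
WEAK_POLICY = """
# SOURCE  DEST  POLICY  LOGLEVEL
loc       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
"""

# The fully enumerated policy from the post: every pair is named explicitly.
VERBOSE_POLICY = """
loc net ACCEPT
loc fw  REJECT info
loc all REJECT info
fw  net REJECT info
fw  loc REJECT info
fw  all REJECT info
net loc DROP   info
net fw  DROP   info
net all DROP   info
"""

ZONES = ("loc", "net", "fw")  # assumed zone names for the audit


def parse_shorewall_log(line):
    """Return chain, target and the key=value fields of a Shorewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "target": m.group("target")}
    fields.update(KV_RE.findall(m.group("rest")))
    return fields


def parse_policy(text):
    """Parse SOURCE DEST POLICY [LOGLEVEL] lines; '#' starts a comment, '-' means no level."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, policy = cols[:3]
        level = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        entries.append((src, dst, policy.upper(), level))
    return entries


def audit_policy(entries, zones):
    """List zone pairs that hit the all/all catch-all or DROP/REJECT without logging.

    Policies are matched top-down; 'all' matches any zone, as Shorewall does.
    """
    problems = []
    for src, dst in permutations(zones, 2):
        match = next((e for e in entries
                      if e[0] in (src, "all") and e[1] in (dst, "all")), None)
        if match is None:
            problems.append(f"{src}->{dst}: no policy at all")
            continue
        msrc, mdst, policy, level = match
        if msrc == "all" and mdst == "all":
            problems.append(f"{src}->{dst}: falls through to all2all ({policy})")
        if level is None and policy != "ACCEPT":
            problems.append(f"{src}->{dst}: {policy} via {msrc}->{mdst} but no log level")
    return problems


if __name__ == "__main__":
    f = parse_shorewall_log(SAMPLE_LOG)
    print(f"{f['chain']} {f['target']} {f['SRC']} -> {f['DST']}:{f.get('DPT')} on {f['IN']}")
    for name, text in (("weak", WEAK_POLICY), ("verbose", VERBOSE_POLICY)):
        print(name, audit_policy(parse_policy(text), ZONES) or "ok")
```

Run against the weak policy the audit names loc->fw, fw->loc and fw->net as pairs that only the all/all line covers, which is exactly why the quoted entry says all2all instead of loc2fw; the enumerated policy from the post reports nothing.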