# [SOLVED] Shorewall burp..

## Dr_Stein

When I run 'shorewall start' I get this:

```
box ~ # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Not available
   Connmark Match: Not available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   local Zone: eth0:0.0.0.0/0
   Warning: Zone loc is empty
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding Anti-smurf Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
   Error: No policy defined from zone net to zone fw
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
box ~ #
```

My /etc/shorewall/zones:

```
#ZONE                   DISPLAY         COMMENTS
net                     local net
loc
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

/etc/shorewall/rules:

```
###################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP
#
ACCEPT  net             fw              tcp     21 #FTP
ACCEPT  net             fw              tcp     22 #SSH
ACCEPT  net             fw              udp     53 #DNS
ACCEPT  net             fw              tcp     53 #DNS
ACCEPT  net             fw              tcp     80 #HTTP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/interfaces:

```
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS                 GATEWAY
net     eth0            detect          nosmurfs
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/policy:

```
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
#LAST LINE -- DO NOT REMOVE
```

I've followed the little HOWTO (https://forums.gentoo.org/viewtopic-p-2187309.html) (and several pages of docs at shorewall.net) but the howto didn't mention the /etc/shorewall/zones file, and I think that's where I'm getting tripped up.

All I want to do is allow access from the internet to those specific ports and allow traffic that originates on the machine to get outside. I'm not really familiar with shorewall, and the last thing that I want to do is lock myself out of the box.

Anyone know a way to solve this?

Last edited by Dr_Stein on Tue Nov 08, 2005 4:34 am; edited 1 time in total

----------

## steveb

Replace this (/etc/shorewall/policy):

```
# Allow all connection requests from local network to the internet
#
loc      net      ACCEPT

# Drop (ignore) all connection requests from the internet to firewall or local network
net      all      DROP      info

# Accept all connection requests from the firewall to the internet
#
fw      net      ACCEPT

#
# THE FOLLOWING POLICY MUST BE LAST
#
all      all      REJECT      info
```

cheers

SteveB
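To see why the one-line policy failed and what the replacement actually grants, here is an added example (written for this thread, not code from the post or from Shorewall) that models Shorewall's zone-pair resolution: a rule is an exception checked first, and otherwise the first policy line that covers the source/dest pair (in file order, `all` as the wildcard, `fw` being the built-in firewall zone) supplies the default; a pair with no covering policy is the compile-time error in the original post. The rule and policy contents are constructed from the configs quoted above; `decide`, `missing_policies` and `policy_matrix` are names chosen here, not Shorewall functions.

```python
"""Model Shorewall's zone-pair resolution to catch rules that have no policy."""
from collections import namedtuple

Policy = namedtuple("Policy", "source dest action log")
Rule = namedtuple("Rule", "action source dest proto dport")

ZONES = ("fw", "net", "loc")  # 'fw' is the built-in firewall zone ($FW)


def fields_of(text):
    """Whitespace-split fields of each non-blank line, '#' to end of line dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    out = []
    for f in fields_of(text):
        out.append(Policy(f[0], f[1], f[2].upper(), f[3] if len(f) > 3 else None))
    return out


def parse_rules(text):
    out = []
    for f in fields_of(text):
        proto = f[3] if len(f) > 3 else "all"
        dport = f[4] if len(f) > 4 else None
        out.append(Rule(f[0].upper(), f[1], f[2], proto, dport))
    return out


def zone_matches(pattern, zone):
    """'all' matches any zone; '$FW' is an alias of 'fw'."""
    return pattern == "all" or pattern.replace("$FW", "fw") == zone


def governing_policy(policies, source, dest):
    """First policy line covering source->dest, or None (Shorewall refuses to start)."""
    for p in policies:
        if zone_matches(p.source, source) and zone_matches(p.dest, dest):
            return p
    return None


def missing_policies(policies, rules):
    """Zone pairs referenced by rules that no policy line covers."""
    missing = []
    for r in rules:
        pair = (r.source.replace("$FW", "fw"), r.dest.replace("$FW", "fw"))
        if governing_policy(policies, *pair) is None and pair not in missing:
            missing.append(pair)
    return missing


def decide(policies, rules, source, dest, proto, dport):
    """Action taken for a new connection source->dest proto/dport."""
    for r in rules:  # rules are exceptions, evaluated before the policy
        if (zone_matches(r.source, source) and zone_matches(r.dest, dest)
                and r.proto in ("all", proto)
                and (r.dport is None or str(dport) in r.dport.split(","))):
            return r.action
    p = governing_policy(policies, source, dest)
    if p is None:
        raise ValueError("No policy defined from zone %s to zone %s" % (source, dest))
    return p.action


def policy_matrix(policies, zones=ZONES):
    """Default action per ordered zone pair (intra-zone traffic not modelled)."""
    return {(s, d): (governing_policy(policies, s, d) or Policy(s, d, None, None)).action
            for s in zones for d in zones if s != d}


# Constructed from the thread: the rules file, the original one-line policy
# and the policy proposed in the reply.
RULES = """\
ACCEPT  net  fw  tcp  21 #FTP
ACCEPT  net  fw  tcp  22 #SSH
ACCEPT  net  fw  udp  53 #DNS
ACCEPT  net  fw  tcp  53 #DNS
ACCEPT  net  fw  tcp  80 #HTTP
"""
ORIGINAL_POLICY = "loc  net  ACCEPT\n"
FIXED_POLICY = """\
loc  net  ACCEPT
net  all  DROP    info
fw   net  ACCEPT
all  all  REJECT  info
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("uncovered pairs:", missing_policies(parse_policy(ORIGINAL_POLICY), rules))
    fixed = parse_policy(FIXED_POLICY)
    for conn in (("net", "fw", "tcp", 22), ("net", "fw", "tcp", 25),
                 ("fw", "net", "tcp", 443), ("loc", "fw", "tcp", 22)):
        print(conn, "->", decide(fixed, rules, *conn))
```

Order matters in the policy file: `net all DROP` has to come before `all all REJECT`, because the first matching line wins, and with it in place the five ACCEPT rules become the only inbound exceptions while every other net-originated connection is silently dropped (and logged at `info`). Since the thread's `loc` zone is empty, the `loc net` line is inert; it is the `fw net ACCEPT` line that gives the box itself outbound access.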

----------

## Dr_Stein

Dude, you da man. Thanks! That worked great. :)

----------

## steveb

:)

----------

