I'd like to ask for help configuring Shorewall, because I've been fighting with it for a week now and unfortunately I keep having the same one problem: the moment Shorewall starts, I can't log in to the server over SSH.
I've already tried everything:
- my own rules
- the example rules found in Shorewall's directories after installation
- various wonders available on the internet.
I have a dynamic IP and that's probably where the catch is.
Let me show you the current state of my rules, policy and other files.
I'll say straight away that this is the "umpteenth" version of these files, so there may be very silly mistakes in them, but I really have tried everything and I don't know what it could be. By the way, shorewall-init.log doesn't show any errors either.
So here are my files.
zones file:
# /etc/shorewall/zones
# See the file README.txt for further details.
#----------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-zones.html
#
######################################
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall             # the firewall itself; referenced as $FW in the other files
net     ipv4                 # the Internet side (eth0 in the interfaces file)
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
interfaces file:
#
# Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-interfaces.html
#
######################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
policy file:
# Shorewall version 4.0 - Sample Policy File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#--------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-policy.html
#
######################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       net    ACCEPT
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    DROP     info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
rules file:
# Shorewall version 4.0 - Sample Rules File for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#-------------------------------------------------------
# For information on entries in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall-rules.html
#
######################################
#ACTION     SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK
#                                   PORT    PORT(S)   DEST       LIMIT   GROUP
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/DROP   net      fw
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT      $FW      net    icmp
# Port number
ACCEPT      net      $FW    tcp     xxxx
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I'd be grateful for any help and hints.
Regards,
Konrad
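An added example, not part of Konrad's post and not Shorewall's own code: a small Python evaluator that reads policy and rules tables in the format shown above and answers "what happens to a new connection from zone X to zone Y on this protocol and port?" It models only what is needed to reason about the posted files (first matching rule wins, otherwise the first matching policy entry, `all` as a wildcard zone, `$FW` expanding to the firewall zone, `Macro/ACTION` for the Ping macro). The constructed tables are copies of the posted ones; the redacted `xxxx` is assumed to be 22, the firewall zone is assumed to be named `fw`, the Ping macro is modelled as ICMP type 8, and only zone-level matching of NEW connections is considered (no `zone:address` qualifiers, no ESTABLISHED/RELATED handling). All of those are assumptions of the example, not facts from the post.

```python
"""Toy evaluator for Shorewall-style rules/policy tables (added example).

Assumptions, none of them taken from the post: the firewall zone is called
"fw" (so $FW expands to "fw"), the redacted port "xxxx" is 22, the only macro
modelled is Ping (ICMP echo-request, type 8), matching is done on zone names
only (no "zone:address" qualifiers) and only NEW connections are considered.
"""

FW_ZONE = "fw"                       # zones file: "fw firewall"
MACROS = {"Ping": ("icmp", "8")}     # Ping macro == ICMP type 8 (assumed model)


def parse_table(text):
    """Split a Shorewall table into rows of fields, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append([f.replace("$FW", FW_ZONE) for f in line.split()])
    return rows


def parse_rules(text):
    """ACTION SOURCE DEST [PROTO [DPORT]]; 'Macro/ACTION' expands the macro."""
    rules = []
    for fields in parse_table(text):
        action, src, dst = fields[0], fields[1], fields[2]
        proto = fields[3].lower() if len(fields) > 3 else "-"
        dport = fields[4] if len(fields) > 4 else "-"
        if "/" in action:
            macro, action = action.split("/", 1)
            if macro not in MACROS:
                raise ValueError(f"macro {macro} not modelled")
            proto, dport = MACROS[macro]
        rules.append({"action": action, "src": src, "dst": dst,
                      "proto": proto, "dport": dport})
    return rules


def parse_policy(text):
    """SOURCE DEST POLICY [LOG LEVEL ...]; 'all' is a wildcard zone."""
    return [{"src": f[0], "dst": f[1], "action": f[2]} for f in parse_table(text)]


def port_matches(spec, port):
    """DPORT column: '-' or 'all' = any; comma list of ports and lo:hi ranges."""
    if spec in ("-", "all"):
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def zone_matches(spec, zone):
    return spec == "all" or spec == zone


def evaluate(rules, policy, src, dst, proto, port):
    """First matching rule wins; otherwise the first matching policy entry."""
    for r in rules:
        if (zone_matches(r["src"], src) and zone_matches(r["dst"], dst)
                and r["proto"] in ("-", "all", proto)
                and port_matches(r["dport"], port)):
            return r["action"], "rules"
    for p in policy:
        if zone_matches(p["src"], src) and zone_matches(p["dst"], dst):
            return p["action"], "policy"
    return "DROP", "implicit"      # Shorewall requires a policy for every zone pair


# Constructed copies of the posted policy and rules tables, with "xxxx" assumed to be 22.
POLICY = """
$FW   net   ACCEPT
net   all   DROP    info
all   all   DROP    info
"""
RULES = """
Ping/DROP   net   fw
ACCEPT      $FW   net   icmp
ACCEPT      net   $FW   tcp   22
"""
# Hypothetical mistake: the rule opens a port sshd is not listening on.
RULES_WRONG_PORT = RULES.replace("tcp   22", "tcp   2222")


def ssh_from_net(rules_text, sshd_port=22):
    """Verdict for a new TCP connection from net to the firewall's sshd port."""
    return evaluate(parse_rules(rules_text), parse_policy(POLICY),
                    "net", FW_ZONE, "tcp", sshd_port)


if __name__ == "__main__":
    print("sshd on 22, rule opens 22:  ", ssh_from_net(RULES))             # ('ACCEPT', 'rules')
    print("sshd on 22, rule opens 2222:", ssh_from_net(RULES_WRONG_PORT))  # ('DROP', 'policy')
```

The point the two runs make is that an inbound SSH connection is accepted only when the port in the `ACCEPT net $FW tcp ...` rule is the port sshd actually listens on; anything else falls through to the `net all DROP info` policy. Because that policy logs at level `info`, a dropped SSH SYN shows up in the kernel log on the real box, so checking syslog right after a failed login attempt tells you whether the connection reached the policy or never got that far.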