SoHo Server and Shorewall
Posts: 387
Someone I know has SoHo server beta and needs to turn off shorewall temporarily to run some tests. I don't have the program installed on anything now that I am not a part of the testing process, so I wonder if someone can tell me how to best disable it for a time, then turn it back on later.
Can it be done through Kmenu, System, Security? Or does it have to be done via editing a script - and if so, which one?
Thanks in advance,
RossD.

Not Quite Aguerra
Posts: 5513
Aguerra, I haven't used shorewall either, but I just did a "man: shorwall" in Google (another nice thing it will do). And came across the main site and a faq:
http://www.shorewall.net/FAQ.htm
In looking for "stop", I found this helpful bit, and I quote:
(FAQ 7) When I stop Shorewall using "shorewall stop", I can't connect to anything. Why doesn't that command work?
The "stop" command is intended to place your firewall into a safe state whereby only those hosts listed in /etc/shorewall/routestopped are activated. If you want to totally open up your firewall, you must use the "shorewall clear" command.
(end quote)
Looks like there's more good stuff there too 
Let us know how shorewall works out.
Jon

shorewall
Posts: 4864
use the webmin interface in SoHo, which is on the desktop.
log in as root.
go to the firewall, and one of the config options is to allow all connections. it isn't stop, and i've removed the shorewall so I can't just lean over to the other machine and find out what it's called....

Webmin, Good!
Posts: 5513
Yes Ross, drlizau's suggestion of webmin is a good one. When fiddling with multiple systems, it's nice to have it as a common interface (when a webmin module exists and works (sigh)).
I didn't realize that the webmin firewall interface tied into shorewall. Thanks for the clarification Liz.
Jon

clear firewall
Posts: 17
That's the one you want. Just set up an IPsec VPN in it and it's working nicely. Next test is 3 NICs, 1 pub, 2 local to seg. networks. If that all works, this could be the best product since I first laid my hands on a Cisco.
Networks and Consulting
www.bullerconsulting.com

Sounds Nice!
Posts: 5513
Bullerconsulting, when you get this configuration going, can you please post the details of the firewall, vpn, and other goodies that you have? It sounds like it would be a configuration that I could use with one of my clients too 
Thanks
Jon

Sure!
Posts: 17
All been tested internally; the real test comes (maybe) Wed when Verslofin (no free plugs) gets my new fiber line in.
Networks and Consulting
www.bullerconsulting.com

Good Luck!
Posts: 5513
I hope everything goes well and as planned. We've all had "interesting things" happen when you push the button during a demo. It's never fun to push the button and then say, "Hmmm..." 
We here, will keep various appendages crossed!
Jon

SOHO problems with firewall
Posts: 66
I'm having problems with Shorewall also. I set up Mepis SOHO test 2 to replace my Libranet webserver. I copied my site from /var/www and a few other key things like the http.conf. Loaded Mepis SOHO and then dropped my site back in.
Problem is I can't connect to the box on port 80 from outside my LAN. I could ssh in, run lynx from cli to connect to localhost:10000, but you miss buttons and stuff. It is near impossible to get anything fixed. I tried to add a new rule in shorewall to allow all connections to port 80, but it didn't work. I go to the server and click on the webmin button on the desktop and I get all kinds of SSL Cert. errors, but I am able to admin it. Another PC on my LAN is able to hit Webmin and the default site and ssh in also.
So I messed with Shorewall via Webmin, allowing all connections to port 80 and moved the rule up in the list, now the pc on the LAN can get webmin, but not ssh, not the default webpage and I can't do anything including ssh from outside the LAN. I'm confused. Can someone post whatever info about rule changes they made to make Mepis SOHO work as a webserver? I'd also like to be able to use webmin from outside the lan, since I'm going to move this box to someone else's house.
I'd hate to have to disable the local firewall, but do I have another choice?
Brian
Somewhere there is a village missing an idiot.

took a while
Posts: 4864
we got this working eventually
the first mistake i made was not realising that eth0 was defined as WAN and eth1 defined as LAN, so that if you only had one network card you were cut off from everything.
have you an email address you can put here? as I am not going to publicly post my firewall rules

Temporarily Disable Firewall
Posts: 5513
Brian, I haven't worked much with shorewall, but just to make sure that the firewall's the culprit, disable it temporarily if doing so will not expose you to too many nasties! Disable and see if you can connect to port 80 and port 10000. Also, try it from the box itself (through localhost or 127.0.0.1). If it works, enable the firewall and try again.
I'm wondering if there might be some other web and or ssl config settings that need to be (re)tweaked.
And if you're trying to find the missing village idiot, try BASHING TOO BRICKS TOGEFFER and maybe J P Gumby will be attracted to the sound 
Jon

SOHO problems with firewall
Posts: 66
So where do I define eth0 as WAN and LAN, as I only have one card in right now? I have a separate firewall box (IPCop) and it is configed correctly to allow port 80 access. I haven't set up port 10000 yet.
My server is a PIII 500, BX chipset, with 640MB and a 9GB SCSI disk. Many things seem slow, like especially Webmin access. Is that because of the SCSI or the older CPU?
Is there a guide for initial config on SOHO yet?
I'm wondering when SOHO will go final, if ever. I seemed to have the most recent comment and that is in like 2 months. I realize that SimplyMepis is prepping for a new release.
Brian
(removed)
Somewhere there is a village missing an idiot.

Re: SOHO problems with firewall
Posts: 4864
> So where do I define eth0 as WAN and LAN, as I only have one card
> in right now? I have a separate firewall box (IPCop) and it is
> configed correctly to allow port 80 access. I haven't set up port
> 10000 yet.
from webmin > networking > shorewall firewall > network interfaces
> My server is a PIII 500, BX chipset, with 640MB and a 9GB SCSI
> disk. Many things seem slow, like especially Webmin access. Is
> that because of the SCSI or the older CPU?
Mine's a little newer, a P3-800 and it is slow on some things, slower than the previous server incarnation, an SME server.
> Is there a guide for initial config on SOHO yet?
> I'm wondering when SOHO will go final, if ever. I seemed to have
> the most recent comment and that is in like 2 months. I realize
> that SimplyMepis is prepping for a new release.
> Brian
> (removed)
> Somewhere there is a village missing an idiot.

try
Posts: 373
I don't have this version of Mepis but perhaps in the meantime this command might help you.
Open a console as root and type:
/etc/init.d/shorewall stop
Later, try to restart the firewall with
/etc/init.d/shorewall start
I'm sure there is a nicer way to do this and that someone else will post it