
SoHo Server and Shorewall


Someone I know has SoHo server beta and needs to turn off shorewall temporarily to run some tests. I don't have the program installed on anything now that I am not a part of the testing process, so I wonder if someone can tell me how to best disable it for a time, then turn it back on later.

Can it be done through Kmenu, System, Security? or does it have to be done via editing a script - and if so, which one.

Thanks in advance,

RossD.

try

I don't have this version of Mepis but perhaps in the meantime this command might help you.

Open a console as root and type:

/etc/init.d/shorewall stop

Later, try to restart the firewall with

/etc/init.d/shorewall start

I'm sure there is a nicer way to do this and that someone else will post it

Jon Du Quesne

Not Quite Aguerra

Aguerra, I haven't used shorewall either, but I just did a "man: shorewall" in Google (another nice thing it will do) and came across the main site and a FAQ:
http://www.shorewall.net/FAQ.htm

In looking for "stop", I found this helpful bit, and I quote:
(FAQ 7) When I stop Shorewall using "shorewall stop", I can't connect to anything. Why doesn't that command work?

The "stop" command is intended to place your firewall into a safe state whereby only those hosts listed in /etc/shorewall/routestopped are activated. If you want to totally open up your firewall, you must use the "shorewall clear" command.
(end quote)

Looks like there's more good stuff there too Smiling

Let us know how shorewall works out.

Jon

drlizau

shorewall

Use the webmin interface in SoHo, which is on the desktop.
Log in as root.
Go to the firewall, and one of the config options is to allow all connections. It isn't stop, and I've removed the shorewall so I can't just lean over to the other machine and find out what it's called....

Jon Du Quesne

Webmin, Good!

Yes Ross, drlizau's suggestion of webmin is a good one. When fiddling with multiple systems, it's nice to have it as a common interface (when a webmin module exists and works (sigh)).

I didn't realize that the webmin firewall interface tied into shorewall. Thanks for the clarification Liz.

Jon

clear firewall

That's the one you want. Just set up an IPsec VPN in it and it's working nicely. Next test is 3 NICs, 1 public and 2 local to seg. networks; if that all works this could be the best product since I first laid my hands on a Cisco Smiling

Networks and Consulting
www.bullerconsulting.com

Jon Du Quesne

Sounds Nice!

Bullerconsulting, when you get this configuration going, can you please post the details of the firewall, vpn, and other goodies that you have? It sounds like it would be a configuration that I could use with one of my clients too Smiling

Thanks

Jon

Sure!

It's all been tested internally; the real test comes (maybe) Wed when Verslofin (no free plugs) gets my new fiber line in.

Networks and Consulting
www.bullerconsulting.com

Jon Du Quesne

Good Luck!

I hope everything goes well and as planned. We've all had "interesting things" happen when you push the button during a demo. It's never fun to push the button and then say, "Hmmm..." Smiling

We here, will keep various appendages crossed!

Jon

SOHO problems with firewall

I'm having problems with Shorewall also. I set up Mepis SOHO test 2 to replace my Libranet webserver. I copied my site from /var/www and a few other key things like the http.conf. Loaded Mepis SOHO and then dropped my site back in.

Problem is I can't connect to the box on port 80 from outside my LAN. I could ssh in, run lynx from cli to connect to localhost:10000, but you miss buttons and stuff. It is near impossible to get anything fixed. I tried to add a new rule in shorewall to allow all connections to port 80, but it didn't work. I go to the server and click on the webmin button on the desktop and I get all kinds of SSL Cert. errors, but I am able to admin it. Another PC on my LAN is able to hit Webmin and the default site and ssh in also.

So I messed with Shorewall via Webmin, allowing all connections to port 80 and moved the rule up in the list, now the pc on the LAN can get webmin, but not ssh, not the default webpage and I can't do anything including ssh from outside the LAN. I'm confused. Can someone post whatever info about rule changes they made to make Mepis SOHO work as a webserver? I'd also like to be able to use webmin from outside the lan, since I'm going to move this box to someone else's house.

I'd hate to have to disable the local firewall, but do I have another choice?

Brian
Somewhere there is a village missing an idiot.

drlizau

took a while

We got this working eventually.
The first mistake I made was not realising that eth0 was defined as WAN and eth1 defined as LAN, so that if you only had one network card you were cut off from everything.
Have you an email address you can put here? As I am not going to publicly post my firewall rules Eye-wink

Jon Du Quesne

Temporarily Disable Firewall

Brian, I haven't worked much with shorewall, but just to make sure that the firewall's the culprit, disable it temporarily if doing so will not expose you to too many nasties! Disable and see if you can connect to port 80 and port 10000. Also, try it from the box itself (through localhost or 127.0.0.1). If it works, enable the firewall and try again.

I'm wondering if there might be some other web and or ssl config settings that need to be (re)tweaked.

And if you're trying to find the missing village idiot, try BASHING TOO BRICKS TOGEFFER and maybe J P Gumby will be attracted to the sound Smiling

Jon

SOHO problems with firewall

So where do I define eth0 as WAN and LAN, as I only have one card in right now? I have a separate firewall box (IPCop) and it is configured correctly to allow port 80 access. I haven't set up port 10000 yet.

My server is a PIII 500, BX chipset, with 640MB and a 9GB SCSI disk. Many things seem slow, like especially Webmin access. Is that because of the SCSI or the older CPU?

Is there a guide for initial config on SOHO yet?
I'm wondering when SOHO will go final, if ever. I seemed to have the most recent comment and that is in like 2 months. I realize that SimplyMepis is prepping for a new release.

Brian
(removed)
Somewhere there is a village missing an idiot.

drlizau

Re: SOHO problems with firewall

> So where do I define eth0 as WAN and LAN, as I only have one card
> in right now? I have a seperate firewall box (IPCop) and it is
> configed correctly to allow port 80 access. I haven't set up port
> 10000 yet.
From webmin > networking > shorewall firewall > network interfaces.

> My server is a PIII 500, BX chipset, with 640MB and a 9GB SCSI
> disk. Many things seem slow, like especially Webmin access. Is
> that because of the SCSI or the older CPU?

Mine's a little newer, a P3-800 and it is slow on some things, slower than the previous server incarnation, an SME server.

> Is there a guide for initial config on SOHO yet?
> I'm wondering when SOHO will go final, if ever. I seemed to have
> the most recent comment and that is in like 2 months. I realize
> that SimplyMepis is prepping for a new release.

> Brian
> (removed)
> Somewhere there is a village missing an idiot.

drlizau

email address

The email address I removed from the post gives me:
----- The following addresses had permanent fatal errors -----

(reason: 550 Host unknown)

----- Transcript of session follows -----
550 5.1.2 ... Host unknown (Name server: x.y.com: host not found)

shorewall and stuff

You needed to remove my reference to spam, i.e. noporkproduct, in order to email me.

I had a chance to disable the shorewall firewall by hitting the "clear" button on webmin from another box on the lan. After I got to work this morning, I can hit the default webpage from here. I could still use a look at a working shorewall ruleset that allows ftp and www.

If I restore my old website from my /home directory, do I need to restart Apache? I tried to restart Apache with "apache restart" from the cmd line once already and it said "no such command". I then realized that Apache ver. 2 is on there, guess it makes a difference. So I need the command to restart Apache2 or I'll go look it up.

Anyway, after I hit clear for the firewall, I tried to use putty to ssh to the server and it didn't work, WinSCP also failed. I think I have an idea why, but not sure how to fix it. Through Webmin, I changed a setting about generating keys for users and I may have initiated the generating of new keys for the system. So I'm wondering if I should find a way to delete the keys from the remote boxes I'm trying to connect from, so that it doesn't see a key mis-match. Thoughts? I did issue a SIGHUP for sshd from webmin to restart it. Still didn't work.

Brian
Somewhere there is a village missing an idiot.

drlizau

email resent.

apache2 has the command apache2 to restart (duh).
To delete ssh keys from the boxes you are using,
go to /home/user/.ssh/known_hosts and remove the ones you don't want. (Dunno about Windows boxen, though.)
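As an added example (not code from anyone in this thread), a small Python helper that does what Liz describes, dropping one host's entries from a known_hosts file, and also handles hashed entries (OpenSSH's HashKnownHosts format), which a grep for the hostname would miss. The sample file contents and the key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample known_hosts contents; the key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDER
webserver,192.168.1.1 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
fileserver ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDOTHERHOST
"""


def hashed_hostname(host, salt=None):
    """Build a '|1|salt|hash' host token the way OpenSSH's HashKnownHosts
    does: HMAC-SHA1 keyed with a 20-byte random salt over the hostname."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def entry_matches_host(entry_line, host):
    """True if a known_hosts line covers `host`, whether the host field is
    plain, a comma-separated list of names, or a hashed '|1|...' token."""
    fields = entry_line.split(None, 1)
    if not fields:
        return False
    hostfield = fields[0]
    if hostfield.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = hostfield.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(digest_b64)
        except (ValueError, TypeError):
            return False  # malformed token: leave the line alone
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hostfield.split(",")


def remove_host(known_hosts_text, host):
    """Return (kept_lines, removed_lines): every entry for `host` is dropped,
    so the client re-prompts for the server's new key on the next connect."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        if line.strip() and not line.startswith("#") and entry_matches_host(line, host):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed
```

Write `kept` back to ~/.ssh/known_hosts (after backing it up) to finish the job; PuTTY stores its host keys in the registry instead, so this only covers the Linux side.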

ssh problems continue

OK, I restarted the box to be sure that sshd was running. It was. I removed the stored keys on putty and winscp3 on XP box. No help. On the server, I am able to ssh to localhost and nmap shows that the server is listening on port 22. Anytime I attempt to connect from another PC to the server I get error "Server unexpectedly closed connection."

Shorewall has been cleared, that is so that port 80 can be open and respond to web requests. (Dr. Liz, I looked at your email and will try some stuff on Tues.) I bet the direct text editing will be faster than using webmin.

drlizau

ssh settings

You can get this error if you ssh in as root and have banned such connections,
i.e. ssh -l root -X 192.168.1.1
but if you have disallowed logging in as root (normal procedure) you will get "Server unexpectedly closed connection".

sshd

I had changed ssh to allow only root and one other user to login, but I changed that back to allow all. I did it from Webmin interface.
