
Re: Stopping the Shorewall firewall stops my Internet connection



Jason Hsu put forth on 3/3/2011 10:08 PM:
> My setup:
> Modem -> Firewall/server computer -> Ethernet switch -> Main computer
> 
> The firewall/server computer has Shorewall (firewall), DNSMasq, DHCP3 Server, and SSH.
> 
> I'm trying to troubleshoot why I'm unable to connect to my network from another location by using SSH.  But that's not the subject of this post.  This problem is what led me to try stopping the Shorewall firewall.

You must open TCP 22 on the public interface.  If you then want to SSH
into your "main computer" you would use the SSH client on the Shorewall
box.  If you want to SSH directly into your "main computer" from a
remote location, select a high TCP port on the public interface and
forward it to TCP 22 at the IP address of the "main computer".  From
your remote computer, you will then have to specify the SSH TCP port
manually when connecting to the "main computer".

> When I stop the Shorewall firewall, I'm unable to connect to the Internet from the main computer.  However, I'm still able to connect to the Internet from the firewall/server computer.  (I'm able to ping yahoo.com from the firewall/server computer with 0% packet loss.  However, when I try to ping yahoo.com from the main computer, I get 100% packet loss.)
> 
> When I start the Shorewall firewall, the main computer's Internet access is restored.
> 
> What's going on?  How can turning OFF a firewall block Internet access?  I thought that the purpose of a firewall is to BLOCK connections, not MAKE connections.

This is wholly dependent on how the firewall software is designed.  If
NAT is part of the design, which it almost always is these days, turning
off NAT kills access to the outside world for internal PCs, though the
firewall box itself still has full access to the external interface.
This is likely what happened in your case.

I'm not a shorewall user, but given it's Linux based, I'm guessing when
you shut it down it executes a script that clears all the iptables
rules, thus killing NAT, and external connectivity at your "main
computer".  When you restart shorewall it repopulates the iptables rules
via a shell script and everything works once more.

-- 
Stan
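
Added example, not part of the original message and not Shorewall's own tooling: a shell check that reads `iptables-save` output and reports whether source NAT (the rule LAN hosts depend on) and any port-forward DNAT rule are loaded. The two rule dumps are constructed samples; `eth0`/`eth1`, `192.168.1.10` and port 2222 are assumptions.

```shell
# Constructed iptables-save output with NAT loaded (eth0 = public side, assumed).
RULES_RUNNING='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Constructed output for the same box after every rule has been flushed.
RULES_CLEARED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT'

# nat_summary: read iptables-save text on stdin and print "snat=<n> dnat=<n>".
# Only rules inside the nat table are counted.
nat_summary() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ { snat++ }
        table == "nat" && /^-A PREROUTING / && /-j DNAT/ { dnat++ }
        END { printf "snat=%d dnat=%d\n", snat, dnat }
    '
}

# lan_has_nat: exit 0 if at least one source-NAT rule is present on stdin.
lan_has_nat() {
    case "$(nat_summary)" in
        "snat=0 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# On a live firewall box (as root): iptables-save | nat_summary
```

Running it before and after stopping the firewall shows whether the NAT rules are what disappeared; `snat=0` with working connectivity from the firewall box itself matches the symptom described in the thread.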

