Beta 9 Firewall Entry



    I was using BETA 10 with the ALIX Drivers on a CF until you suggested to get the HTTP Proxy working to move back to 9.

    A few recent power outages messed up the configuration, so I reinstalled Beta 9 and am trying to get my firewall back together, but no matter what I try, my final DROP ANY ANY entry is dropping everything, even if there is a previous match before it.

    I should probably note ETH01 is a NAT interface connected to a Comcast Cable Modem and is dynamically assigned an IP address. ETH00 is connected to a Linksys switch static at The two workstations are and

    For example, HTTP:

    0 0 ACCEPT tcp -- ETH01 ETH00 tcp spt:80
    0 0 ACCEPT tcp -- ETH01 ETH00 state ESTABLISHED tcp spt:80

    And the final entry in the table:

    0 0 LOG all -- * * limit: avg 10/min burst 15 LOG flags 0 level 4 prefix `FORWARD/041'
    0 0 DROP all -- * *

    From what I remember, these entries are identical to the old ones I had in BETA 10, but perhaps someone can point out a fundamental error or just a mistake.

    That is just a small example of what I am looking to accomplish; I have a ton of other entries that match the HTTP one but with other ports, but if we can get this one working I can get the others working.

    Thanks in advance,



    Try these:

    0 0 ACCEPT tcp -- ETH00 ETH01 tcp dpt:80
    0 0 ACCEPT tcp -- ETH01 ETH00 state ESTABLISHED tcp spt:80

    Note dpt:80 instead of spt:80 in the first rule.

    In any case, it makes no sense to put two rules for any protocol you would like to enable. You could substitute the second rule with the more generic one:




    Well, I had originally tried the rule with TCP 80 and ESTABLISHED in the same entry, but a colleague at work told me it looked like they were ANDing instead of ORing, and with the adoption of two separate rules they were ORing. Perhaps you could clarify that for me a bit more; I thought it didn’t make sense having 2 lines for 1 protocol either.


    And it would appear I have solved my problem.

    Instead of leaving the Source IP blank and letting it fill in, I was putting in without a /0; not sure if it is a syntax error or not, but that seemed to make it work... perhaps you could explain if not, no problems.
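To make the reply's spt:80 versus dpt:80 point and the ANDing/ORing question from the thread concrete, here is an added example (not code from the thread or from ZeroShell) that models the posted FORWARD chain with first-match semantics: all criteria on one rule are ANDed, while separate rules are tried in order. The sample packets and the ephemeral port 51234 are constructed; interface names follow the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of a FORWARD chain: every criterion on a single rule must
# hold (they are ANDed); rules are walked in order and the first matching
# terminating target decides, which is the "OR" the colleague described.
@dataclass
class Rule:
    target: str
    in_if: str = "*"
    out_if: str = "*"
    proto: str = "all"
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        return (self.in_if in ("*", pkt["in"]) and self.out_if in ("*", pkt["out"])
                and self.proto in ("all", pkt["proto"])
                and self.sport in (None, pkt["sport"])
                and self.dport in (None, pkt["dport"])
                and self.state in (None, pkt["state"]))

def verdict(chain: List[Rule], pkt: Dict[str, object]) -> str:
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "LOG":   # LOG is non-terminating; keep walking
                continue
            return rule.target
    return "POLICY"                    # fell off the end: chain policy applies

# Rules as posted (ETH01 = Comcast/NAT side, ETH00 = LAN side), and the fix from
# the reply: match the outbound request with dpt:80 on ETH00 -> ETH01.
TAIL = [Rule("LOG"), Rule("DROP")]
ORIGINAL = [Rule("ACCEPT", "ETH01", "ETH00", "tcp", sport=80),
            Rule("ACCEPT", "ETH01", "ETH00", "tcp", sport=80, state="ESTABLISHED")] + TAIL
FIXED = [Rule("ACCEPT", "ETH00", "ETH01", "tcp", dport=80),
         Rule("ACCEPT", "ETH01", "ETH00", "tcp", sport=80, state="ESTABLISHED")] + TAIL

# Constructed sample packets: a workstation's outbound request, the server's reply,
# and an unsolicited Internet packet that merely uses source port 80.
REQUEST = {"in": "ETH00", "out": "ETH01", "proto": "tcp", "sport": 51234, "dport": 80, "state": "NEW"}
REPLY = {"in": "ETH01", "out": "ETH00", "proto": "tcp", "sport": 80, "dport": 51234, "state": "ESTABLISHED"}
UNSOLICITED = {"in": "ETH01", "out": "ETH00", "proto": "tcp", "sport": 80, "dport": 445, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("unsolicited", UNSOLICITED)):
        print(f"{name:11s} original={verdict(ORIGINAL, pkt):6s} fixed={verdict(FIXED, pkt)}")
```

The original chain never matches the outbound request, so the packet falls through to the final DROP, while its stateless spt:80 rule accepts any inbound packet that happens to come from port 80; the corrected pair accepts the request and only ESTABLISHED replies.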
