First, sorry for the delay, but my ISP decided to do maintenance and I was out for hours.

If you did not build your own kernel, the distro you are using probably loaded the ethernet card drivers as modules.

Like I said, I have never used Shorewall, but here is what I did find in your rules:


INPUT chain: (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere

Why have a default policy of drop when the first rule is to accept everything?
The other rules following rule 1 will not be used, as the packet is already accepted; it will now move to the postrouting (built-in) table.

Same as above for the output chain.

Chain FORWARD (policy DROP)
num target prot opt source destination
1 DROP !icmp -- anywhere anywhere state INVALID

The first rule for this table (used to send packets from the Internet to boxes inside the LAN and from inside the LAN to the Internet) says everything NOT icmp that is not associated with a known connection gets dropped. You cannot make a connection to anything, because only packets which are already established would be accepted, but they can't be established because it drops any packets trying to make a connection, since they are not established (did that make sense?).
The only packets that could get through to the next rule in the FORWARD table would be icmp.


I also see no rules for the eth1_in, eth0_in, eth1_fwd, eth0_fwd, fw2net, fw2loc targets, but hey, at this point nothing really important will reach them.

Remember, simplified, the packets will flow down the table rules until one hits a wall (DROP or REJECT), is passed to another table (by a jump), is returned to a previous table (by RETURN), or is passed to the next built-in table (for example, an ACCEPT in the INPUT table would then pass the packet to the POSTROUTING table, and if there was no rule there to stop it, it would go to its destination). A packet that goes to the FORWARD table (from the PREROUTING table) will never see the INPUT or OUTPUT table.

Hope this helps.
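As an added illustration (my own code, not part of the reply above or of Shorewall): a small first-match simulator for a single netfilter chain, with the two chains from the listing entered by hand, plus a check that flags rules made unreachable by an earlier catch-all terminating rule. The Rule fields and the eth0_in/eth1_in style targets used as stand-ins are assumptions for the example.

```python
# Added example: first-match traversal of one netfilter chain, plus a lint for
# rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT.
from dataclasses import dataclass

TERMINATING = ("ACCEPT", "DROP", "REJECT")


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, REJECT or a user chain name
    proto: str = "all"                # "all", "tcp", "udp", "icmp"
    negate_proto: bool = False        # models the "!icmp" form in the listing
    states: frozenset = frozenset()   # conntrack states matched; empty = any state

    def matches(self, proto: str, state: str) -> bool:
        proto_ok = self.proto == "all" or ((self.proto == proto) != self.negate_proto)
        state_ok = not self.states or state in self.states
        return proto_ok and state_ok


def walk_chain(rules, policy, proto, state):
    """Return (verdict, 1-based index of the rule that fired); index None means
    no rule matched and the chain policy applied."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(proto, state):
            return rule.target, i
    return policy, None


def shadowed_rules(rules):
    """1-based indexes of rules that can never fire because an earlier rule
    matches every packet and terminates the chain (the INPUT chain problem)."""
    for i, rule in enumerate(rules, start=1):
        if rule.proto == "all" and not rule.states and rule.target in TERMINATING:
            return list(range(i + 1, len(rules) + 1))
    return []


# Constructed chains mirroring the listing in the post; the rules after rule 1
# stand in for the eth0_in / eth0_fwd style jumps (assumed, not from the post).
INPUT_RULES = [Rule("ACCEPT"), Rule("eth0_in"), Rule("eth1_in")]
FORWARD_RULES = [
    Rule("DROP", proto="icmp", negate_proto=True, states=frozenset({"INVALID"})),
    Rule("eth0_fwd"),
    Rule("eth1_fwd"),
]

if __name__ == "__main__":
    print("INPUT, tcp NEW:", walk_chain(INPUT_RULES, "DROP", "tcp", "NEW"))
    print("INPUT shadowed rules:", shadowed_rules(INPUT_RULES))
    print("FORWARD, tcp INVALID:", walk_chain(FORWARD_RULES, "DROP", "tcp", "INVALID"))
    print("FORWARD, icmp INVALID:", walk_chain(FORWARD_RULES, "DROP", "icmp", "INVALID"))
```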