I've just figured out what I was doing wrong. I feel about 3 inches high right about now.
Due to trying several different LEAF/LRP images, I had set my webserver's default gateway to 192.168.1.1, whereas the firewall's internal address is 192.168.1.254. The upshot of which is that the webserver won't reply to any requests from the internet, because its default gateway doesn't exist. A portscan won't pick the port up as open, because there's never going to be so much as an ACK in response. D'oh!

Much thanks to those who have helped to troubleshoot :)

Cheers
Richard

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Busby
> Sent: Tuesday, 9 April 2002 7:15 p.m.
> To: Tom Eastep
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] Bering and Port Forwarding
>
>
> Thanks Tom - my replies are below. If you (or anyone else) can suggest
> anything else I might try, that would be great :)
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > On Mon, 8 Apr 2002, [EMAIL PROTECTED] wrote:
> >
> > > /etc/Shorewall/params contains mostly the default options, except:
> > > Loc_tcp_ports1=80,3389 (=www and Win2k Terminal Services)
> > > server1=192.168.1.2 (=my webserver's internal address)
> > >
> > > When Shorewall starts, the Rule outputs are:
> > >
> > > Accept fw net tcp 53
> > > Accept fw net udp 53
> > > Accept net fw tcp 22
> > > Reject net fw tcp 113
> > > Accept loc fw tcp 22,80
> > > Accept loc fw udp 53
> > > Accept net loc:192.168.1.2 tcp 80,3389 - all
> > > Accept fw loc icmp 8
> > > Accept loc fw icmp 8
> > >
> > > I can access the Weblet (and ssh if I put sshd on) internally,
> > > as I'd expect. If I do a port scan from grc.com, AUTH shows
> > > up as closed rather than stealthed, which I'd also expect.
> > > However, HTTP shows up as stealthed, which I don't understand.
> > >
> >
> > Your Shorewall setup looks correct --
> >
> > a) When you attempt the port scan, does Shorewall report anything about
> > TCP port 80 in /var/log/messages?
>
> Yep. GRC's port scan probes the following ports:
> 21,23,25,79,80,110,113,135,139,143,443,445,5000. The first time I tried a
> portscan, there were messages in /var/log/messages for destination ports
> 5000,445,443,143,139 (in that order). Each message is reporting a dropped
> packet from the Net2all rule. A subsequent portscan only resulted in a
> message for the port 5000 attempt - still dropped from the Net2all rule.
>
> > b) After the port scan, if you do "shorewall show nat", does the packet
> > count for the port 80 DNAT rule show a non-zero packet count? How about
> > the port 80 rule in "shorewall show net2loc"?
>
> "Shorewall show nat" shows a packet count of 20 for the port 80 DNAT rule.
> "Shorewall show net2loc" shows a packet count of 109 for "state NEW tcp
> dpt:80"
>
> > If neither of these packet counts is non-zero, your ISP is most likely
> > dropping SYN TCP packets with destination port 80.
>
> I know this isn't the case because I've had a webserver running here up
> until last week.
>
> Cheers
> Richard
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
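The diagnosis worked through in this thread (the port 80 DNAT and net2loc counters climbing while the outside scan still reports the port stealthed, and the cause turning out to be a server default gateway that points at an address nobody answers on) can be written down as a small triage routine: count what the net2all chain dropped, read the two Shorewall counters, and decide which hop is losing the packet, then sanity-check the server's default route against the firewall's internal address. This is an added example, not code from the LEAF or Shorewall projects or from anyone on the thread; the netfilter LOG line layout (a `Shorewall:<chain>:<disposition>:` prefix followed by `KEY=VALUE` fields), the lower-case `net2all` chain name, the sample log lines and addresses, and the function names are all assumptions made for illustration.

```python
"""Triage helper for a port forward that looks "stealthed" from outside.

Added example, not LEAF/Shorewall code.  Assumed: the netfilter LOG line
layout ("Shorewall:<chain>:<disposition>:" prefix plus KEY=VALUE fields),
the chain name net2all, and the constructed sample addresses below.
"""
import ipaddress
import re
from collections import Counter

# Constructed /var/log/messages excerpt: TCP probes dropped by net2all on the
# ports the thread lists, plus one UDP line that the TCP filter must ignore.
SAMPLE_LOG = """\
Apr  9 19:02:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4401 DPT=5000 SYN
Apr  9 19:02:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4402 DPT=445 SYN
Apr  9 19:02:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4403 DPT=443 SYN
Apr  9 19:02:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4404 DPT=143 SYN
Apr  9 19:02:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4405 DPT=139 SYN
Apr  9 19:02:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=UDP SPT=4406 DPT=53
"""

# Assumed log layout: prefix "Shorewall:<chain>:<disposition>:" then the usual
# netfilter KEY=VALUE fields, of which PROTO= and DPT= are what we need.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[\w-]+):(?P<disp>[A-Z]+):"
    r".*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)

VERDICT_NO_RULE = "firewall dropped the probe: no rule matched the port"
VERDICT_UPSTREAM = "no SYN reached the firewall: check upstream (ISP) filtering"
VERDICT_FORWARD = "DNAT matched but net->loc did not accept: check forward rules"
VERDICT_RETURN_PATH = "firewall forwarded the SYN: server is not replying, check its default route"


def dropped_tcp_ports(log_text, chain="net2all"):
    """Count TCP destination ports that the given chain dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["chain"] == chain and m["disp"] == "DROP" and m["proto"] == "TCP":
            counts[int(m["dpt"])] += 1
    return dict(counts)


def triage(port, nat_packets, net2loc_packets, dropped):
    """Decide which hop loses the probe, from the counters the thread asks for.

    nat_packets     -- packet count on the port's DNAT rule ("shorewall show nat")
    net2loc_packets -- packet count on the port's net2loc rule
    dropped         -- result of dropped_tcp_ports() for the same scan
    """
    if dropped.get(port, 0) > 0:
        return VERDICT_NO_RULE          # the firewall itself refused it
    if nat_packets == 0 and net2loc_packets == 0:
        return VERDICT_UPSTREAM         # nothing ever arrived at the firewall
    if net2loc_packets == 0:
        return VERDICT_FORWARD          # rewritten but not accepted into loc
    return VERDICT_RETURN_PATH          # delivered; the reply never came back


def check_server_route(server_cidr, gateway, firewall_internal):
    """Return a list of problems with the server's default route (empty if fine)."""
    iface = ipaddress.ip_interface(server_cidr)
    gw = ipaddress.ip_address(gateway)
    fw = ipaddress.ip_address(firewall_internal)
    problems = []
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on the server's subnet {iface.network}")
    if gw != fw:
        problems.append(f"gateway {gw} is not the firewall's internal address {fw}")
    return problems


if __name__ == "__main__":
    dropped = dropped_tcp_ports(SAMPLE_LOG)
    print("dropped by net2all:", dropped)
    # The thread's numbers: 20 packets on the DNAT rule, 109 on net2loc.
    print(triage(80, nat_packets=20, net2loc_packets=109, dropped=dropped))
    # The thread's misconfiguration: server 192.168.1.2 with gateway
    # 192.168.1.1, while the firewall's inside address is 192.168.1.254.
    for p in check_server_route("192.168.1.2/24", "192.168.1.1", "192.168.1.254"):
        print("server route:", p)
```

With the thread's own counter values the triage lands on the return path, which is the right hop: both firewall counters prove the SYN was rewritten and forwarded, so the only place left for it to die is between the server and its next hop, and the route check then names the gateway mismatch directly. The same routine flags upstream filtering (both counters zero) and a non-matching rule (the port itself showing up in the net2all drops), which are the other two cases Tom's questions were designed to separate.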