Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem

[Tom Eastep]

On 10/04/2017 03:22 AM, Juha Leinonen wrote:
> Hi Tom,
> 
> Great, thanks. 
> 
> Can you tell me where I can track the progress of this bug report?
> 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877826

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem

[Juha Leinonen]

Hi Tom,

Great, thanks.

Can you tell me where I can track the progress of this bug report?

Br,
Juha

On Fri, Sep 29, 2017 at 11:28 PM, Tom Eastep  wrote:

> On 09/29/2017 12:41 PM, Juha Leinonen wrote:
> > Yes, in this case adding rule to SNAT file to change source IP of packet
> > traveling from Internet to local LAN.
> >
> >
>
> I have reproduced the problem and it does not appear to be a Shorewall
> issue. Will file a bug report.
>
> Regards,
> -Tom
> --
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>   \___
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem

[Tom Eastep]

On 09/29/2017 12:41 PM, Juha Leinonen wrote:
> Yes, in this case adding rule to SNAT file to change source IP of packet
> traveling from Internet to local LAN. 
> 
>

I have reproduced the problem and it does not appear to be a Shorewall
issue. Will file a bug report.

Regards,
-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem

[Juha Leinonen]

Yes, in this case adding rule to SNAT file to change source IP of packet
traveling from Internet to local LAN.

-Juha

29.9.2017 7.20 ip. "Tom Eastep"  kirjoitti:

On 09/29/2017 04:29 AM, Juha Leinonen wrote:
> Hi,
>
> I'm running Debian 9.1 with
> Linux 4.12.0-1-amd64 #1 SMP Debian 4.12.6-1 (2017-08-12) x86_64 GNU/Linux
> Shorewall version 5.0.15.6
>
> And I'm unable to get DNAT + SNAT + FTP helper combination working.
>
> DNAT + FTP Helper works, but when trying to get source IP address also
> changed traffic never passes to inside interface.
> Also combination DNAT + SNAT works, but then passive FTP doesn't work as
> conntrack is not following packets.
>
> Have anyone by any change happened to stumble into this? This has been
> working flawlessy with old 3.16 kernel and shorewall 4.x.
>

Just to clarify, I assume that when you add SNAT, you are adding an SNAT
rule that changes the source IP on packets leaving the local interface?

-Tom
--
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] DNAT+SNAT+FTP Helper Problem

[Tom Eastep]

On 09/29/2017 04:29 AM, Juha Leinonen wrote:
> Hi,
> 
> I'm running Debian 9.1 with
> Linux 4.12.0-1-amd64 #1 SMP Debian 4.12.6-1 (2017-08-12) x86_64 GNU/Linux
> Shorewall version 5.0.15.6
> 
> And I'm unable to get DNAT + SNAT + FTP helper combination working. 
> 
> DNAT + FTP Helper works, but when trying to get source IP address also
> changed traffic never passes to inside interface. 
> Also combination DNAT + SNAT works, but then passive FTP doesn't work as
> conntrack is not following packets. 
> 
> Have anyone by any change happened to stumble into this? This has been
> working flawlessy with old 3.16 kernel and shorewall 4.x.
> 

Just to clarify, I assume that when you add SNAT, you are adding an SNAT
rule that changes the source IP on packets leaving the local interface?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



signature.asc
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users