jon wrote:
> Hi All,
>
> Ran across a weird one today that I can't wrap my head around.
>
> This is a pretty standard two-NIC setup with eth0 being the WAN and eth1
> being LAN-side. A workstation on the LAN side (10.0.50.144 assigned by
> DHCP) cannot go to a particular website at 161.184.172.35. This
> workstation can surf to any other website I can think of, and pings to
> the troublesome website return the proper IP address. Shorewall rejects
> requests to go to that website under the all2all policy:
>
> Jan 31 12:37:15 d205-206-104-186 kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144
> DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF
> PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> I've attached my status file gzipped as indicated.
>
> I didn't build this box so "totally out there" postulations are welcome
> and I will investigate them all.
>

The destination host (161.184.172.35) is defined to be in the 'admin' zone
and loc->admin connections are disallowed by your configuration.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
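
An added example, not part of the original thread or of Shorewall itself: it parses the REJECT line quoted above and maps the packet to its source and destination zones, which is the check behind the loc->admin diagnosis. The zone table, including the admin network 161.184.172.0/24, is an assumption (the attached status file is not shown), and the function names are hypothetical.

```python
import ipaddress
import re

# The REJECT line quoted in the thread, joined onto one line.
LOG_LINE = (
    "Jan 31 12:37:15 d205-206-104-186 kernel: "
    "Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144 "
    "DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF "
    "PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Hypothetical zone table, most specific zone first. The thread does not show
# the real zone definitions, so the admin network below is an assumption.
ZONES = [
    ("admin", "eth0", "161.184.172.0/24"),
    ("loc", "eth1", "0.0.0.0/0"),
    ("net", "eth0", "0.0.0.0/0"),
]


def parse_log(line):
    """Return chain, disposition and KEY=VALUE fields of a Shorewall log line."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    # Bare flags such as DF and SYN carry no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"chain": m.group(1), "disposition": m.group(2), **fields}


def zone_of(interface, address):
    """Return the first zone whose interface and network contain the address."""
    ip = ipaddress.ip_address(address)
    for name, iface, net in ZONES:
        if iface == interface and ip in ipaddress.ip_network(net):
            return name
    return None


def explain(line):
    """Map a logged packet to its source->destination zone pair."""
    pkt = parse_log(line)
    src = zone_of(pkt["IN"], pkt["SRC"])
    dst = zone_of(pkt["OUT"], pkt["DST"])
    return f"{src}->{dst} {pkt['disposition']} via {pkt['chain']}"


if __name__ == "__main__":
    print(explain(LOG_LINE))
```

A chain name of all2all in the log means no more specific policy matched the zone pair, so resolving the pair from IN/OUT and SRC/DST shows which policy entry is missing.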
