On 8/15/07, Brad Bendily <[EMAIL PROTECTED]> wrote:
> Maybe I have missed something easy.
> So, before I post my dump etc., I wanted to see if I could explain the problem
> and get pointed to a direction I can go dig into.
>
> On my Gentoo Linux 2.6.20 kernel iptables firewall with Shorewall 3.4.2,
> I have two onboard ports and two PCIx cards with 2 ports each.
>
> So, eth0-eth4 are used.
>
> eth0 is the internet connection from our ISP's switch.
>
> eth4 is a DMZ with 1 machine connected, zone called web4. That machine has an
> internal address of 10.4.4.4.
>
> From an external system (my house) I can connect to the web server on
> that system in web4 and everything works correctly. I can browse
> the web server with no problems.
>
> The problem is, from that system (web4) I cannot connect to any system
> outside the firewall. After running tcpdump on the fw and my
> destination server (which is another system on the internet) I see
> that the source IP address is 10.4.4.4. So I realize the packet cannot
> be returned to 10.4.4.4, because obviously my internet based system
> does not know how to talk back to the 10.x address.
Did you check your masquerading settings? Sounds like that is not turned on for eth4 anymore.

~David

> So, the firewall is passing the 10.4.4.4 address out on the internet
> to my destination address.
>
> We had an older Shorewall 1.x running on the firewall at one time,
> then last Sunday I changed it out with a new box running Gentoo and
> Shorewall 3.4.2.
> Have I configured something wrong for Shorewall 3.4.2?
>
> I was reading through the man file for shorewall-interfaces.
> I don't have any of the options set like routefilter, logmartians,
> routeback or proxyarp.
> Maybe I need to set one of these?
>
> cat /proc/sys/net/ipv4/conf/eth4/rp_filter
> 1
>
> cat /proc/sys/net/ipv4/conf/eth0/rp_filter
> 1
>
> Any help would be greatly appreciated.
>
> Thanks
> Brad B.
>
> --
> Have Mercy & Say Yeah
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
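Checking the point David raises, as an added example that is not from this thread or from the Shorewall project: assuming the DMZ is 10.4.4.0/24 behind eth4 and eth0 is the uplink, the script below shows the /etc/shorewall/masq entry that would cover the DMZ and a small POSIX shell check over the kernel's nat POSTROUTING listing (a constructed sample listing is embedded so it runs offline; the function names are my own).

```shell
#!/bin/sh
# Added example: verify that traffic from the DMZ network (assumed to be
# 10.4.4.0/24 behind eth4) is actually source-NATed out of eth0.
# Shorewall 3.x builds its NAT rules from /etc/shorewall/masq; if the DMZ
# entry is missing, no MASQUERADE/SNAT rule for that network exists in the
# kernel's nat POSTROUTING chain, and 10.4.4.4 leaks onto the Internet,
# which is the symptom described in the thread.
#
# The /etc/shorewall/masq line that would cover the DMZ (assumed fix):
#   #INTERFACE   SOURCE        ADDRESS
#   eth0         10.4.4.0/24
# or, to masquerade everything arriving via eth4:
#   eth0         eth4

# Constructed sample of `iptables -t nat -S POSTROUTING` on a firewall
# where only a LAN on eth1 is masqueraded and the DMZ entry is missing.
SAMPLE_MISSING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

# Constructed sample after the masq entry is added and shorewall restarted.
SAMPLE_FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.4.4.0/24 -o eth0 -j MASQUERADE'

# dmz_is_natted NET OUT_IF LISTING
# Returns 0 if LISTING (iptables -S output) has a MASQUERADE or SNAT rule
# for source NET leaving via OUT_IF, 1 otherwise.
dmz_is_natted() {
    net=$1; oif=$2; listing=$3
    printf '%s\n' "$listing" |
        grep -E -- "^-A POSTROUTING .*-s $net .*-o $oif .*-j (MASQUERADE|SNAT)" \
        >/dev/null
}

# check_dmz NET OUT_IF [LISTING]
# Without LISTING it reads the live nat table (needs root and iptables).
check_dmz() {
    net=$1; oif=$2
    listing=${3:-$(iptables -t nat -S POSTROUTING 2>/dev/null || true)}
    if dmz_is_natted "$net" "$oif" "$listing"; then
        echo "OK: $net is NATed out $oif"
        return 0
    fi
    echo "MISSING: no MASQUERADE/SNAT rule for $net via $oif; check /etc/shorewall/masq"
    return 1
}
```

Run `check_dmz 10.4.4.0/24 eth0` as root on the firewall to test the live table; both constructed samples can be passed as the third argument to see the two outcomes.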
