Guilsson . wrote:
> I have 2 firewalls with 8 interfaces each in HA. Two of their interfaces
> are CORPorate and DMZ.
>
> Since I have some devices in DMZ with different default gateways (some
> point to FW1 and others to FW2), I needed to create a quite complex
> setup of inclusions/exclusions and source/destination to allow video
> conferencing devices to go directly to the GateKeeper in DMZ, without
> NAT.
>
> Sometimes VC registered in GK with the FW's IP, sometimes registered
> with the VC's IP (corporate IP, the correct one).
> I've spent several hours troubleshooting this situation.
>
> Restarting Shorewall and un/re-registering the VC, the situation
> changed randomly.
> There is a mix of several VC devices (around 30). Different models,
> brands, even some PCs with Netmeeting.
> Even cleaning all entries in MASQ to/from CORP and DMZ, strange things
> happened.
> I got almost crazy.
>
> I had just migrated this firewall from Fedora Core 3 (Shorewall
> 2.x) to Fedora 8 (Shorewall 4.x).
> Before, the same rules were applied and everything worked fine.
>
> When I noticed that WITHOUT any masqs some devices still registered
> with a NATed IP, I went further and discovered:
> - 2 Netfilter modules are loaded by default in Fedora 8
> --- nf_nat_h323
> --- nf_conntrack_h323
>
> Unloading (modprobe -r) them, just like magic, everything went back to
> normal operation. My masq entries worked as they should.
>
> Two doubts:
> 1) Every shorewall restart loads these two modules again. How can I
> configure Shorewall to not load them?

copy /usr/share/shorewall/modules to /etc/shorewall/modules, then edit that new file, # out what you don't want. restart

> 2) Why, even without masq entries, some devices got NATed (modules problem?) ?

That would need a dump to make sense of (maybe). Above might just straighten it all out for you.

Jerry

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
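An added example (not from the thread, and not Shorewall's own code) of the edit Jerry describes: copy the stock modules file to /etc/shorewall/modules, comment out the `loadmodule` lines for the H.323 helpers, restart, and then confirm the helpers really stayed unloaded. nf_nat_h323 is the H.323 NAT helper that rewrites addresses carried inside the signalling payload, so on a firewall that is meant to pass the VC registrations unmodified it is worth verifying it is gone after every restart rather than assuming the config edit took. The `loadmodule <name>` line format is the Shorewall 4.x convention; the sample file below is constructed for the demo and is not the real /usr/share/shorewall/modules, and the paths are parameters so the script can be exercised in a temp directory before touching the live config.

```shell
#!/bin/sh
# Added example: disable selected Shorewall kernel-module loads by copying the
# stock modules file to the override location and commenting out 'loadmodule'
# lines. Not the project's own tooling; assumes the 'loadmodule <name> [opts]'
# line format used by Shorewall 4.x modules files.

# disable_modules SRC DST MODULE... : copy SRC to DST, then comment out every
# 'loadmodule MODULE' line in DST (exact module name, optional trailing options).
disable_modules() {
    src="$1"; dst="$2"; shift 2
    cp "$src" "$dst" || return 1
    for mod in "$@"; do
        tmp="$dst.tmp"
        # Two expressions keep this POSIX sed: name at end of line, or name
        # followed by whitespace (module options). Leading indentation is kept.
        sed -e "s/^\([[:space:]]*\)loadmodule[[:space:]][[:space:]]*${mod}\$/\1# loadmodule ${mod}/" \
            -e "s/^\([[:space:]]*\)loadmodule[[:space:]][[:space:]]*${mod}\([[:space:]]\)/\1# loadmodule ${mod}\2/" \
            "$dst" > "$tmp" && mv "$tmp" "$dst" || return 1
    done
}

# active_count FILE MODULE : number of still-active (uncommented) loadmodule
# lines for MODULE. Prints 0 when none remain.
active_count() {
    grep -cE "^[[:space:]]*loadmodule[[:space:]]+$2([[:space:]]|\$)" "$1" || true
}

# helper_loaded MODULE : succeeds if MODULE is currently in the running kernel.
# Run this after 'shorewall restart' to confirm the edit actually took.
helper_loaded() {
    grep -qE "^$1[[:space:]]" /proc/modules
}

# make_sample FILE : write a constructed stand-in for the stock modules file.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the real /usr/share/shorewall/modules
loadmodule nf_conntrack
loadmodule nf_conntrack_ftp
loadmodule nf_nat_ftp
loadmodule nf_conntrack_h323
loadmodule nf_nat_h323
loadmodule iptable_nat
EOF
}

# demo : run the whole procedure against the sample in a temp directory.
# For the real system you would call:
#   disable_modules /usr/share/shorewall/modules /etc/shorewall/modules \
#       nf_conntrack_h323 nf_nat_h323
#   shorewall restart
#   helper_loaded nf_nat_h323 && echo "still loaded" || echo "gone"
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/modules.stock"
    disable_modules "$d/modules.stock" "$d/modules" nf_conntrack_h323 nf_nat_h323
    echo "--- resulting $d/modules ---"
    cat "$d/modules"
    for m in nf_conntrack_h323 nf_nat_h323; do
        echo "$m active loadmodule lines: $(active_count "$d/modules" "$m")"
    done
    rm -rf "$d"
}

# Invoke as: sh this_script.sh demo
[ "${1-}" = "demo" ] && demo
```

The restart itself and `helper_loaded` are the part that matters operationally: the override file only stops Shorewall from loading the helpers, so anything else on the box that pulls them in (a udev rule, another service) would bring the NAT-by-helper behaviour straight back, and a post-restart check against /proc/modules is how you notice that.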
