more info.
When I start Shorewall, I see this:
> Determining Hosts in Zones...
> loc Zone: eth0:0.0.0.0/0
> net Zone: eth1:0.0.0.0/0
>
Is that an issue? My loc is a private network, 10.223.8.0. Shouldn't the
loc Zone: have eth0:10.223.8.0/23? The net Zone: should have 0.0.0.0/0, right?
What also stands out is that in the messages list where it says MAC= I get
MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00
and as I understand it, the first 6 octets, or 'first destination', and the second 6
octets are the 'NATed destination'. The problem is that the second 6 octets
belong to an IP address on my "net" interface, so says arp. ?!? My rule clearly
says from=net to=loc:10.223.8.10, so why would this try to go out the net
interface? Unless my interfaces are not set up right.. I have tried putting
the broadcast address in for the network interfaces from ifconfig, I have
tried putting 'detect' in, still the same result: no OUT= and a destination
in MAC= that is on the wrong interface.
Thanks for any help.
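The log line discussed in this thread can be decoded mechanically. The Python below is an added example (not from the thread and not Shorewall's own code): it parses a Shorewall LOG line and splits the 14-octet MAC= field the way the kernel writes it for Ethernet, destination MAC, then source MAC, then the 2-octet EtherType (08:00 is IPv4), and it reports which netfilter hook logged the packet from which of IN= and OUT= are set. The sample line is constructed; its MAC= value is the one quoted above, and the IP addresses are documentation-range placeholders.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict

# Constructed sample line in the format the netfilter LOG target writes and
# Shorewall prefixes with chain:disposition. The MAC= value is the one quoted in
# the thread; the IP addresses are documentation-range placeholders.
SAMPLE = ("Shorewall:net2fw:DROP:IN=eth1 OUT= "
          "MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 "
          "SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
          "ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0")

@dataclass
class MacField:
    dst_mac: str      # first 6 octets: destination MAC of the received frame
    src_mac: str      # next 6 octets: source MAC (the previous hop's NIC)
    ethertype: int    # last 2 octets: EtherType, 0x0800 for IPv4

def parse_mac_field(mac: str) -> MacField:
    """Split the 14 octets of an Ethernet MAC= field; NAT plays no part here."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    return MacField(":".join(octets[:6]), ":".join(octets[6:12]),
                    int(octets[12] + octets[13], 16))

def parse_shorewall_log(line: str) -> Dict[str, Any]:
    """Return the chain, disposition and key=value fields of one log line.
    Bare flags such as DF or SYN are stored as True; OUT= with no value as ''."""
    m = re.search(r"Shorewall:([^:\s]+):([^:\s]+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields: Dict[str, Any] = {"chain": m.group(1), "disposition": m.group(2)}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    if fields.get("MAC"):
        fields["mac"] = parse_mac_field(fields["MAC"])
    # Which netfilter hook logged it: only IN= set means INPUT (the packet was
    # addressed to the firewall itself), both set means FORWARD, only OUT= set
    # means OUTPUT. A packet DNATed and then forwarded is logged with both set.
    if fields.get("IN") and fields.get("OUT"):
        fields["hook"] = "FORWARD"
    elif fields.get("IN"):
        fields["hook"] = "INPUT"
    else:
        fields["hook"] = "OUTPUT"
    return fields

if __name__ == "__main__":
    parsed = parse_shorewall_log(SAMPLE)
    print(parsed["chain"], parsed["hook"], parsed["mac"])
```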
On Wed, Mar 12, 2008 at 8:18 AM, dan <[EMAIL PROTECTED]> wrote:
> more info
>
> Tom: again, I went through that part of the FAQ. I noticed that my OUT=
> in the logs is blank. Shouldn't that be my interface for 'loc' since the
> route is set for a destination of loc:10.223.8.10?
> here:
>
> > Shorewall:net2fw:DROP:IN=eth1 *OUT=* MAC=00:e0:81:75:54:8f:00
> >
>
> Here are my interfaces:
>
> #ZONE INTERFACE BROADCAST OPTIONS
> loc eth0 auto routeback
> net eth1 auto
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> And my rules:
>
> SECTION NEW
> Telnet/DNAT:info net loc:10.223.8.10
> FTP/DNAT:info net loc:10.223.8.10
> DROP:info net all tcp 3128
> DROP:info net all udp 3128
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> And my policy:
>
> fw loc ACCEPT
> fw net ACCEPT
> loc fw ACCEPT
> loc net ACCEPT
> net loc ACCEPT
> net fw ACCEPT
> #LAST LINE -- DO NOT REMOVE
>
> I know, policy is not an acceptable default, but I didn't want the REJECT on
> net -> fw and net -> loc to get in the way during my troubleshooting.
>
> On Wed, Mar 12, 2008 at 7:57 AM, dan <[EMAIL PROTECTED]> wrote:
>
> > Tom, I did go through the FAQs 1a and 1b but will try again; maybe a
> > night's sleep will improve my view.
> >
> > Unfortunately my software vendor for some old software on an Alpha
> > server can only use telnet and ftp to do updates and maintenance on my
> > ancient software system. I protested a great deal about having open telnet
> > access, but they gave me an ultimatum of "give us access the way we want" or
> > "we won't support your old software and you're on your own with our proprietary
> > poorly designed junk". I may have taken some liberties in quoting their
> > response :)
> >
> > I will at least limit the DNAT to their IP address as the source. I was
> > thinking of putting some kind of ssh/terminal emulator in a browser, but I
> > need VT400 emulation, which I can't find in a Java terminal emulator. The
> > vendor is afraid of PuTTY for some reason :( and won't use a VPN to get to me
> > :(
> >
> > On Tue, Mar 11, 2008 at 4:53 PM, Tom Eastep <[EMAIL PROTECTED]>
> > wrote:
> >
> > > dan wrote:
> > >
> > > > Any help would be awesome. Thanks.
> > >
> > > Please follow the troubleshooting steps in Shorewall FAQs 1a and 1b.
> > >
> > > -Tom
> > >
> > > PS Are you *sure* that you want to use telnet across the internet?
> > > It's a very silly thing to do from a security point of view, which is
> > > why SSH was invented.
> > > --
> > > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > > Shoreline, \ http://shorewall.net
> > > Washington USA \ [EMAIL PROTECTED]
> > > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users