dan wrote:
> more info. 
> when i start shorewall, i see this:
> 
>     Determining Hosts in Zones...
>        loc Zone: eth0:0.0.0.0/0 <http://0.0.0.0/0>
>        net Zone: eth1:0.0.0.0/0 <http://0.0.0.0/0>

Would you please post in plain text? HTML is for web pages; email should be
plain text. Your mailer has a particularly annoying habit of trying to make
HTML links out of everything that it thinks is an IP address; extremely
annoying. I edited them out of my last response but I'm leaving them in here
so you too can enjoy them.

> 
> is that an issue?  my loc is a private network 10.223.8.0
> <http://10.223.8.0>.  shouldn't the loc Zone: have eth0:10.223.8.0/23
> <http://10.223.8.0/23>?  the net Zone: should have 0.0.0.0/0
> <http://0.0.0.0/0> right?

This is Shorewall FAQ 9.

> 
> what also stands out is that in the messages list where it says MAC=  i get
> 
> MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00
> and as i understand it, first 6 or 'first destination' and the second 6
> octets are the 'NATed destination'  problem is that the second 6 octets
> are to an ip address on my "net" interface. so says arp. ?!? my rule
> clearly says from=net to=loc:10.223.8.10 <http://10.223.8.10>, why would
> this try to go out the net interface? 

What you are seeing is the Ethernet header from the INCOMING request. See
Shorewall FAQ 6d.

> unless my interfaces are not
> setup right.. i have tried putting the broadcast address in for the
> network interfaces from ifconfig, i have tried putting 'detect' in,
> still the same result.  no OUT= and a destination in MAC= that is on the
> wrong interface.
> 

As I explained in my last message, that is an INCOMING request whose
destination IP address is that of the firewall. If you think it should have
been forwarded to an internal system then your DNAT rule isn't matching what
is actually coming in; or, as I mentioned in my earlier post, the server
address 10.223.8.10 is wrong.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
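
Added example, not part of the original email: a short Python decoder for the two fields discussed in the thread, the 14-octet MAC= value (destination MAC, source MAC, EtherType of the received frame) and the empty OUT=. The log line is constructed around the MAC= value quoted above; the log prefix, addresses and ports are assumptions, and the path classification assumes the message was logged from the filter table.

```python
import re

# Constructed sample in the style of a Shorewall/netfilter LOG line. Only the
# MAC= value comes from the thread; prefix, addresses and ports are made up.
SAMPLE = ("Shorewall:net2all:DROP:IN=eth1 OUT= "
          "MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 "
          "SRC=192.0.2.7 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40000 DPT=80")

ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}

def parse_fields(line):
    """Return the KEY=value tokens of a LOG line as a dict (empty values kept)."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def decode_mac(mac):
    """Split the 14-octet Ethernet header logged in MAC= into its three parts."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (dst MAC + src MAC + EtherType)")
    ethertype = "".join(octets[12:]).lower()
    return {"dst_mac": ":".join(octets[:6]),      # interface that received the frame
            "src_mac": ":".join(octets[6:12]),    # neighbour that sent the frame
            "ethertype": ETHERTYPES.get(ethertype, "0x" + ethertype)}

def classify(fields):
    """Infer the packet's path from which of IN= / OUT= is populated.
    Assumes the line was logged from the filter table."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forwarded through the firewall"
    if has_in:
        return "addressed to the firewall itself (not forwarded)"
    if has_out:
        return "generated by the firewall"
    return "unknown"

def explain(line):
    """Combine the path classification with the decoded Ethernet header."""
    fields = parse_fields(line)
    result = {"path": classify(fields)}
    if fields.get("MAC"):
        result.update(decode_mac(fields["MAC"]))
    return result

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key:10} {value}")
```

A source MAC that belongs to a host on the net side is therefore expected for traffic arriving on the net interface; it is the sender of the incoming frame.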
