Hi All, I have used Shorewall many times in the past and it has always worked very nicely. This time, however, it is not working.
In the past I have set up rules to allow access to servers in non-routable private IP space using DNAT and such. This time I'm trying to replace a firewall that routes traffic to public-type addresses. Our colo has allocated two sets of IP space for us. The zones for each of these are called "lan" and "opt". Traffic to these public-type IP addresses goes through the existing router that I'm trying to replace.
I have made the policy file wide open to accept traffic between all net2opt, net2lan, lan2net, lan2opt zones.
When we try to plug it in, I see traffic from lan2opt and opt2lan is traversing just fine. I can ping from the $FW to the "net" zone so I know connectivity is there.
Trying to access anything behind the Shorewall firewall, though, does not get through. I would expect to see in the logs a message saying ACCEPT, DROP, or REJECT from the "net2loc" or "net2opt" zones, but I get nothing.
Since traffic should go through the firewall to public-type IP addresses, I had removed everything from the "masq" file. There shouldn't be masquerading going on, just routing packets from the "net" to "opt" or "lan". So when someone types in our website address, a DNS server will provide the IP and the client should go to that IP with no DNAT'ing, just a straight-through forward.
I have tried on an alternate network to route traffic, and it does route when NATting to non-routable IP space. I know the server will route between networks. I even did a tcpdump and I do see that packets are hitting the outside IP destined for IP addresses behind the firewall. I thought maybe the colo might have access control lists on our firewall's MAC, so I even went so far as to spoof my new firewall's MAC address to match the old firewall, and no luck. I even tried /sbin/shorewall clear and no luck. Maybe a kernel param?
Is there something in my shorewall.dump that shows why connections from the net would be blocked and not logged at all? If there's any more info anyone needs, please let me know.
Attached is a dump (status.txt.gz). Thank you, Mitch
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
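The post asks whether a kernel parameter could be dropping forwarded traffic before Shorewall logs it. The following script is an added example, not part of the original thread or of Shorewall itself: it checks the two kernel settings that discard forwarded packets before they ever reach the FORWARD chain, so nothing appears in the Shorewall log. Those are net.ipv4.ip_forward (Shorewall manages it through IP_FORWARDING in shorewall.conf) and per-interface rp_filter, where the kernel applies the larger of conf/all and conf/<interface> (0 off, 1 strict, 2 loose). The sysctl root is a parameter so the function can be run against a constructed directory tree; the interface names eth0/eth1 in the usage comment are placeholders.

```shell
#!/bin/sh
# Hypothetical helper (added example): audit kernel settings that silently
# drop forwarded packets before netfilter's FORWARD chain sees them.
#
# Usage: sh audit_forward.sh /proc/sys/net/ipv4 eth0 eth1
#   $1      sysctl root (normally /proc/sys/net/ipv4)
#   $2...   interfaces the firewall forwards between
# Exit status 0 means forwarding is on and no interface is in strict
# reverse-path mode; 1 means at least one finding needs attention.

read_param() {
    # Print the file's value, or the supplied default if it is unreadable.
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

audit_forwarding() {
    root="$1"
    shift
    rc=0

    fwd=$(read_param "$root/ip_forward" 0)
    if [ "$fwd" = "1" ]; then
        echo "ok   ip_forward=1"
    else
        echo "FAIL ip_forward=$fwd (kernel will not forward; check IP_FORWARDING in shorewall.conf)"
        rc=1
    fi

    all_rp=$(read_param "$root/conf/all/rp_filter" 0)
    for ifc in "$@"; do
        if_rp=$(read_param "$root/conf/$ifc/rp_filter" 0)
        # The kernel uses the maximum of conf/all and conf/<interface>.
        eff=$if_rp
        [ "$all_rp" -gt "$eff" ] && eff=$all_rp
        case "$eff" in
            0) echo "ok   $ifc rp_filter=0 (off)" ;;
            2) echo "ok   $ifc rp_filter=2 (loose)" ;;
            *) echo "WARN $ifc rp_filter=$eff (strict: packets whose source is not routed back via $ifc are dropped with no netfilter log)"
               rc=1 ;;
        esac
    done

    # Strict-mode drops are visible only if martian logging is enabled.
    lm=$(read_param "$root/conf/all/log_martians" 0)
    [ "$lm" = "1" ] || echo "note conf/all/log_martians=0; set it to 1 to see rp_filter drops in the kernel log"

    return $rc
}

if [ $# -ge 2 ]; then
    audit_forwarding "$@"
fi
```

If both checks pass and the FORWARD chain still shows nothing, the next thing to verify is the route the kernel picks for the inbound packet, e.g. `ip route get <dst> from <src> iif <net-interface>`: a destination with no matching route is answered with ICMP unreachable and never enters netfilter either.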
