Brian, I'm in charge of the machine ks309069.kimsufi.com and I thought I hadn't configured Shorewall correctly (it's the first time I'm using it). Do you mean the packet filtering has been applied outside Shorewall? This host is running Proxmox and is not filtering port 80 for the non-fully virtualized guests (through venet0). The problem arises only when I want to access the KVM guests, which are accessed through vmbr0.

Maybe I'm back to the problem related to the fact that our hosting company (OVH) has disabled bridging. I thought I had solved it by following this guide http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/ which exposes a way to circumvent that restriction by doing this on vmbr0:

- assign an IP address used as the gateway for all dmz KVM guests
- remove the bridge ports

and using NAT with the help of Shorewall. I also enabled proxy arp for 10.0.0.4.

Well, I guess I need to dig a bit deeper!

Thank you,
Eric.

On 12/21/2009 9:53 AM, Brian J. Murrell wrote:
> On Mon, 2009-12-21 at 09:05 +0530, ericdes wrote:
>>
>> 04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S
>> 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785
>> 0,nop,wscale 5>
>> 04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host
>> ks309069.kimsufi.com unreachable - admin prohibited, length 68
>
> Well, that's a pretty obvious result. Surely you must be seeing why
> your HTTP connections are not working. The machine/port you are trying
> to reach has been packet filtered, and they are even being so courteous
> as to tell you that rather than just dropping your packets on the floor
> (like I would do).
>
>> And this when I ssh:
>>
>> 04:31:26.138508 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: .
>> ack 958 win 281 <nop,nop,timestamp 41056616 122428939>
>> 04:31:26.141516 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: P
>> 838:982(144) ack 958 win 281 <nop,nop,timestamp 41056619 122428939>
>> 04:31:26.146252 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: P
>> 958:1678(720) ack 982 win 70 <nop,nop,timestamp 122429100 41056619>
>
> And of course, this is not being packet filtered.
>
> b.
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
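Brian's reading of the trace (a SYN answered by "ICMP host unreachable - admin prohibited" means a filter rejected it; data flowing back on the ssh port means that path is open; a SYN with nothing coming back means the packets were dropped silently) can be turned into a small checker that runs over a saved tcpdump text capture. The script below is an added example written for this thread, not code from the list, from Shorewall or from the guide linked above. It understands the classic tcpdump line format shown in the excerpt (flags printed as "S", "." or "P", no "Flags [...]"), and the sample capture is constructed: the thread's own lines with spacing restored plus one extra unanswered SYN to the https port, added to show the silent-drop case. Deciding which end of an already-established flow is the server (the end whose port tcpdump printed as a service name, otherwise the lower port) is an assumption of this example, not something tcpdump tells you.

```python
"""Classify services seen in a tcpdump text capture as filtered, passing or unanswered."""
import re

# Constructed sample: the thread's tcpdump lines plus one SYN to https that never gets a reply.
SAMPLE_CAPTURE = """\
04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host ks309069.kimsufi.com unreachable - admin prohibited, length 68
04:31:26.138508 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: . ack 958 win 281 <nop,nop,timestamp 41056616 122428939>
04:31:26.141516 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: P 838:982(144) ack 958 win 281 <nop,nop,timestamp 41056619 122428939>
04:31:26.146252 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: P 958:1678(720) ack 982 win 70 <nop,nop,timestamp 122429100 41056619>
04:32:00.000000 IP es01.tela-web.com.35300 > ks309069.kimsufi.com.https: S 1:1(0) win 5840 <mss 1460>
"""

# Classic tcpdump TCP line: "<ts> IP <host>.<port> > <host>.<port>: <flags> ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sh>\S+)\.(?P<sp>[^.\s:]+) > (?P<dh>\S+)\.(?P<dp>[^.\s:]+): (?P<flags>\S+)"
)
# ICMP admin-prohibited line: only the host is quoted when tcpdump runs without -v.
ICMP_ADMIN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sender>\S+) > (?P<to>[^\s:]+): ICMP host (?P<target>\S+) unreachable - admin prohibited"
)


def _server_side(sh, sp, dh, dp, known):
    """Pick the server end of a non-SYN segment.

    Prefer an endpoint we already saw a SYN towards; otherwise assume the end whose
    port tcpdump resolved to a service name, and failing that the lower port number
    (heuristic, an assumption of this example).
    """
    if f"{sh}:{sp}" in known:
        return sh, sp
    if f"{dh}:{dp}" in known:
        return dh, dp
    if not sp.isdigit():
        return sh, sp
    if not dp.isdigit():
        return dh, dp
    return (sh, sp) if int(sp) < int(dp) else (dh, dp)


def analyze(capture):
    """Return {"host:port": status} where status is "filtered (...)", "passing" or "no reply"."""
    pending = {}   # destination host -> stack of service keys awaiting an answer
    status = {}    # insertion-ordered result
    for line in capture.splitlines():
        m = ICMP_ADMIN_RE.match(line)
        if m:
            # The ICMP error quotes only the host, so attribute it to the most recent
            # unanswered SYN towards that host.
            target = m.group("target")
            if pending.get(target):
                key = pending[target].pop()
                status[key] = f"filtered (ICMP admin prohibited from {m.group('sender')})"
            continue
        if ": ICMP " in line:
            continue  # other ICMP traffic is not classified here
        m = TCP_RE.match(line)
        if not m:
            continue
        sh, sp, dh, dp, flags = m.group("sh", "sp", "dh", "dp", "flags")
        if flags == "S":  # bare SYN, no ack: a new connection attempt
            key = f"{dh}:{dp}"
            pending.setdefault(dh, []).append(key)
            status.setdefault(key, "no reply")
            continue
        # Any other segment (ack, data, SYN-ACK) shows the handshake got through.
        host, port = _server_side(sh, sp, dh, dp, status)
        key = f"{host}:{port}"
        if not status.get(key, "").startswith("filtered"):
            status[key] = "passing"
            pending.get(host, [])[:] = [k for k in pending.get(host, []) if k != key]
    return status


def report(capture):
    """One human-readable line per service, in the order first seen."""
    return [f"{key:40s} {state}" for key, state in analyze(capture).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run it against `tcpdump -n -i vmbr0 ... > capture.txt` output by passing the file contents to `analyze`; a service reported as "filtered" with the ICMP sender equal to the host you were trying to reach points at a REJECT rule on that host (Shorewall's default reject action sends exactly this admin-prohibited error), while "no reply" is what a DROP policy or a NAT rule that never matched looks like from outside.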
