Here is what I checked:
 
This IP address 210.0.214.121 is no problem; you can see the MAC addresses 
(firewall external interface: 00:0a:cd:0f:66:bb) and (ISP router MAC address: 
00:05:3b:60:c0:57):
 
10:21:51.276188 00:05:3b:60:c0:57 > 00:0a:cd:0f:66:bb, ethertype IPv4 (0x0800), length 62: 221.127.14.48.32481 > 210.0.214.121.http: S 2808036249:2808036249(0) win 65535 <mss 1440,nop,nop,sackOK>
10:21:51.276353 00:0a:cd:0f:66:bb > 00:05:3b:60:c0:57, ethertype IPv4 (0x0800), length 62: 210.0.214.121.http > 221.127.14.48.32481: S 3041452640:3041452640(0) ack 2808036250 win 5840 <mss 1460,nop,nop,sackOK>

 
This IP address 210.0.214.127 can't connect to the internet; the MAC address 
00:01:03:2a:67:25 is the testing firewall's external MAC address:
 
10:20:01.802065 00:05:3b:60:c0:57 > 00:01:03:2a:67:25, ethertype IPv4 (0x0800), length 62: 221.127.14.48.32458 > 210.0.214.127.http: S 3300503728:3300503728(0) win 65535 <mss 1440,nop,nop,sackOK>



--- On Tue, 9 Feb 2010, Tom Eastep <[email protected]> wrote:


From: Tom Eastep <[email protected]>
Subject: Re: [Shorewall-users] Two DMZ servers can't be access from internet and 
can't ping internet IP address.
To: "Shorewall Users" <[email protected]>
Date: Tue, 9 Feb 2010, 9:00 AM


On Tue, 2010-02-09 at 08:24 +0800, Wilson Kwok wrote:
> Hello Tom
>  
> I'm trying to ping 210.0.214.127 from external host, it's request time
> out, but I can ping 210.0.214.119, I accepted in policy and rules file
> before try to ping.
>  
> Policy:
> net             dmz              DROP            info
> net             $FW             ACCEPT         info
> net             loc                DROP            info
> net             all                 DROP            info
> 
> Rules:
> Ping/ACCEPT     net             $FW
> 

Wilson, 

I gave you complete instructions for diagnosing the problem; did you
follow them? If so, what was the result? I can't help you if you ignore
what I tell you and go off doing something else. 

Because you are forwarding 210.0.214.127 to your dmz, you would need
this rule:

Ping/ACCEPT    net    dmz

BUT YOU DON'T NEED ANY RULES TO FOLLOW THE INSTRUCTIONS THAT I GAVE YOU.

We are trying to determine if the packets are even reaching your
firewall and if so, do they have the correct L2 address. All the rules
in the world won't fix the problem if the packets aren't even reaching
your firewall. You are wasting both your time and mine. 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
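The check Tom asks for (are the SYNs reaching the firewall at all, and do they carry the right L2 destination address?) can be applied mechanically to `tcpdump -e` output like the lines Wilson posted. The following is an added example written for this thread, not code from Shorewall or from either poster. It parses frames in the old-style tcpdump format shown above, groups them by public IP, and reports for each IP whether an inbound SYN was seen, whether it was delivered to the expected external-interface MAC, and whether a SYN-ACK came back. The sample frames are the three lines from the thread joined onto single lines; the assumption that both public IPs should be answered by the interface with MAC 00:0a:cd:0f:66:bb is the example's own, passed in as a parameter.

```python
import re

# Old-style "tcpdump -e" frame line, e.g.:
#   TIME SRC_MAC > DST_MAC, ethertype IPv4 (0x0800), length N: SRC.SPORT > DST.DPORT: FLAGS ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_mac>[0-9a-fA-F:]{17}) > (?P<dst_mac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>[SPFR.])"
    r"(?P<rest>.*)$"
)

# Sample input: the three frames posted in the thread, each joined onto one line.
SAMPLE_FRAMES = [
    "10:21:51.276188 00:05:3b:60:c0:57 > 00:0a:cd:0f:66:bb, ethertype IPv4 (0x0800), "
    "length 62: 221.127.14.48.32481 > 210.0.214.121.http: S 2808036249:2808036249(0) "
    "win 65535 <mss 1440,nop,nop,sackOK>",
    "10:21:51.276353 00:0a:cd:0f:66:bb > 00:05:3b:60:c0:57, ethertype IPv4 (0x0800), "
    "length 62: 210.0.214.121.http > 221.127.14.48.32481: S 3041452640:3041452640(0) "
    "ack 2808036250 win 5840 <mss 1460,nop,nop,sackOK>",
    "10:20:01.802065 00:05:3b:60:c0:57 > 00:01:03:2a:67:25, ethertype IPv4 (0x0800), "
    "length 62: 221.127.14.48.32458 > 210.0.214.127.http: S 3300503728:3300503728(0) "
    "win 65535 <mss 1440,nop,nop,sackOK>",
]

# Assumption for this example: both public IPs are served by the same firewall,
# whose external interface is 00:0a:cd:0f:66:bb (from Wilson's first capture).
EXPECTED_MAC = {
    "210.0.214.121": "00:0a:cd:0f:66:bb",
    "210.0.214.127": "00:0a:cd:0f:66:bb",
}


def parse_frame(line):
    """Parse one tcpdump -e line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    frame = m.groupdict()
    frame["syn"] = frame["flags"] == "S"
    # In this tcpdump format a SYN-ACK prints as "S seq:seq(0) ack N ..."
    frame["ack"] = " ack " in frame["rest"]
    return frame


def check_reachability(lines, expected_mac_by_ip):
    """Per public IP: was an inbound SYN seen, did it hit the expected MAC, was it answered?"""
    report = {
        ip: {"syn_seen": False, "delivered_to_expected_mac": None,
             "wrong_mac": None, "synack_seen": False}
        for ip in expected_mac_by_ip
    }
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        if f["syn"] and not f["ack"] and f["dst_ip"] in report:
            # Inbound SYN toward one of our public addresses: check the L2 destination.
            r = report[f["dst_ip"]]
            r["syn_seen"] = True
            if f["dst_mac"].lower() == expected_mac_by_ip[f["dst_ip"]].lower():
                r["delivered_to_expected_mac"] = True
            else:
                r["delivered_to_expected_mac"] = False
                r["wrong_mac"] = f["dst_mac"].lower()
        elif f["syn"] and f["ack"] and f["src_ip"] in report:
            # SYN-ACK leaving from one of our public addresses: the handshake was answered.
            report[f["src_ip"]]["synack_seen"] = True
    return report


def verdict(r):
    """Turn one IP's report into the next diagnostic step, in the order Tom lays out."""
    if not r["syn_seen"]:
        return "no inbound SYN seen: packets are not reaching this capture point"
    if r["delivered_to_expected_mac"] is False:
        return ("SYN delivered to %s, not the expected interface MAC: "
                "check which device the upstream router resolves this IP to" % r["wrong_mac"])
    if not r["synack_seen"]:
        return "SYN reached the expected MAC but no SYN-ACK: look at the firewall rules or the DMZ host"
    return "SYN delivered to the expected MAC and answered: L2 and L3 path OK"


if __name__ == "__main__":
    for ip, r in check_reachability(SAMPLE_FRAMES, EXPECTED_MAC).items():
        print(ip, "->", verdict(r))
```

On the sample frames the report for 210.0.214.121 shows the SYN arriving at 00:0a:cd:0f:66:bb and a SYN-ACK going back, while the SYN for 210.0.214.127 is flagged as delivered to 00:01:03:2a:67:25 instead of the expected MAC. That is exactly the distinction Tom wants established before any policy or rules changes: a frame addressed to another interface's MAC never reaches the firewall's netfilter rules, so no `Ping/ACCEPT` or DNAT entry can change the outcome.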