Hi, I have been running Shorewall 1.3.9b on LRP Bering 1.0-rc4 for many years, and it is long overdue for an upgrade. So I have loaded the latest version of LEAF (Shorewall 4.4.27.3 on LEAF Bering-uClibc 4.2) on newer hardware, and am trying to get it working.
The goal: I have 5 external IP addresses, and I have bound them to the external interface on the firewall and would like to be able to forward specific IPs and ports to different IP/port combinations in my DMZ, as I was taught by the Shorewall docs over 10 years ago :)
So far I think I have everything running except for issues with DNAT. I can get out to the internet, VPN into my office, and tinydns/dnscache seem to be working. But when I try to connect from the outside (VPN through a proxy at work, or via my phone using the AT&T network) to any of the web or email ports I have open, it fails. 3rd party email monitoring complains about it too. Trying to access a web site from the outside yields a 502 Bad Gateway error. I can ping the external IPs from outside my network. Ex. 198.152.13.67 to 24.129.159.12 for http. I noticed the log file has UNREPLIED in it, so I was thinking that somehow something in the return path is bad. The gateway on the web server has always been the firewall on the DMZ interface. I am keeping all of the IPs the same on the new firewall. When it is not in place, I change the 192.168.90.254 address to 192.168.90.201 and disconnect the other cables. Not brave enough to try and run two firewalls at the same time live.
I set it up using the current install docs for LEAF, then copied my current Shorewall rules over. I have reviewed them several times, and am not seeing any problems; if anything I have some redundant or unneeded rules, which I have tried disabling, but it made no difference. Each time I test this new firewall it obviously brings things down. I have been resetting the cable modem and switches with each swap. Tried resetting the ARP cache on my web server. The only thing I have not tried is rebooting the web server. Can't really see how that would help? Maybe I should try that?
I have been reading the FAQ and mailing list. Also tried setting DETECT_DNAT_IPADDRS=No. Saw some stuff about setting up the proxy arp file, but that did not seem right.
Oh, the main reason for the upgrade, other than to be on the latest version and newer hardware, is that I have been having voice quality issues on my VoIP phones, and would like to use QoS/TC to improve the voice quality. When I tried putting a MAC address in 1.3.9 Shorewall it crashes.
I am hoping I have just missed something simple. I have been working crazy hours and fighting ISP issues of one form or another since January; I think the last piece of the puzzle is to get this firewall upgraded and give my VoIP packets some priority.
Thanks! Sam
status.txt.gz
Description: GNU Zip compressed data
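A check for the UNREPLIED symptom described in the post, added here as an example and not part of the original message: it parses `conntrack -L` output and lists the inbound DNAT flows whose reply from the DMZ host never came back through the firewall, which separates a return-path problem (DMZ host's default gateway, ARP, a non-matching rule) from a DNAT rule that never fired. The sample conntrack lines and all addresses are constructed (RFC 5737 documentation ranges plus the post's 192.168.90.0/24 DMZ); the `dnat_unreplied` function name is mine.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (not taken from the poster's firewall).
# Public addresses are from the RFC 5737 documentation ranges; 192.168.90.0/24 is the
# DMZ subnet mentioned in the post. Line 2 is a healthy DNAT flow, line 3 is an
# outbound SNAT flow from the DMZ that is unreplied for some unrelated reason.
SAMPLE_CONNTRACK='tcp      6 118 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=80 [UNREPLIED] src=192.168.90.10 dst=198.51.100.7 sport=80 dport=51234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.8 dst=203.0.113.11 sport=40001 dport=25 src=192.168.90.20 dst=198.51.100.8 sport=25 dport=40001 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=192.168.90.10 dst=203.0.113.99 sport=33000 dport=443 [UNREPLIED] src=203.0.113.99 dst=203.0.113.10 sport=443 dport=33000 mark=0 use=1
udp     17 29 src=203.0.113.5 dst=203.0.113.10 sport=5060 dport=5060 [UNREPLIED] src=192.168.90.30 dst=203.0.113.5 sport=5060 dport=5060 mark=0 use=1'

# dnat_unreplied: read conntrack entries on stdin and print the inbound DNAT flows
# that are still [UNREPLIED]. Each entry carries two tuples: the original direction
# (what the client sent) and the reply direction (what the firewall expects back).
# If the original dst differs from the reply src, DNAT rewrote the destination; if
# such an entry is UNREPLIED, the DMZ host's answer never reached the firewall.
dnat_unreplied() {
    awk '
    /\[UNREPLIED\]/ {
        ns = 0; nd = 0; dport = ""
        split("", src); split("", dst)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)                       src[++ns] = substr($i, 5)
            else if ($i ~ /^dst=/)                  dst[++nd] = substr($i, 5)
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        # dst[1]: public address the client hit; src[2]: DMZ host that must reply.
        if (nd >= 1 && ns >= 2 && dst[1] != src[2])
            printf "%s %s:%s -> %s no reply from DMZ host\n", $1, dst[1], dport, src[2]
    }'
}

# Stand-alone run on the constructed sample. On the firewall itself:
#   conntrack -L | dnat_unreplied
printf '%s\n' "$SAMPLE_CONNTRACK" | dnat_unreplied
```

If every forwarded port shows up here while the ESTABLISHED entries are all outbound, the rules are matching and the fault lies on the DMZ side of the firewall; if nothing shows up, the DNAT rule is not being hit at all.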
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
