Thanks Robert, Tom!

just about every time i switched firewalls i power cycled the switches, cable modem, and ran arp -d <firewall> on the web server. and did run pings and nslookups to make sure i was communicating and dns was working. early on i had issues with the tinydns config, and i could only ping by IP address and not name, now name resolution is working.

i went through the FAQ before posting, did it again now. does not mean that i am not misinterpreting or doing something stupid :)

*Answer:* That is usually the result of one of four things:

 * You are trying to test from inside your firewall -<sam> no - trying
   from a proxy in colorado and my att wireless

 * You have a more basic problem with your local system -<sam> don't
   think so, works with old firewall, gateway set to firewall

 * Your ISP is blocking that particular port inbound or, for TCP, your
   ISP is dropping the outbound SYN,ACK response. -<sam> don't think
   so, works with the old firewall

 * You are running Mandriva Linux prior to 10.0 final and have
   configured Internet Connection Sharing.  - no, running LEAF uclibc

       (FAQ 1b) I'm still having problems with port forwarding

*Answer:* To further diagnose this problem:

 * As root, type "*shorewall reset*" ("*shorewall-lite reset*", if you
   are running Shorewall Lite). This clears all Netfilter counters.

 * Try to connect to the redirected port from an external host.

 * As root type "*shorewall show nat*" ("*shorewall-lite show nat*",
   if you are running Shorewall Lite).

 * Locate the appropriate DNAT rule. It will be in a chain called
   /<source zone>/_dnat ("net_dnat" in the above examples).

 * Is the packet count in the first column non-zero?  YES If so, the
   connection request is reaching the firewall and is being redirected
   to the server. In this case, the problem is usually a missing or
   incorrect default gateway setting on the local system (the system
   you are trying to forward to -- its default gateway must be the IP
   address of the firewall's interface to that system unless you use
   the hack described in FAQ 1f
   <http://www.shorewall.net/FAQ.htm#faq1f>). <sam> default gw is set
   to firewall

 * If the packet count is non-zero, check your log to see if the
   connection is being dropped or rejected. If it is, then you may have
   a zone definition problem such that the server is in a different
   zone than what is specified in the DEST column. At a root prompt,
   type "*shorewall show zones*" ("*shorewall-lite show zones*") then
   be sure that in the DEST column you have specified the *first* zone
   in the list that matches OUT=<dev> and DEST=<ip> from the
   REJECT/DROP log message.

     o <sam> Do not see drop or reject.

     o conntrack table shows [UNREPLIED]  ex.
       tcp      6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2

     o Shorewall 4.4.27.3 Zones at inferno - Mon May 21 23:17:02 EDT 2012

       fw (firewall)
       net (ipv4)
           eth0:0.0.0.0/0
       loc (ipv4)
           eth1:0.0.0.0/0
       dmz (ipv4)
           eth2:0.0.0.0/0

     o rule is : DNAT net dmz:172.16.90.36 tcp 80 - 24.129.159.12

 * If everything seems to be correct according to these tests but the
   connection doesn't work, it may be that your ISP is blocking SYN,ACK
   responses. This technique allows your ISP to detect when you are
   running a server (usually in violation of your service agreement)
   and to stop connections to that server from being established. <sam>
   don't think so, it works with the old firewall, and i am paying for
   the IPs so i can host the mail and web servers.

I also just tried another swap and this time rebooted everything - web server, switches, client PC. no difference in outcome, i did save the dump and log file dir from this test as well. have not rebooted since this test, just unplugged all the cables. so i can still check logs, etc.

i have been using shorewall for a while and have made many changes to my dnat rules over the years on the 1.x version and never had any issues. stuff like bringing up new web servers on different servers or ports, tomcat server, database servers (oracle and mysql), etc. it did not seem like the rules changed that much. i am wondering if i missed something in one of the other configuration files or one of the new parameters?

thanks
sam
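The conntrack entry Sam pasted above already answers the FAQ 1b question by itself: the reply tuple's src (172.16.90.36) differs from the original dst (24.129.159.12), so the DNAT rule matched and rewrote the destination, yet the reply direction shows packets=0 and [UNREPLIED], so nothing ever came back from the DMZ host through the firewall. The following helper, added here as an example and not code from the thread or from Shorewall, parses /proc/net/ip_conntrack-style lines and applies exactly that reasoning to each flow. The first sample line is Sam's entry; the other two lines (client 203.0.113.9, the port 25 flow) are constructed to show a healthy DNAT flow and a flow that no DNAT rule matched at all.

```python
import re

# Constructed sample input: line 1 is the conntrack entry from Sam's message;
# lines 2 and 3 are constructed (203.0.113.9 is a documentation address) to
# contrast a working DNAT flow and a flow that no DNAT rule rewrote.
SAMPLE_CONNTRACK = """\
tcp      6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=24.129.159.12 sport=40022 dport=80 packets=12 bytes=1460 src=172.16.90.36 dst=203.0.113.9 sport=80 dport=40022 packets=9 bytes=5120 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.9 dst=24.129.159.12 sport=40100 dport=25 packets=1 bytes=60 [UNREPLIED] src=24.129.159.12 dst=203.0.113.9 sport=25 dport=40100 packets=0 bytes=0 mark=0 use=1
"""

KEY_VALUE = re.compile(r"^(\w+)=(\S+)$")


def parse_conntrack_line(line):
    """Split one /proc/net/ip_conntrack (or conntrack -L) line into the
    original-direction tuple, the reply-direction tuple and the flag tokens."""
    fields = line.split()
    proto = fields[0]
    # TCP entries carry a state name (SYN_SENT, ESTABLISHED, ...) before the tuples;
    # UDP/ICMP entries do not.
    state = fields[3] if proto == "tcp" else "-"
    orig, reply = {}, {}
    current = orig
    for tok in fields:
        m = KEY_VALUE.match(tok)
        if not m:
            continue
        key, value = m.groups()
        # The second src= token starts the reply-direction tuple.
        if key == "src" and "src" in current:
            current = reply
        current[key] = value
    flags = {tok for tok in fields if tok.startswith("[") and tok.endswith("]")}
    return {"proto": proto, "state": state, "orig": orig, "reply": reply, "flags": flags}


def diagnose(entry):
    """Classify an entry the way FAQ 1b reasons about it.

    - reply src != original dst: the DNAT rule matched and rewrote the destination.
    - additionally no reply packets ([UNREPLIED] / packets=0): the request was
      redirected but the server never answered back through the firewall, which
      points at the server's default gateway (or its own host firewall), not at
      the DNAT rule.
    - reply src == original dst: no DNAT rule matched this flow at all.
    """
    orig, reply = entry["orig"], entry["reply"]
    dnat = orig["dst"] != reply["src"]
    no_reply = "[UNREPLIED]" in entry["flags"] or int(reply.get("packets", "0")) == 0
    if not dnat:
        verdict = "not-dnat"
    elif no_reply:
        verdict = "dnat-unreplied"
    else:
        verdict = "dnat-ok"
    return {
        "client": orig["src"],
        "public": f'{orig["dst"]}:{orig["dport"]}',
        "server": reply["src"],
        "state": entry["state"],
        "verdict": verdict,
    }


def analyse(text):
    """Run the classification over a whole conntrack dump and return one row per flow."""
    return [diagnose(parse_conntrack_line(l)) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for row in analyse(SAMPLE_CONNTRACK):
        print(f'{row["verdict"]:15} {row["client"]} -> {row["public"]} '
              f'(server {row["server"]}, {row["state"]})')
```

On a live firewall, feed it the real table with `python3 this.py < /proc/net/ip_conntrack` after replacing SAMPLE_CONNTRACK with `sys.stdin.read()`; a "dnat-unreplied" verdict together with a non-zero counter on the `net_dnat` rule in `shorewall show nat` means the firewall is doing its part and the return path from the server is what to check next.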



Tom Eastep wrote on 5/21/2012 9:30 PM:
On 5/21/12 4:40 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

I'm not sure what you are running into, but if you did a quick swap and
test, your switches may not have caught up to the changes by the time
you tested.  I ran into that when doing a midday cutover to a new
firewall.  You can avoid that by pinging from Leaf to the DNAT target
and vice-versa.  Once you see those pings going, this is a non-issue.

Here is a rule from a functional firewall that is DNAT'ing traffic
arriving on a specific interface (in this case the only one in zone
net2) and a specific (fake) IP on that interface for you to compare to
the old version of the rule.

DNAT         net2   loc:10.1.3.4          tcp     80       -  69.254.254.254

On 5/21/2012 4:52 PM, Sam Cappello wrote:
Hi,
I have been running shorewall 1.3.9b on lrp Bering 1.0-rc4 for many
Sam,

If Robert's tip doesn't solve your problem, check out the DNAT
troubleshooting tips in Shorewall FAQs 1a and 1b.

-Tom


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users