This email proudly sent through my new firewall! Thanks everyone for your help; it was key to resolving the issue. Turns out the problem was user error. A cable was mislabeled and I was in fact unplugging the web server and plugging the new firewall's DMZ interface in its place. That explains why all the interfaces and MAC addresses looked right to me; I was just missing one clue that I finally saw today: the MAC address shown for the DMZ interface on the web server was showing up as (incomplete), not an actual address. Once I started pinging different interfaces from other servers I realized what the problem was.
So thanks again for everyone's quick answers, and sorry to have taken your time with user error. I was truly at my wit's end with this and I could not have figured it out without the confirmation that I had Shorewall configured correctly and a weekend away from computers to give me a fresh start today.

Sam

Tom Eastep wrote on 5/22/2012 12:20 PM:
> On 05/22/2012 08:08 AM, Sam Cappello wrote:
>
>> connection request is reaching the firewall and is being redirected
>> to the server. In this case, the problem is usually a missing or
>> incorrect default gateway setting on the local system (the system
>> you are trying to forward to -- its default gateway must be the IP
>> address of the firewall's interface to that system unless you use
>> the hack described in FAQ 1f
>> <http://www.shorewall.net/FAQ.htm#faq1f>).
>>
>> <sam> default gw is set to firewall
>>
>> conntrack table shows [UNREPLIED] ex.
>> tcp 6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2
>>
> SYN_SENT means that the firewall has sent the packet to 172.16.90.36 who
> has not responded.
>
> You need to use tcpdump on eth2:
>
> tcpdump -nei eth2 port 80
>
> Pay particular attention to the MAC addresses of the SYNs being sent to
> 172.16.90.36 and the SYN,ACKs being returned to the client. While you
> stated that you power-cycled the switches, the server itself can have
> the same issue when you swap default routers.
>
> -Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
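The triage the thread walks through by hand (an [UNREPLIED] SYN_SENT entry for a DNAT'd flow in the conntrack table, then the discovery that the DMZ host's ARP entry was "(incomplete)") can be scripted. The following is an added example, not code from the thread, from Sam, or from the Shorewall project. It parses the plain-text formats of `ip -4 neigh show` / `arp -n` and `conntrack -L` / /proc/net/nf_conntrack, so it can be fed live output; here it runs against constructed sample tables, and the interface name eth2 and all addresses are assumptions chosen to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the Shorewall thread: triage helpers for the
# symptom discussed above (DNAT'd SYNs stuck in SYN_SENT/[UNREPLIED] while
# the DMZ host's MAC never resolves). They parse plain text, so they work on
# live output (`ip -4 neigh show`, `arp -n`, `conntrack -L`,
# /proc/net/nf_conntrack) or on the constructed samples below.
# Interface name eth2 and all addresses are assumptions for the demo.

# Constructed `ip -4 neigh show` output (not captured from any real host).
SAMPLE_NEIGH='172.16.90.36 dev eth2  FAILED
172.16.90.1 dev eth2 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.7 dev eth1 lladdr 66:77:88:99:aa:bb STALE'

# Constructed conntrack lines in the same shape as the one quoted in the thread.
SAMPLE_CT='tcp      6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=24.129.159.12 sport=40000 dport=22 packets=10 bytes=1200 src=24.129.159.12 dst=10.0.0.7 sport=22 dport=40000 packets=9 bytes=900 [ASSURED] mark=0 use=1'

# Print the IPs on interface $1 whose MAC never resolved. `ip neigh` shows
# FAILED/INCOMPLETE; `arp -n` shows "(incomplete)" where the MAC would be,
# and in both formats the interface name is the third field of such lines.
unresolved_neighbors() {   # $1 = interface; neighbour table on stdin
  awk -v ifc="$1" '$3 == ifc && /FAILED|INCOMPLETE|\(incomplete\)/ { print $1 }'
}

# Print "client public:port real_server" for each [UNREPLIED] flow whose
# reply-direction source differs from the original destination, i.e. the
# firewall rewrote the destination (DNAT) and the real server never answered.
unreplied_dnat_flows() {   # conntrack lines on stdin
  awk '/\[UNREPLIED\]/ {
    c = 0; port = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/)                  { c++; src[c] = substr($i, 5) }
      else if ($i ~ /^dst=/)             { dst[c] = substr($i, 5) }
      else if ($i ~ /^dport=/ && c == 1) { port = substr($i, 7) }
    }
    if (c == 2 && dst[1] != src[2]) print src[1], dst[1] ":" port, src[2]
  }'
}

# Correlate the two: an unanswered DNAT target with no resolved ARP entry
# points at layer 1/2 (cabling, VLAN, wrong switch port), not at the ruleset.
triage() {   # $1 = DMZ-facing interface, $2 = neighbour table, $3 = conntrack table
  printf '%s\n' "$3" | unreplied_dnat_flows | while read -r client public target; do
    if printf '%s\n' "$2" | unresolved_neighbors "$1" | grep -qxF "$target"; then
      echo "$target: ARP never resolved on $1; check cabling/VLAN before the ruleset"
    else
      echo "$target: MAC resolved; capture with: tcpdump -nei $1 host $target and port ${public##*:}"
    fi
  done
}

triage eth2 "$SAMPLE_NEIGH" "$SAMPLE_CT"
```

On a live firewall, replace the samples with `ip -4 neigh show` and `conntrack -L` (or `cat /proc/net/nf_conntrack`) output; when the ARP entry has resolved but the flow is still unanswered, the printed tcpdump command is the capture Tom asked for, and comparing the destination MAC of the forwarded SYN against the server's real interface is the next check.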
