>> The following fails (performed from Shorewall firewall host with IP
>> addr. 10.215.144.91):
>>
>> # telnet 10.252.194.207 25
>>
>> I can see the following while trying to connect to the remote host in
>> the CAIB zone:
>>
>> # tcpdump -n -i enp2s0f0 host 10.252.194.207
>> 12:55:50.044861 IP 172.20.11.62.39027 > 10.252.194.207.25: Flags [S],
>> seq 3930079856, win 29200, options [mss 1460,sackOK,TS val 79493620 ecr
>> 0,nop,wscale 7], length 0
>>
>> I would like to see 10.215.144.91 instead of 172.20.11.62.
>>
>> What can I try?
>
> Why, if you are routing this traffic out of enp2s0f0 do you wish to use
> the source IP address of enp0s8? Asymmetric routing?
>
> At any rate, in /etc/shorewall/masq:
>
> enp2s0f0:10.252.194.207 172.20.11.62 10.215.144.91 tcp 25

Thanks Tom.

I used a more general setting:

enp2s0f0 172.20.11.62 10.215.144.91

The reason is that the remote organization's policy is to allow connections only from hosts with IP addresses of type 10.x.x.x. The 172.x.x.x addresses are only used to interconnect routers. However, I'm using a single shorewall router/firewall with extra services such as SFTP and SMTP that are available on both "lan" and "caib" zones.

e.g. (values may differ from shorewall dump):

lan(10.215.144.0/23)-(10.215.144.91)$FW(172.20.11.62)-(172.20.x.x)RemoteRouter(10.5.1.1)-(10.252.194.1)RemoteFW(10.252.194.207)

At first I started using options such as Squid's tcp_outgoing_address, "telnet -b...", etc. However, masquerading all connections fits my need perfectly.

Thanks again,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
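The two masq entries in this thread differ in scope, which matters when the remote side filters or logs by source address. The following is an added example, not part of the thread and not Shorewall's own code: a simplified Python model of only the INTERFACE[:DEST], SOURCE, ADDRESS, PROTO and PORT columns, run over constructed sample connections, showing which source address the remote peer sees under each entry. The function names and sample tuples are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

class MasqRule(NamedTuple):
    iface: str
    dest: Optional[ipaddress.IPv4Network]
    source: ipaddress.IPv4Network
    snat_to: str
    proto: Optional[str]
    port: Optional[int]

def parse_masq(line: str) -> MasqRule:
    """Parse 'INTERFACE[:DEST] SOURCE ADDRESS [PROTO [PORT]]' (simplified)."""
    cols = line.split()
    iface, _, dest = cols[0].partition(":")
    return MasqRule(
        iface=iface,
        dest=ipaddress.ip_network(dest) if dest else None,
        source=ipaddress.ip_network(cols[1]),
        snat_to=cols[2],
        proto=cols[3] if len(cols) > 3 else None,
        port=int(cols[4]) if len(cols) > 4 else None,
    )

def source_seen_by_peer(rule, out_iface, src, dst, proto, dport):
    """Return the source address on the wire after the rule is applied."""
    ip = ipaddress.ip_address
    matches = (
        out_iface == rule.iface
        and ip(src) in rule.source
        and (rule.dest is None or ip(dst) in rule.dest)
        and (rule.proto is None or proto == rule.proto)
        and (rule.port is None or dport == rule.port)
    )
    return rule.snat_to if matches else src

# The entry suggested in the quoted reply, and the general one used instead.
NARROW = parse_masq("enp2s0f0:10.252.194.207 172.20.11.62 10.215.144.91 tcp 25")
GENERAL = parse_masq("enp2s0f0 172.20.11.62 10.215.144.91")

# Constructed sample connections originating on the firewall itself.
SMTP = ("enp2s0f0", "172.20.11.62", "10.252.194.207", "tcp", 25)
SFTP = ("enp2s0f0", "172.20.11.62", "10.252.194.207", "tcp", 22)
OTHER_HOST = ("enp2s0f0", "172.20.11.62", "10.252.194.1", "tcp", 25)

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW), ("general", GENERAL)):
        for conn in (SMTP, SFTP, OTHER_HOST):
            print(name, conn[2], conn[4], "->", source_seen_by_peer(rule, *conn))
```

With the general entry, every connection the firewall originates from 172.20.11.62 out of enp2s0f0 appears to the remote side as 10.215.144.91, so remote logs can no longer tell those services apart by source address.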