Thanks Tom, Jeremy for pointing to FAQ2 which solved the issue. Thanks to Damiano for hinting about unNATed network configuration.
Cheers,
/z

On 1/31/16, Damiano Verzulli <dami...@verzulli.it> wrote:
> On 30/01/2016 17:55, Jeremy Baker wrote:
>> [...] Do your web servers resolve to the local address, or your
>> external address from within your network? [...]
>
> I would also add that:
>
> - _IF_ you are _NOT_ NATting from LOC to DMZ.... and
> - _IF_ the Default-GW configured in your DMZ-Server is the router
>   connected in the NET zone... and
> - _IF_ the router is correctly configured with a static-route so to reach
>   LOC clients via the Shorewall-FW gateway
>
> _THEN_
>
> - you can simply solve your problem by _ADDING_ a static route on the
>   DMZ-server so to reach the LOC-network directly via the Shorewall-GW
>
> Without the last static-route, when clients in LOC send packets to
> DMZ-Server, you're getting asymmetric routing:
>
> => From LOC to DMZ: LOC-client -> Shorewall-GW -> DMZ-server
> => From DMZ to LOC: DMZ-server -> DEF-GW on NET -> Shorewall-GW ->
>    LOC-client
>
> and the "DEF-GW on NET", probably, requires some authentication to
> forward traffic. That's why you are popped-up with authentication forms.
>
> By adding the static route, you avoid such HOP and traffic flows
> symmetrically in both directions.
>
> HTH.
>
> Bye,
> DV
>
> --
> Damiano Verzulli
> e-mail: dami...@verzulli.it
> ---
> possible?ok:while(!possible){open_mindedness++}
> ---
> "Technical people tend to fall into two categories: Specialists
> and Generalists. The Specialist learns more and more about a
> narrower and narrower field, until he eventually, in the limit,
> knows everything about nothing. The Generalist learns less and
> less about a wider and wider field, until eventually he knows
> nothing about everything."
> - William Stucke - AfrISPA
> http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
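
The asymmetric path Damiano describes, and the effect of the static route on the DMZ server, modelled as an added example that is not part of the original thread. The subnets, host addresses and routing-table contents are constructed assumptions; the thread gives none.

```python
import ipaddress

# Constructed addressing; the thread gives no subnets or host addresses.
LOC, DMZ = "192.168.1.0/24", "10.0.0.0/24"
ADDR = {"LOC-client": "192.168.1.50", "DMZ-server": "10.0.0.10"}
DIRECT = None  # marker: destination is on a directly connected network

def base_tables():
    """Per-node routing tables as (prefix, next hop) pairs, before the fix."""
    return {
        "LOC-client":   [("0.0.0.0/0", "Shorewall-GW")],
        "Shorewall-GW": [(LOC, DIRECT), (DMZ, DIRECT), ("0.0.0.0/0", "DEF-GW")],
        "DMZ-server":   [(DMZ, DIRECT), ("0.0.0.0/0", "DEF-GW")],
        "DEF-GW":       [(LOC, "Shorewall-GW")],  # static route assumed on the NET router
    }

def next_hop(table, dst):
    """Longest-prefix match: next hop name, DIRECT, or LookupError if no route."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table]
    matches = [(n, hop) for n, hop in nets if ip in n]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, src, dst_name):
    """Hop-by-hop path from src to dst_name under the given tables."""
    path, node = [src], src
    while node != dst_name:
        hop = next_hop(tables[node], ADDR[dst_name])
        node = dst_name if hop is DIRECT else hop
        if node in path:
            raise RuntimeError("routing loop")
        path.append(node)
    return path

def is_symmetric(tables, a="LOC-client", b="DMZ-server"):
    """True when the return path is the forward path reversed."""
    return trace(tables, a, b) == trace(tables, b, a)[::-1]

def with_fix(tables):
    """Add the suggested static route on the DMZ server: LOC via Shorewall-GW."""
    fixed = {n: list(t) for n, t in tables.items()}
    fixed["DMZ-server"].append((LOC, "Shorewall-GW"))
    return fixed

if __name__ == "__main__":
    for label, t in (("before", base_tables()), ("after", with_fix(base_tables()))):
        print(label, trace(t, "DMZ-server", "LOC-client"), is_symmetric(t))
```

On a real host the same check is `ip route get <LOC-client address>` run on the DMZ server before and after adding the route.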