Tom, I’m only getting a redirect message in the Reverse Proxy server’s log:

=====
www.foss4climate.org:80 49.199.143.136 - - [21/Feb/2020:10:15:14 +1100] "GET / HTTP/1.1" 302 553 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"
www.foss4climate.org:80 34.229.157.237 - - [21/Feb/2020:10:15:57 +1100] "GET / HTTP/1.1" 302 497 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
=====

I was testing from IP: 49.199.143.136

There was no entry in the Web Server’s log, so the connection wasn’t made.

I’m redirecting http traffic to https on the Proxy Server.

The (Firefox) browser shows the message ‘Performing TLS handshake to www.foss4climate.org…’, then times out.

One other aspect that I didn’t mention earlier is that my Firewall’s ‘messages’ and ‘kern.log’ log files are getting many records such as:

=====
Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
=====

shorewall.conf has the following log file configuration:

LOGFILE=/var/log/messages

I understand that the TLS connection should be covered by the http port rules.

Kind regards,

Bruce

> On 21 Feb 2020, at 10:01, Tom Eastep <teas...@shorewall.net> wrote:
>
> On 2/20/20 2:22 PM, Bruce Bannerman wrote:
>> I did a few tests yesterday with DNAT, SNAT and the current rules.
>>
>> I stopped and started the shorewall service using 'systemctl restart shorewall’ prior to running the tests to create the dump file.
>>
>> I then did a shorewall reload.
>>
>> I just replaced the ACCEPT with DNAT during the previous tests.
>>
>> The relevant params and rules that I have in place are:
>>
>> =====
>> /etc/shorewall/params
>> #
>> E_FW=203.214.66.98
>> E_DNS=203.214.66.100
>> E_SMTP=203.214.66.100
>> E_WWW=203.214.66.103
>> E_SMTPS_B=203.214.66.104
>> E_SMTPS_G=203.214.66.105
>> E_SMTPS_F=203.214.66.106
>> #
>>
>> /etc/shorewall/rules
>> #
>> # ===== net - Internet =====
>> #
>> <snip>
>> #
>> #ACTION        SOURCE   DEST             PROTO   DPORT                          SPORT   ORIGDEST
>> #
>> ACCEPT:$LOG    net      dmz:$E_DNS       udp     domain
>> ACCEPT:$LOG    net      dmz:$E_DNS       tcp     domain
>> #
>> ACCEPT:$LOG    net      dmz:$E_WWW       tcp     http,https
>> ACCEPT:$LOG    net      dmz:$E_SMTP      tcp     smtp
>> #
>> ACCEPT:$LOG    net      dmz:$E_SMTPS_B   tcp     imaps,submissions,submission
>> ACCEPT:$LOG    net      dmz:$E_SMTPS_G   tcp     imaps,submissions,submission
>> ACCEPT:$LOG    net      dmz:$E_SMTPS_F   tcp     imaps,submissions,submission
>> #
>> <snip>
>> #
>> # ===== DMZ =====
>> #
>> #ACTION        SOURCE   DEST   PROTO   DPORT                          SPORT   ORIGDEST
>> #
>> ACCEPT:$LOG    dmz      net    udp     domain                         -       -
>> ACCEPT:$LOG    dmz      net    tcp     domain                         -       -
>> #
>> ACCEPT:$LOG    dmz      net    tcp     http,https                     -       -
>> #
>> ACCEPT:$LOG    dmz      net    tcp     smtp                           -       -
>> #
>> ACCEPT:$LOG    dmz      net    tcp     imaps,submissions,submission   -       -
>> #
>> <snip>
>> =====
>>
>
> Okay -- well, it looks to me as though the reverse proxy is not initiating the second connection to the web server or that it is attempting to initiate the connection and is getting an error. Does its log give you any clue?
>
> -Tom
> --
> Tom Eastep            \ Q: What do you get when you cross a mobster
> Shoreline,             \ with an international standard?
> Washington, USA         \ A: Someone who makes you an offer you
> http://shorewall.org     \ can't understand
> \________________________________________
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
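The evidence in this thread is two logs that have to be read together: the proxy's access log shows only 302 responses on port 80, and the firewall's kernel log shows "martian destination" messages from the same client address. The script below is an added example (it is not Bruce's, Tom's or the Shorewall project's code) that does that correlation mechanically. It assumes the proxy logs in Apache combined format with the virtual host and port prepended, which is the shape of the lines quoted above, and that the kernel messages come from a syslog-style file such as the LOGFILE Bruce names. The first two access lines and the kernel line are the ones quoted in the thread; the port-443 line is constructed to show what a client that did complete the redirect looks like. The time window is a parameter, not anything the thread specifies.

```python
"""Correlate a reverse proxy's HTTP->HTTPS redirects with kernel 'martian'
messages from the firewall.

Added example for this thread; not code from Bruce, Tom or Shorewall.
Assumes Apache combined log lines prefixed with "%v:%p" and syslog-style
kernel lines, as in the excerpts quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined format with "vhost:port" prepended, matching the quoted lines.
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Kernel martian lines as they appear in a syslog-style messages file.
MARTIAN_RE = re.compile(
    r'martian (?P<kind>source|destination) (?P<addr>\S+) '
    r'from (?P<src>\S+), dev (?P<dev>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Sample input: first two access lines and the kernel line are quoted in the
# thread; the port-443 line is constructed for contrast.
ACCESS_LOG = [
    'www.foss4climate.org:80 49.199.143.136 - - [21/Feb/2020:10:15:14 +1100] '
    '"GET / HTTP/1.1" 302 553 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; '
    'rv:73.0) Gecko/20100101 Firefox/73.0"',
    'www.foss4climate.org:80 34.229.157.237 - - [21/Feb/2020:10:15:57 +1100] '
    '"GET / HTTP/1.1" 302 497 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"',
    # constructed: the same client completing the redirect on port 443
    'www.foss4climate.org:443 34.229.157.237 - - [21/Feb/2020:10:15:58 +1100] '
    '"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"',
]
KERNEL_LOG = [
    'Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination '
    '0.0.0.0 from 49.199.143.136, dev eth0',
]


def parse_access(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def parse_martians(lines):
    """Return (kind, address, source, device) for every kernel martian message."""
    found = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m is not None:
            found.append((m["kind"], m["addr"], m["src"], m["dev"]))
    return found


def unfollowed_redirects(records, window=timedelta(minutes=5)):
    """Map client -> number of 3xx responses on port 80 that were not followed
    by a request from that client on port 443 within `window`.

    A client that only ever appears here never completed a TLS connection to
    the proxy, so the loss is on the path to port 443, not between the proxy
    and the backend web server."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    counts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["port"] != 80 or not 300 <= rec["status"] < 400:
                continue
            followed = any(
                later["port"] == 443 and later["ts"] - rec["ts"] <= window
                for later in recs[i + 1:]
            )
            if not followed:
                counts[client] = counts.get(client, 0) + 1
    return counts


def clients_with_martians(records, martians, window=timedelta(minutes=5)):
    """Clients whose redirect was never followed and whose address is also
    the source of a kernel martian message: the two symptoms coincide."""
    stuck = unfollowed_redirects(records, window)
    martian_sources = {src for _, _, src, _ in martians}
    return sorted(set(stuck) & martian_sources)


if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    marts = parse_martians(KERNEL_LOG)
    for client, n in unfollowed_redirects(recs).items():
        print(f"{client}: {n} redirect(s) on :80 with no follow-up on :443")
    print("also seen as a martian source:", clients_with_martians(recs, marts))
```

Run against the sample lines it reports 49.199.143.136 (one redirect never followed, and a martian source) and nothing for 34.229.157.237, whose port-443 request arrived a second after its redirect. The absence of a port-443 entry only shows that the TLS connection never reached the proxy; where the packet was dropped has to come from the firewall side, which is what the `$LOG` suffix on the Shorewall rules above is for.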