Tom,

Thanks for the tip regarding the dodgy router/modem.

I have now replaced it and run another set of tests:

  • I’m still set up using the router/modem port forward configuration.
  • All tests appeared to work OK: domain, smtp, smtps, msa, imaps, http, https
  • I did not see any martian destination packets.

I’ve included shorewall_dump-4 below.

For the next test, I’ll:

  • remove the router/modem port forwarding.
  • reset my name servers to use my /28 subnet and try again going directly to my firewall and shorewall config.

IP Addresses used for test 4:

203.214.66.97 external router/modem gateway (internal interface)
203.214.66.100 nameserver,smtp 
203.214.66.104 mail 
203.214.66.103 Reverse Proxy Server 
172.16.4.203 Web Server
49.183.57.44 Laptop’s updated IP address


Kind regards,

Bruce


 

Attachment: shorewall_dump-4.tar.gz
Description: GNU Zip compressed data


On 23 Feb 2020, at 08:18, Bruce Bannerman <bruban...@gmail.com> wrote:

Regarding Martian packets:

Yes, I’m still seeing many of them under the router/modem port forward configuration.

I’ll replace my modem tomorrow and try again.

Thanks for the pointer.

Kind regards,

Bruce



On 23 Feb 2020, at 5:21 am, Tom Eastep <teas...@shorewall.net> wrote:


On 2/21/20 12:20 PM, Bruce Bannerman wrote:
Hi Tom,

I have some partial improvement that may help.


I have:

* reset my nameserver to point each of my ‘servers’ to the IP
  address of the external interface of my external router/modem.
* on the external router/modem, I configured WAN Port Forwarding to
  point to several of the same /28 subnet external addresses as per
  my previous emails:
  o http, https          203.214.66.103
  o smtp                 203.214.66.100
  o smtps, msa, imaps    203.214.66.104
* made no changes to my shorewall configuration.
* made no changes to the network addresses or routing configuration
  of my servers.
* made no changes to my web server, or reverse proxy server
  configuration.


When testing externally I can now access the website at
www.foss4climate.org <http://www.foss4climate.org>. However, access
is considerably slower than normal.

NB: These tests were conducted soon after I made my nameserver
changes. While my laptop’s nameserver could get the correct URL for
the website, it had not picked up the correct URL for my mail
servers. So ignore the mail related connections.

Also note that my shorewall configuration does not take account of
the router/modem's external interface, or IP address. It just
accounts for the modem’s internal IP Address.

Shorewall Dump for test 3 is attached.

IP Addresses in test 3:

203.214.66.97 external router/modem gateway (internal interface)
203.214.66.103 Reverse Proxy Server
172.16.4.203 Web Server
49.199.104.114 Laptop’s updated IP address

It seems to me that from the Shorewall box's point of view, this
configuration should be no different than the one where DNS resolves
to the actual server addresses - by the time that packets reach the
Shorewall system, they should look the same. Are you still seeing
martian packets with this configuration?

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                    \________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
