Craig M. Nicholson
2006-Oct-11 07:42 UTC
Re: Multi ISP - possible bug in incoming connections
Hi Tom,

> Sorry -- I can't comment without seeing a 'shorewall dump' collected as
> described in great detail at
> http://www.shorewall.net/support.htm#guidelines. Also:

Yeah I understand that but my dump is really large, complicated and might contain business sensitive information which I don't feel is a good idea to place on a public mailing list.

> a) Why are you specifying 'loose'?

The providers file documents the loose option as:

"Normally, Shorewall adds routing rules to prohibit firewall marks from working with traffic generated on the firewall itself. By setting the 'loose' option, generation of these rules is avoided."

If I am interpreting this correctly the loose option is needed if you want to mark traffic originating on the firewall itself. I use this to force certain of my squid traffic (originating on the firewall itself) out of my eth1 interface and the remainder out of my ppp0 interface.

> b) Where does this FTP server run? The firewall? In a local network?

The FTP server runs on the firewall.

> c) Is it the responses to the control connection (TCP port 21) that go out
> via eth1 or is it active mode connections from the server back to the
> client that go out via eth1?

It's the actual TCP session that is never established from the FTP client perspective. So yes it is the control connection that has the problem. A telnet to the firewall's FTP port from the Internet doesn't result in an established connection.

Regards,
- Craig.
Craig M. Nicholson wrote:
> Hi Tom,
>
>> Sorry -- I can't comment without seeing a 'shorewall dump' collected as
>> described in great detail at
>> http://www.shorewall.net/support.htm#guidelines. Also:
>
> Yeah I understand that but my dump is really large, complicated and
> might contain business sensitive information which I don't feel is a
> good idea to place on a public mailing list.
>
>> a) Why are you specifying 'loose'?
>
> The providers file documents the loose option as:
>
> "Normally, Shorewall adds routing rules to prohibit firewall marks from
> working with traffic generated on the firewall itself. By setting the
> 'loose' option, generation of these rules is avoided."
>
> If I am interpreting this correctly the loose option is needed if you
> want to mark traffic originating on the firewall itself. I use this to
> force certain of my squid traffic (originating on the firewall itself)
> out of my eth1 interface and the remainder out of my ppp0 interface.

Don't know what version of the code you are running but the current providers file doesn't say that. Here's what the Multi-ISP documentation says:

    loose    Do not include routing rules that force traffic whose source IP
             is an address of the INTERFACE to be routed to this provider.
             Useful for defining providers that are to be used only when the
             appropriate packet mark is applied.

If you get rid of 'loose', it should work.

-Tom
--
Tom Eastep                 \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                 \ http://shorewall.net
Washington USA             \ teastep@shorewall.net
PGP Public Key             \ https://lists.shorewall.net/teastep.pgp.key
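The following is an added illustration, not code from this thread or from Shorewall: a toy policy-routing lookup that models the rule the 'loose' option suppresses (per the documentation Tom quotes, the rule sending traffic whose source IP is an address of the provider's interface to that provider's table). The addresses, table names and mark value are constructed, and the model ignores connection-mark restoration and other real Shorewall machinery; it only shows why an unmarked reply bound to the eth1 address leaves via the default provider when that rule is missing.

```python
"""Toy policy-routing lookup modelling Shorewall's 'loose' provider option.

Added illustration, not Shorewall's code. 'loose' (as quoted in the thread)
omits the rule "traffic whose source IP is an address of the INTERFACE is
routed to this provider". All addresses, marks and table names below are
constructed for the example.
"""

ETH1_ADDR = "203.0.113.10"   # constructed: the firewall's address on eth1
ETH1_MARK = 0x1              # constructed: packet mark that selects eth1

# Constructed routing tables: each provider table's default route, plus
# 'main', whose default route goes out via ppp0.
TABLES = {
    "eth1_table": "eth1",
    "main": "ppp0",
}

def build_rules(loose: bool):
    """Policy rules in lookup order as (selector, table); first match wins."""
    rules = [(lambda p: p.get("mark") == ETH1_MARK, "eth1_table")]
    if not loose:
        # This is the source-address rule that 'loose' leaves out.
        rules.append((lambda p: p["src"] == ETH1_ADDR, "eth1_table"))
    rules.append((lambda p: True, "main"))  # fall through to the main table
    return rules

def egress_interface(packet: dict, loose: bool) -> str:
    """Return the interface a locally generated packet would leave through."""
    for matches, table in build_rules(loose):
        if matches(packet):
            return TABLES[table]
    raise RuntimeError("unreachable: the main-table rule always matches")

# Constructed: a SYN/ACK from the firewall's FTP daemon bound to the eth1
# address; nothing marked it, so it carries no packet mark.
FTP_REPLY = {"src": ETH1_ADDR, "sport": 21, "mark": None}
# Constructed: squid traffic that a marking rule on the firewall tagged.
MARKED_SQUID = {"src": ETH1_ADDR, "sport": 3128, "mark": ETH1_MARK}

if __name__ == "__main__":
    for loose in (True, False):
        print(f"loose={loose}: FTP reply via {egress_interface(FTP_REPLY, loose)}, "
              f"marked squid via {egress_interface(MARKED_SQUID, loose)}")
```

With loose=True the unmarked FTP reply falls through to the main table and leaves via ppp0 while the marked squid traffic still leaves via eth1; with loose=False both leave via eth1.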