Hello,

We have a video conference server using tcp and udp port 3001 internally. An external user said that they can't connect to the video server and held on 3001 fail. The following is the file configuration:

nat:
1.2.3.4 eth1:3 192.168.0.18

rule:
video/ACCEPT net loc:192.168.0.18

marco.video:
PARAM - - tcp 3000
PARAM - - udp 3000
PARAM - - tcp 3001
PARAM - - udp 3001
PARAM - - tcp 3003
PARAM - - udp 3003
PARAM - - tcp 3005
PARAM - - udp 3005
PARAM - - tcp 3009
PARAM - - udp 3009
PARAM - - tcp 8080

-------------------------------------------------------------------------
On 10/26/07, Wilson Kwok <leiw324@yahoo.com.hk> wrote:
> nat: 1.2.3.4 eth1:3 192.168.0.18

Is this some form of masq rule in the shorewall masq file?

> rule: video/ACCEPT net loc:192.168.0.18

You need a DNAT, not an accept.

And I'd write it as

DNAT net loc:192.168.0.18 tcp 3000,3002...

Prasanna.

-------------------------------------------------------------------------
> rule: video/ACCEPT net loc:192.168.0.18
> You need a DNAT, not an accept.

Why do I need to use DNAT? Other rules don't need to do that.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

-------------------------------------------------------------------------
On 10/26/07, Wilson Kwok <leiw324@yahoo.com.hk> wrote:
> > rule: video/ACCEPT net loc:192.168.0.18
> You need a DNAT, not an accept.
>
> Why do I need to use DNAT? Other rules don't need to do that.

Read
http://shorewall.net/two-interface.htm#DNAT

If you want to do a port-forward you need a DNAT. If the destination port is on the firewall, then you need only an accept.

Prasanna.

-------------------------------------------------------------------------
Prasanna Krishnamoorthy wrote:
> On 10/26/07, Wilson Kwok <leiw324@yahoo.com.hk> wrote:
>>> nat: 1.2.3.4 eth1:3 192.168.0.18
>> Is this some form of masq rule in the shorewall masq file?

It's an entry in the /etc/shorewall/nat file. It says that external IP 1.2.3.4 on eth1 is to be bi-directionally mapped to internal address 192.168.0.18.

In this case, ACCEPT rules are correct.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
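An added example (not part of the thread, and not Shorewall's own code) that expands the `video/ACCEPT` rule through the macro and applies the distinction drawn in the replies above: with a matching entry in the nat file, ACCEPT rules suffice; without one, forwarding to the internal host needs DNAT. The parsing is a simplified model of the file formats, and `fields`, `parse_nat`, `expand_macro` and `review` are names invented for the illustration.

```python
# Configuration text is from the thread; the parsing is a simplified model of
# the Shorewall file formats written for this example, not Shorewall's code.
NAT_FILE = "1.2.3.4 eth1:3 192.168.0.18"
RULE = "video/ACCEPT net loc:192.168.0.18"
MACRO_VIDEO = "\n".join(
    ["PARAM - - %s %d" % (proto, port)
     for port in (3000, 3001, 3003, 3005, 3009) for proto in ("tcp", "udp")]
    + ["PARAM - - tcp 8080"])

def fields(line):
    """Split one config line into columns, ignoring '#' comments."""
    return line.split("#", 1)[0].split()

def parse_nat(text):
    """Return {internal_ip: external_ip} for each one-to-one NAT entry."""
    entries = (fields(line) for line in text.splitlines())
    return {f[2]: f[0] for f in entries if len(f) >= 3}

def expand_macro(rule, macro_text):
    """Expand 'macro/ACTION SOURCE DEST' into (action, src, dst, proto, port)."""
    invocation, source, dest = fields(rule)[:3]
    action = invocation.split("/", 1)[1]
    expanded = []
    for f in (fields(line) for line in macro_text.splitlines()):
        if len(f) < 5:
            continue
        # PARAM takes the invoking rule's action; '-' takes its SOURCE/DEST.
        expanded.append((action if f[0] == "PARAM" else f[0],
                         source if f[1] == "-" else f[1],
                         dest if f[2] == "-" else f[2], f[3], f[4]))
    return expanded

def review(rule, macro_text, nat_text):
    """Return (expanded rules, verdict on ACCEPT versus DNAT for the DEST host)."""
    host = fields(rule)[2].split(":", 1)[1]
    external = parse_nat(nat_text).get(host)
    if external:
        verdict = "ACCEPT is enough: nat file maps %s <-> %s" % (external, host)
    else:
        verdict = "no nat entry for %s: forwarding to it needs DNAT" % host
    return expand_macro(rule, macro_text), verdict

if __name__ == "__main__":
    rules, verdict = review(RULE, MACRO_VIDEO, NAT_FILE)
    print(verdict)
    for r in rules:
        print(*r)
```

-------------------------------------------------------------------------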
Wilson Kwok wrote:
> Hello,
>
> We have a video conference server using tcp and udp port 3001 internally.
> An external user said that they can't connect to the video server and
> held on 3001 fail.

Are you seeing any 'Shorewall' log messages when this fails?

-Tom

-------------------------------------------------------------------------
Hello,

Sorry for the late reply. I can't see any fail log when an external client accesses that video conference server.

Thx

Tom Eastep <teastep@shorewall.net> wrote:
> Are you seeing any 'Shorewall' log messages when this fails?

-------------------------------------------------------------------------
Hello,

I can't see any fail log when an external client accesses those ports.

Tom Eastep <teastep@shorewall.net> wrote:
> Are you seeing any 'Shorewall' log messages when this fails?

-------------------------------------------------------------------------
Wilson Kwok wrote:
> Hello,
>
> I can't see any fail log when an external client accesses those ports.

Then I guess that you are going to have to analyze the problem with tcpdump or Wireshark.

-Tom

-------------------------------------------------------------------------
Hello,

Can you tell me how to use tcpdump?

Thx

Tom Eastep <teastep@shorewall.net> wrote:
> Then I guess that you are going to have to analyze the problem with tcpdump or Wireshark.

-------------------------------------------------------------------------
On Sat, Nov 03, 2007 at 11:09:02PM +0800, Wilson Kwok wrote:
> Hello,
>
> Can you tell me how to use tcpdump ?
>
> Thx

Try 'man 8 tcpdump'

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

-------------------------------------------------------------------------
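An added example, not part of the thread: one way to act on the tcpdump suggestion is to capture on both sides of the firewall and see where the traffic for port 3001 stops. The addresses and port are the thread's; the internal interface name `eth0`, the client address `203.0.113.7` and the capture lines are constructed for the illustration.

```python
import re

# Addresses and port come from the thread. The captures are constructed sample
# text in `tcpdump -n` format, as produced on the firewall by e.g.
#   tcpdump -n -i eth1 host 1.2.3.4 and port 3001
#   tcpdump -n -i eth0 host 192.168.0.18 and port 3001   (eth0 is assumed)
EXT_IP, INT_IP, PORT = "1.2.3.4", "192.168.0.18", 3001

EXT_CAPTURE = """\
10:15:01.100000 IP 203.0.113.7.40000 > 1.2.3.4.3001: Flags [S], seq 1000, win 64240, length 0
10:15:02.100000 IP 203.0.113.7.40000 > 1.2.3.4.3001: Flags [S], seq 1000, win 64240, length 0
"""
INT_CAPTURE = """\
10:15:01.100200 IP 203.0.113.7.40000 > 192.168.0.18.3001: Flags [S], seq 1000, win 64240, length 0
10:15:02.100200 IP 203.0.113.7.40000 > 192.168.0.18.3001: Flags [S], seq 1000, win 64240, length 0
"""

PACKET = re.compile(r" IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse(capture):
    """Return (src_ip, src_port, dst_ip, dst_port) for each IPv4 packet line."""
    found = (PACKET.search(line) for line in capture.splitlines())
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in found if m]

def diagnose(external, internal):
    """Say where traffic for the service stops, given one capture per interface."""
    ext, inn = parse(external), parse(internal)

    def sent_to(pkts, ip):
        return any(dst == ip and dport == PORT for _, _, dst, dport in pkts)

    def sent_from(pkts, ip):
        return any(src == ip and sport == PORT for src, sport, _, _ in pkts)

    if not sent_to(ext, EXT_IP):
        return "no request reaches the firewall: look upstream of eth1"
    if not sent_to(inn, INT_IP):
        return "request arrives but is not forwarded: check nat entry and rules"
    if not sent_from(inn, INT_IP):
        return "server never answers: check the service, its host firewall and default route"
    if not sent_from(ext, EXT_IP):
        return "server answers but the reply does not leave eth1 as 1.2.3.4"
    return "both directions pass the firewall on this port"

if __name__ == "__main__":
    print(diagnose(EXT_CAPTURE, INT_CAPTURE))
```

The external capture shows the address before translation (1.2.3.4) and the internal capture shows it after (192.168.0.18), which is why each side is matched against a different address.

-------------------------------------------------------------------------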