Hello, I'm using Shorewall v2.2.2 on Fedora Core 3. Every function that I wanted is working well, but when I checked my P2P compatibility on a local machine (local, dmz zones), the loopback translation (TCP/UDP) doesn't work. I used this tool to check: http://midcom-p2p.sourceforge.net/ and the local system is Windows based. Note that other functions on that system are WORKING. Below are the check results of my local machine.

===========================================================
TCP RESULTS:
TCP consistent translation: YES (GOOD for peer-to-peer)
TCP simultaneous open: YES (GOOD for peer-to-peer)
TCP loopback translation: NO (BAD for P2P over Twice-NAT)
TCP unsolicited connections filtered: YES (GOOD for security)

UDP RESULTS:
UDP consistent translation: YES (GOOD for peer-to-peer)
UDP loopback translation: NO (BAD for P2P over Twice-NAT)
UDP unsolicited messages filtered: YES (GOOD for security)
===========================================================

I've tried to put the local system in the dmz zone, but it still doesn't work. Even when I forwarded every port using DNAT it doesn't work. How can I get loopback translation working? Below are my policy settings.

------------------------------------------------------------------------------------------------------------------------
#SOURCE    DEST    POLICY    LOG LIMIT:BURST
#                            LEVEL
fw         all     ACCEPT
dmz        all     ACCEPT
local      all     ACCEPT
net        dmz     ACCEPT
net        all     DROP
all        all     DROP
------------------------------------------------------------------------------------------------------------------------

Thanks for your support.
Paradox wrote:
> I've tried to put the local system in the dmz zone,
> but it still doesn't work. Even when I forwarded every port using DNAT
> it doesn't work. How can I get loopback translation working?

a) Take out ALL of the rules/policies that you added trying to make this work.
b) Try the Loopback test.
c) LOOK AT YOUR LOG.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Please keep this on the list -- I don't want to have to go through this again when someone else has a question about 'natcheck'.

Paradox wrote:
> You meant remove 'DROP' things at policy, right?
> So my policy looks like this.
>
> fw all ACCEPT
> local all ACCEPT
> net all ACCEPT
>
> There's no DROP things, and 'rules' are clean,
> but the natcheck (P2P compatibility check tool) result is the same.

Please:

a) Uninstall Shorewall.
b) Reinstall Shorewall and configure it following the appropriate Quickstart Guide (http://shorewall.net/shorewall_quickstart_guide.htm). Do not add or remove any policies or rules except as directed in the guide. Get everything working but DO NOT ADD OR DELETE ANYTHING TO TRY TO GET natcheck TO WORK. In particular, do not delete the DROP or REJECT policies; they HELP YOU DEBUG THESE KINDS OF PROBLEMS and removing them makes it harder to debug rather than easier (as you are finding out).
c) Run natcheck.
d) Look at the output of "shorewall show log". If Shorewall is blocking something that 'natcheck' needs, it will likely be in the log.

If you can't find the problem then when you respond to the list, please direct us to the URL that describes the firewall considerations for whatever product 'natcheck' is part of. I've never heard of the thing so showing me the output from it is useless.

-Tom
Tom Eastep wrote:
> If you can't find the problem then when you respond to the list, please
> direct us to the URL that describes the firewall considerations for
> whatever product 'natcheck' is part of. I've never heard of the thing so
> showing me the output from it is useless.

I've performed this same test (natcheck) on one of my systems here with the same result that you are seeing. I don't know any way to configure Netfilter SNAT differently that will change this result.

Sorry,
-Tom