Some probably wish v1.2.12-2 out of Debian Woody would just go away, but it's what I'm using and I really don't wish to upgrade at this time (but will eventually). My needs are rather simple and I'm sure it can handle the job. I've read and re-read the FAQs and searched extensively for docs on what my problem might be, but just cannot put my finger on it.

I'm running a 3-NIC box, with zones: net (eth0), loc (eth1), dmz (eth2). I'm putting up a web server in the DMZ, at 192.168.2.1. I have a static IP address. The internet comes in through an Actiontec 1524 DSL gateway that has ports 80 and 443 forwarded to the firewall, at 192.168.0.15 (net, eth0). I cannot seem to get access to the web server. Using tcpdump on the firewall on eth0, I cannot see port 80 requests, but can see 443 requests (I'm thinking the ISP might have port 80 blocked). No activity is seen on the DMZ interface of the firewall, because it's dropping packets.

Here is what is being reported in dmesg:

    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:21:e2:20:e1:00:20:e0:45:ed:c0:08:00 SRC=65.19.222.32 DST=192.168.0.15 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=16645 DF PROTO=TCP SPT=1180 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0

Here is what is in the 'rules' file:

    ACCEPT  net  dmz:192.168.2.1  tcp  www,https  -  www.xxx.yyy.zzz

where www.xxx.yyy.zzz is my static IP address.

Here is what is in the 'policy' file:

    loc  net  ACCEPT
    net  all  DROP    info
    fw   net  REJECT  info
    all  all  REJECT  info

Can someone possibly explain why my packets are being dropped and not being routed to the DMZ? I tried adding a 'net dmz ACCEPT' line before the 'net all DROP' line, but it had no effect.

Thank you.
Neptune wrote:
> Some probably wish v1.2.12-2 out of Debian Woody would just go away

It has as far as I am concerned -- I haven't answered problem reports regarding that release for a couple of years.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On 04.04.2005 01:16, Neptune wrote:
> I'm running a 3-NIC box, with zones: net (eth0), loc (eth1), dmz (eth2). I'm
> putting up a web server in the DMZ, at 192.168.2.1. I have a static IP
> address. The internet comes in through an Actiontec 1524 DSL gateway that
> has ports 80 and 443 forwarded to the firewall, at 192.168.0.15 (net,
> eth0).

Why do you forward to your firewall, and not to your webserver?

I could imagine 2 setups:
a) configure the firewall as a bridge, and forward from the DSL gateway to the webserver
b) forward to the firewall, and forward there to the webserver

/ben
Ben Greiner wrote:
> On 04.04.2005 01:16, Neptune wrote:
>
>> I'm running a 3-NIC box, with zones: net (eth0), loc (eth1), dmz
>> (eth2). I'm putting up a web server in the DMZ, at 192.168.2.1. I
>> have a static IP address. The internet comes in through an Actiontec
>> 1524 DSL gateway that has ports 80 and 443 forwarded to the
>> firewall, at 192.168.0.15 (net, eth0).
>
> Why do you forward to your firewall, and not to your webserver?

Sounds like he has two NATing routers configured in tandem (the Shorewall box is behind his DSL gateway that also does NAT).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
But there is an ACCEPT rule in the rules file, but not a DNAT ...

/ben

On 04.04.2005 02:25, Tom Eastep wrote:
> Ben Greiner wrote:
>
>> On 04.04.2005 01:16, Neptune wrote:
>>
>>> I'm running a 3-NIC box, with zones: net (eth0), loc (eth1), dmz
>>> (eth2). I'm putting up a web server in the DMZ, at 192.168.2.1. I
>>> have a static IP address. The internet comes in through an Actiontec
>>> 1524 DSL gateway that has ports 80 and 443 forwarded to the
>>> firewall, at 192.168.0.15 (net, eth0).
>>
>> Why do you forward to your firewall, and not to your webserver?
>
> Sounds like he has two NATing routers configured in tandem (the
> Shorewall box is behind his DSL gateway that also does NAT).
>
> -Tom
Ben Greiner wrote:
> But there is an ACCEPT rule in the rules file, but not a DNAT ...

One more reason not to support old releases; discussing problems involving them confuses everyone on the list who never had to suffer through them. There were no 'DNAT' rules in 1.2.12 -- port forwarding was done using a variation of the ACCEPT action.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
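The check worth doing with the two messages above in hand (an added example, not code from the thread or from Shorewall): in the 1.2 rules file the ACCEPT port-forwarding variant takes ORIGINAL DEST as its last column, and that column is compared with the destination address the packet carries when it reaches the firewall. The dmesg line in the original post shows that address as DST=192.168.0.15, the firewall's own eth0 address written there by the DSL gateway's NAT, not the public address the rule names. The script below parses Shorewall kernel-log lines and reports why a packet does or does not match a rule line. Assumptions: the zone map is the one from the post, 198.51.100.20 is a stand-in for the elided www.xxx.yyy.zzz, the service table is hand-written in place of /etc/services, and the second log line is constructed to show what a matching packet looks like.

```python
"""Model the columns of a Shorewall 1.2 rules line that matter here
(SOURCE zone, PROTO, DEST PORT, ORIGINAL DEST) and test them against
the fields Shorewall writes to the kernel log.  Added illustration only."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface-to-zone mapping from the original post.
IFACE_ZONE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# Hand-written stand-in for /etc/services (assumption: only these are needed).
SERVICES = {"www": 80, "http": 80, "https": 443}

# First line: the dmesg entry from the post.  Second line: constructed, with
# the public address 198.51.100.20 standing in for www.xxx.yyy.zzz.
SAMPLE_LOG = [
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:21:e2:20:e1:00:20:e0:45:ed:c0:08:00 "
    "SRC=65.19.222.32 DST=192.168.0.15 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=16645 DF "
    "PROTO=TCP SPT=1180 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 "
    "RES=0x00 SYN URGP=0",
]

# The poster's rule (public address substituted) and the same rule without
# the ORIGINAL DEST column.
RULE_WITH_ORIGDEST = "ACCEPT net dmz:192.168.2.1 tcp www,https - 198.51.100.20"
RULE_WITHOUT_ORIGDEST = "ACCEPT net dmz:192.168.2.1 tcp www,https"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: Dict[str, str]

    @property
    def in_zone(self) -> Optional[str]:
        """Zone of the interface the packet arrived on."""
        return IFACE_ZONE.get(self.fields.get("IN", ""))


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one 'Shorewall:chain:DISPOSITION:KEY=VAL ...' kernel log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields[token] = ""  # bare flags such as DF and SYN
    return LogEntry(m.group("chain"), m.group("disposition"), fields)


def parse_ports(spec: str) -> List[int]:
    """Turn 'www,https' or '80,443' into a list of port numbers."""
    return [SERVICES.get(p, None) or int(p) for p in spec.split(",")]


@dataclass
class Rule:
    """ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST (1.2 layout)."""
    action: str
    source_zone: str
    dest: str
    proto: str
    dports: List[int]
    original_dest: Optional[str] = None

    @classmethod
    def from_line(cls, line: str) -> "Rule":
        cols = line.split()
        cols += ["-"] * (7 - len(cols))  # missing trailing columns mean 'any'
        action, src, dst, proto, dport, _sport, odest = cols[:7]
        return cls(action, src.split(":")[0], dst, proto.lower(),
                   parse_ports(dport), None if odest == "-" else odest)


def match_reasons(rule: Rule, entry: LogEntry) -> List[str]:
    """Reasons the logged packet does NOT match the rule; empty list means it matches."""
    reasons = []
    if entry.in_zone != rule.source_zone:
        reasons.append(f"source zone {entry.in_zone} != {rule.source_zone}")
    if entry.fields.get("PROTO", "").lower() != rule.proto:
        reasons.append(f"PROTO {entry.fields.get('PROTO')} != {rule.proto}")
    dpt = int(entry.fields.get("DPT", "-1"))
    if dpt not in rule.dports:
        reasons.append(f"DPT {dpt} not in {rule.dports}")
    if rule.original_dest and entry.fields.get("DST") != rule.original_dest:
        reasons.append(f"DST {entry.fields.get('DST')} != ORIGINAL DEST {rule.original_dest}")
    return reasons


if __name__ == "__main__":
    rule = Rule.from_line(RULE_WITH_ORIGDEST)
    for line in SAMPLE_LOG:
        entry = parse_log_line(line)
        if entry is not None:
            print(entry.fields["DST"], entry.fields["DPT"], match_reasons(rule, entry) or "match")
```

Run against the poster's own line, the only reason reported is the destination address: the packet is addressed to 192.168.0.15 while the rule's ORIGINAL DEST column names the public address, so the rule never fires and the net all DROP policy logs it from net2all. Dropping the last column, or putting 192.168.0.15 in it, makes the same packet match.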
On Apr 3, 2005 7:16 PM, Neptune <neptune@onewest.net> wrote:
> Some probably wish v1.2.12-2 out of Debian Woody would just go away, but it's
> what I'm using and really don't wish to upgrade at this time (but will
> eventually). My needs are rather simple and I'm sure it can handle the job.

Please get an upgrade. It's a very simple process.