Dear Lists,

I have been using shorewall-14.7 on RedHat 9.0 (kernel 2.4.26 with Julian Anastasov's patch) for quite a long time, and everything seemed to work fine. Until this morning, when I had a problem with one rule:

ACCEPT loc:172.16.0.20,172.16.32.20,172.16.0.230,172.16.0.229,172.16.0.231 net udp 53

172.16.0.229 and 172.16.0.231 are my mail gateways (DNAT). The DNS server is outside the firewall. Now the rule stops working after some time and my mail gateway can't resolve any hostname anymore, but when I restart shorewall it works, just for a while, and so on. What happened to my shorewall?

The log from the kernel seems fine:

Aug 3 17:51:51 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth2 SRC=172.16.0.229 DST=202.x.x.x LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=31630 PROTO=UDP SPT=51468 DPT=53 LEN=57

Please help me..

regards
reza
Muhammad Reza wrote:

> (DNAT).
> The DNS server is outside the firewall.
> Now the rule stops working after some time and my mail gateway can't resolve
> any hostname anymore.

Now all connectivity problems are firewall problems.

> but when I restart shorewall it works, just for a while, and so on.
>
> What happened to my shorewall?

Nothing is wrong with Shorewall. Once "shorewall restart" completes, Shorewall is finished with its job. If everything works after that, then what can possibly be wrong in Shorewall?

> The log from the kernel seems fine:
>
> Aug 3 17:51:51 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth2
> SRC=172.16.0.229 DST=202.x.x.x LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=31630
> PROTO=UDP SPT=51468 DPT=53 LEN=57
>
> Please help me..

Since you have convinced yourself that traffic is being passed from the client through the firewall, then the problem must be somewhere else, right? I would use tcpdump and try to determine where the problem is.

Also look at your system log -- are you seeing any messages about your connection tracking table being full and packets being dropped?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> Muhammad Reza wrote:
>
>> (DNAT).
>>
>> The DNS server is outside the firewall.
>> Now the rule stops working after some time and my mail gateway can't
>> resolve any hostname anymore.
>
> Now all connectivity problems are firewall problems.

Just another analysis....

>> but when I restart shorewall it works, just for a while, and so on.
>>
>> What happened to my shorewall?
>
> Nothing is wrong with Shorewall. Once "shorewall restart" completes,
> Shorewall is finished with its job. If everything works after that,
> then what can possibly be wrong in Shorewall?

Now I'm doing a major upgrade to the latest stable version (2.0.7).

>> The log from the kernel seems fine:
>>
>> Aug 3 17:51:51 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth2
>> SRC=172.16.0.229 DST=202.x.x.x LEN=77 TOS=0x00 PREC=0x00 TTL=63
>> ID=31630 PROTO=UDP SPT=51468 DPT=53 LEN=57
>>
>> Please help me..
>
> Since you have convinced yourself that traffic is being passed from
> the client through the firewall, then the problem must be somewhere
> else, right? I would use tcpdump and try to determine where the problem
> is.
>
> Also look at your system log -- are you seeing any messages about your
> connection tracking table being full and packets being dropped?

How do I see that my connection tracking table is full?

Great thanks, lists.

> -Tom

regards
reza
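The check Tom suggests and that Reza asks about at the end of the thread (is the connection tracking table full?), as an added example. This is not a message from the list and not Shorewall's code; it assumes the standard netfilter interfaces of a Linux firewall (the /proc paths named in the comments: /proc/net/ip_conntrack and ip_conntrack_max on 2.4/early 2.6 kernels, nf_conntrack_count and nf_conntrack_max on later ones) and looks for the kernel's "table full, dropping packet" warning. The log lines below are constructed for the example, not real output from Reza's firewall.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to tell whether the
# netfilter connection tracking table is full.
#   1. The kernel logs "ip_conntrack: table full, dropping packet." when it
#      has to discard a packet for lack of a free entry (2.4/early 2.6;
#      later kernels log "nf_conntrack: table full, dropping packet").
#   2. Compare the live entry count with the configured maximum.

# Constructed sample of /var/log/messages (NOT real output from the poster's
# box): one accepted DNS query, two table-full warnings, one unrelated line.
SAMPLE_LOG='Aug  3 17:51:51 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth2 SRC=172.16.0.229 DST=202.x.x.x PROTO=UDP SPT=51468 DPT=53
Aug  3 17:52:10 fw kernel: ip_conntrack: table full, dropping packet.
Aug  3 17:52:10 fw kernel: ip_conntrack: table full, dropping packet.
Aug  3 17:53:02 fw kernel: eth2: link up'

# count_table_full LOGTEXT: print how many "table full, dropping packet"
# lines the text contains. grep -c exits 1 when the count is 0, so its
# status is masked to keep the function usable under "set -e".
count_table_full() {
    printf '%s\n' "$1" | grep -c 'conntrack: table full, dropping packet' || true
}

# conntrack_pct COUNT MAX: integer percentage of the table in use.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_near_full COUNT MAX: exit 0 when 90% or more of the table is used.
conntrack_near_full() {
    [ "$(conntrack_pct "$1" "$2")" -ge 90 ]
}

# live_conntrack: print "COUNT MAX" from the running kernel, or nothing when
# the counters are not readable (module not loaded, no permission, not Linux).
# 2.4 kernels expose one line per entry in /proc/net/ip_conntrack and the
# limit in /proc/sys/net/ipv4/ip_conntrack_max; newer kernels expose both
# numbers directly under /proc/sys/net/netfilter/.
live_conntrack() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] &&
       [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        echo "$(cat /proc/sys/net/netfilter/nf_conntrack_count) $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    elif [ -r /proc/net/ip_conntrack ] &&
         [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "$(wc -l < /proc/net/ip_conntrack) $(cat /proc/sys/net/ipv4/ip_conntrack_max)"
    fi
}

# Stand-alone run: report on the constructed sample, then on this host.
echo "table-full messages in sample log: $(count_table_full "$SAMPLE_LOG")"
live=$(live_conntrack)
if [ -n "$live" ]; then
    count=${live%% *}
    max=${live##* }
    echo "live conntrack: $count of $max entries ($(conntrack_pct "$count" "$max")%)"
    if conntrack_near_full "$count" "$max"; then
        echo "WARNING: connection tracking table is nearly full"
    fi
else
    echo "no readable conntrack counters on this host"
fi
```

On a live firewall, run the script as root (2.4 kernels only let root read /proc/net/ip_conntrack) and grep /var/log/messages with the same pattern over the time window in which resolution failed. Every DNS lookup forwarded through the firewall creates its own UDP conntrack entry, so a busy mail gateway can fill a small table on its own; if the counters or the warning confirm that, the usual remedy is to raise the limit (for a 2.4 kernel, write a larger number to /proc/sys/net/ipv4/ip_conntrack_max) rather than to restart the firewall, which only clears the table temporarily.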