Hi James,
Hate to top post but I wanted to leave the relevant info untouched. Is
this just related to proxied traffic, or is it any layer 7 traffic that
can't get out?
Not being a Shorewall guru I would immediately packet sniff off the DMZ
router that brings the remote traffic into the DMZ as well, to try and
see what happens with a normal unproxied connection versus a proxied
connection.
With a quick tcpdump or packet sniff off of the DMZ router you should
be able to tell if a 3-way TCP handshake is being made. Are packets
getting out and then not getting back, or are the packets even getting
to the firewall whatsoever? You don't allude to this.
I wish I had a better response but I don't see anyone replying so I
thought that I would throw my 2 pennies in just to stir up some
thoughts.
Is the router in the DMZ doing NAT for traffic that leaves the remote
network out through the DMZ router to the internet?
Any logging that you have from Shorewall turned on will help.
Thanks,
Joshua Banks
--- james lopez <james.lopez@ecof.com> wrote:
> Greetings,
>
> I have a 3 interface firewall that for the most part has been working fine.
> But we are experiencing intermittent problems with computers on a different
> subnet when they attempt to connect to the Internet via a "Wingate Internet
> Proxy server" that is contained within a DMZ. Workstations within that
> subnet have to go through a router with the following IP 192.168.96.1, which
> in turn communicates with the router across the street on subnet
> 192.168.5.1. So the problem that keeps occurring is that when a person
> opens their browser to access the Internet there are times that the page
> will load and sometimes not. There seems to be no consistency in why access
> to the Internet will sometimes operate with no problems but sometimes not.
>
> Since we use a proxy server for access to the Internet, all of the web
> browsers on the workstations have been programmed to point straight to the
> IP address of the DMZ interface, which the firewall forwards all requests on
> port 8080 to the server in the DMZ. Workstations on the main subnet location
> of 192.168.5.1, that houses the firewall and proxy server, do not have
> problems whatsoever with being able to access the Internet. It appears to
> me that packets traveling on port 8080 between subnets 192.168.96.1 &
> 192.168.5.1 are being dropped for some reason.
>
> This was not always the case; before we had the firewall in place, all
> requests to port 8080 which pointed to the Internet Proxy always came
> through with no problems whatsoever. I'm not sure if it's a routing issue
> on the Linux box or perhaps I'm missing some type of rule on the firewall.
> Any help would GREATLY be appreciated.
>
> Sincerely,
> James
>
>
> Redhat Linux 7.2
>
> Shorewall version 1.4.6b
>
> ip addr show
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:c0:df:e7:87:c7 brd ff:ff:ff:ff:ff:ff
> inet 65.115.171.251/29 brd 65.115.171.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:50:ba:ad:69:8c brd ff:ff:ff:ff:ff:ff
> inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:10:4b:c6:f2:8a brd ff:ff:ff:ff:ff:ff
> inet 192.168.5.184/24 brd 192.168.5.255 scope global eth2
>
>
> ip route show
>
> 65.115.171.252 dev eth1 scope link
> 65.115.171.250 dev eth1 scope link
> 65.115.171.248/29 dev eth0 scope link
> 192.168.85.0/24 via 192.168.5.1 dev eth2
> 192.168.5.0/24 dev eth2 scope link
> 192.168.36.0/24 via 192.168.5.1 dev eth2
> 192.168.71.0/24 via 192.168.5.1 dev eth2
> 192.168.20.0/24 via 192.168.5.1 dev eth2
> 192.168.65.0/24 via 192.168.5.1 dev eth2
> 192.168.96.0/24 via 192.168.5.1 dev eth2
> 192.168.2.0/24 dev eth1 scope link
> 192.168.80.0/24 via 192.168.5.1 dev eth2
> 192.168.150.0/24 via 192.168.5.1 dev eth2
> 192.168.17.0/24 via 192.168.5.1 dev eth2
> 192.168.67.0/24 via 192.168.5.1 dev eth2
> 192.168.82.0/24 via 192.168.5.1 dev eth2
> 192.168.15.0/24 via 192.168.5.1 dev eth2
> 192.168.14.0/24 via 192.168.5.1 dev eth2
> 192.168.63.0/24 via 192.168.5.1 dev eth2
> 192.168.60.0/24 via 192.168.5.1 dev eth2
> 192.168.45.0/24 via 192.168.5.1 dev eth2
> 192.168.42.0/24 via 192.168.5.1 dev eth2
> 192.168.40.0/24 via 192.168.5.1 dev eth2
> 192.168.75.0/24 via 192.168.5.1 dev eth2
> 192.168.41.0/24 via 192.168.5.1 dev eth2
> 127.0.0.0/8 dev lo scope link
> default via 65.115.171.249 dev eth0
>
>
> ATTACHMENT part 2 application/octet-stream name=Status.txt
> ATTACHMENT part 3 application/octet-stream name=Shorewall Interfaces.txt
> ATTACHMENT part 4 application/octet-stream name=shorewall rules.txt
> ATTACHMENT part 5 application/octet-stream name=shorewall policy.txt
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
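Joshua's tcpdump suggestion, as an added example that is not part of the original thread: a small Python script that reads a capture taken on the router between 192.168.96.0/24 and 192.168.5.0/24 and reports, for each client flow to port 8080, whether the three-way handshake completed or only SYNs went out. The sample capture lines are constructed, the proxy address 192.168.2.1 (the firewall's eth1 address in James's ip addr output) is an assumption for illustration, and modern tcpdump's bracketed "Flags [S]" format is assumed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n sample, not from the thread. Modern tcpdump prints
# "Flags [S]" / "Flags [S.]" / "Flags [.]"; adjust LINE_RE for older output.
SAMPLE_CAPTURE = """\
10:01:00.000001 IP 192.168.96.20.3344 > 192.168.2.1.8080: Flags [S], seq 100, win 8192, length 0
10:01:00.000500 IP 192.168.2.1.8080 > 192.168.96.20.3344: Flags [S.], seq 500, ack 101, win 5840, length 0
10:01:00.001000 IP 192.168.96.20.3344 > 192.168.2.1.8080: Flags [.], ack 501, win 8192, length 0
10:01:05.000001 IP 192.168.96.21.3345 > 192.168.2.1.8080: Flags [S], seq 200, win 8192, length 0
10:01:08.000001 IP 192.168.96.21.3345 > 192.168.2.1.8080: Flags [S], seq 200, win 8192, length 0
10:01:14.000001 IP 192.168.96.21.3345 > 192.168.2.1.8080: Flags [S], seq 200, win 8192, length 0
"""
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify_handshakes(capture_text, server_port=8080):
    """Report how far the three-way handshake got for each client flow to server_port."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags = m["flags"]
        if dport == server_port:                    # client -> server
            key = (src, sport, dst, dport)
            if "S" in flags:
                flows[key]["syn"] += 1              # SYN, retransmits included
            elif "." in flags and flows[key]["synack"]:
                flows[key]["ack"] += 1              # ACK completing the handshake
        elif sport == server_port:                  # server -> client
            key = (dst, dport, src, sport)
            if "S" in flags and "." in flags:
                flows[key]["synack"] += 1           # SYN-ACK made it back
    report = {}
    for (cip, cport, sip, sp), c in flows.items():
        name = "%s:%d -> %s:%d" % (cip, cport, sip, sp)
        if c["syn"] and c["synack"] and c["ack"]:
            report[name] = "established"
        elif c["syn"] and not c["synack"]:
            report[name] = "no SYN-ACK back after %d SYN(s)" % c["syn"]
        elif c["synack"] and not c["ack"]:
            report[name] = "SYN-ACK seen but final ACK missing"
        else:
            report[name] = "no SYN captured for this flow (asymmetric path?)"
    return report
```

Run the same function over a capture from the firewall's eth2 side: a flow that shows "no SYN-ACK back" on the 192.168.96 router but "established" at the firewall points at the return path, while a flow whose SYNs never appear at the firewall points at the routers in between.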