Hello,

I cannot seem to allow SMTP between two servers on my DMZ. My DMZ has a few hosts proxyarped through the public interface. For diagnostics I have added the policy: DMZ 2 DMZ ACCEPT. After doing this, /var/log/messages reports "Shorewall:dmz2dmz:REJECT:IN=eth2 OUT=eth2" etc. for my SMTP connection attempt. If I add a specific rule, "ACCEPT dmz dmz tcp smtp", the above mentioned rule still denies traffic.

What am I missing? I am sure it is a config in a file I don't normally touch.

Thanks, Alex
Sorry to have left this out, but it seems to be a one way thing, i.e. I can scan port 25 from server A to server B, but not to server B from server A.

----- Original Message -----
From: "Alex Martin" <alex@lararium.org>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, June 05, 2002 10:16 PM
Subject: [Shorewall-users] dmz2dmz

> Hello,
>
> I cannot seem to allow SMTP between two servers on my DMZ.
>
> My DMZ has a few hosts proxyarped through the public interface.
>
> For diagnostics I have added the policy: DMZ 2 DMZ ACCEPT.
>
> After doing this, /var/log/messages reports
> "Shorewall:dmz2dmz:REJECT:IN=eth2 OUT=eth2" etc. for my SMTP connection
> attempt.
>
> If I add a specific rule, "ACCEPT dmz dmz tcp smtp", the above mentioned rule
> still denies traffic.
>
> What am I missing? I am sure it is a config in a file I don't normally touch.
>
> Thanks, Alex
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
> I cannot seem to allow SMTP between two servers on my DMZ.

If the connection is between two servers on the same (DMZ) subnet, why would the traffic be going through the fw at all? If you disconnect the fw from the subnet, can the servers communicate properly? If not, it's not a fw issue. Am I missing something?

[from your 2nd post]
> Sorry to have left this out, but it seems to be a one way thing, i.e. I can
> scan port 25 from server A to server B, but not to server B from server A.

This would also lead me to believe you may have a server config issue, not a fw issue.

Ron
Sorry once again for flooding (sort of) this list, but I have solved the problem. (Thanks Ron Shannon)

I had a typo in the NIC config specifying too small of a netmask setting. Since I have fixed this it seems to work, though I don't understand where that dmz2dmz rule comes from or why it would apply in this (or any) situation. Any clarification on this function?

Thanks, Alex

----- Original Message -----
From: "Ron Shannon" <rshannon@cruzcom.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, June 05, 2002 10:29 PM
Subject: RE: [Shorewall-users] dmz2dmz

> > I cannot seem to allow SMTP between two servers on my DMZ.
>
> If the connection is between two servers on the same (DMZ) subnet, why would
> the traffic be going through the fw at all? If you disconnect the fw from the
> subnet, can the servers communicate properly? If not, it's not a fw issue.
> Am I missing something?
>
> [from your 2nd post]
> > Sorry to have left this out, but it seems to be a one way thing, i.e. I can
> > scan port 25 from server A to server B, but not to server B from server A.
>
> This would also lead me to believe you may have a server config issue, not a
> fw issue.
>
> Ron
> Sorry once again for flooding (sort of) this list, but I have solved the
> problem. (Thanks Ron Shannon)

No apology needed. You're not flooding, the list is quiet anyway... and that's what the list is for.

> I had a typo in the NIC config specifying too small of a netmask setting.

This is kind of what I suspected. I'm glad you found it so fast.

> Since I have fixed this it seems to work, though I don't understand where
> that dmz2dmz rule comes from or why it would apply in this (or any)
> situation.
> Any clarification on this function?

Let me ponder this part a bit. If I dilly dally long enough, you'll probably get a better answer from someone else too. :-)
On Wed, 5 Jun 2002, Alex Martin wrote:

> Since I have fixed this it seems to work, though I don't understand where
> that dmz2dmz rule comes from or why it would apply in this (or any)
> situation.

I suspect that you have "multi" specified on your DMZ interface entry in /etc/shorewall/interface. Read FAQ 2 for an explanation of why some people think that it's cool to route traffic back out the same interface that it came in on...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
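A small model of the failure Alex hit and the explanation Ron and Tom give, added here as an example (not code from the thread or from Shorewall; the addresses, the /25 typo, the zone name and the eth2 interface are constructed assumptions): a host whose netmask is too small treats an on-subnet neighbour as off-link and hands the packet to its default gateway, the firewall, which forwards it back out the same interface, where the dmz2dmz chain sees it. The host with the correct mask sends directly, so only one direction breaks.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample values (assumptions, not taken from the thread).
DMZ_IFACE = "eth2"   # the firewall's DMZ interface, as in Alex's log line
DMZ_ZONE = "dmz"     # Shorewall zone name on both sides of the hairpin


def next_hop(src_cidr: str, dst_ip: str) -> str:
    """'direct' when dst lies inside the sender's *configured* subnet,
    otherwise 'gateway' (the sender hands the packet to its default route)."""
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_address(dst_ip)
    return "direct" if dst in src.network else "gateway"


def firewall_log(src_cidr: str, dst_ip: str) -> Optional[str]:
    """What the Shorewall box would log for one packet from src to dst.
    A hairpinned packet enters and leaves on the same interface, so both
    zones are 'dmz' and the chain is dmz2dmz (Tom's point). The REJECT
    action mirrors the thread's log; the real action depends on policy."""
    if next_hop(src_cidr, dst_ip) == "direct":
        return None  # the packet never reaches the firewall at all
    chain = f"{DMZ_ZONE}2{DMZ_ZONE}"
    return f"Shorewall:{chain}:REJECT:IN={DMZ_IFACE} OUT={DMZ_IFACE}"


def analyse(a_cidr: str, b_cidr: str) -> Dict[str, Optional[str]]:
    """Check both directions between two DMZ hosts, each with its own mask."""
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)
    return {
        "A->B": firewall_log(a_cidr, str(b.ip)),
        "B->A": firewall_log(b_cidr, str(a.ip)),
    }


if __name__ == "__main__":
    # Correct config: both hosts /24, nothing traverses the firewall.
    print(analyse("192.0.2.10/24", "192.0.2.200/24"))
    # Typo on A (/25 instead of /24): A believes .200 is off-link and
    # routes via the firewall, while B still reaches A directly.
    print(analyse("192.0.2.10/25", "192.0.2.200/24"))
```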