Shorewall users - Jul 2002 - New Firewall Problem

Ok, I am typing this all again as I lost my original
message...:-(

I have a number of pieces of a mystery on my hands and
hope someone can help me analyze all this and find a
solution:

I just built a new shorewall firewall on a P120
running RedHat 7.3, Kernel 2.4.18-5 with shorewall
1.3.4.

I can connect to our local library catalog from work
great and can retrieve and send info to this Dynix
Java based system (send is needed to place holds on
material etc).
>From home with my old shorewall firewall I was off and
on able to send to it and never got time to look into
it until now. 

The old firewall was a 486 with RedHat 7.1, Kernel
2.4.9-34 running shorewall 1.2.8.

The FAQ for the library catalog says to "Ask your
computer people to open firewall ports TCP/9090,
TCP/5050 in addition to the regular port TCP/80 that
will already be open so you can visit the Internet . 

The Catalogue is a software product which works from a
specific port." How can I do this in shorewall and are
there any risks doing so? Is this maybe why it worked
sometimes and not others?

With the new firewall I can''t even get to the site:

If I traceroute from work I get this and all works
perfectly:

-cut-
U:>tracert calgarypubliclibrary.com

Tracing route to calgarypubliclibrary.com
[207.34.115.132]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms 
locutus.enel.ucalgary.ca [136.159.102.1]
  2   <10 ms   <10 ms   <10 ms  192.168.102.1
  3   <10 ms   <10 ms   <10 ms  192.168.47.1
  4   <10 ms   <10 ms   <10 ms  192.168.3.25
  5   <10 ms   <10 ms   <10 ms 
clgrabezdr01.bb.telus.com [205.233.111.65]
  6   <10 ms   <10 ms    16 ms  192.168.10.43
  7    63 ms   <10 ms    16 ms 
www.calgarypubliclibrary.com [207.34.115.132]

Trace complete.
-cut-
>From Home with the old ffirewallmy trace mostly works
and the site loads and the catalog works off and on
two way (as noted above):

-cut-
u:>tracert calgarypubliclibrary.com

Tracing route to calgarypubliclibrary.com
[207.34.115.132]
over a maximum of 30 hops:

  1    21 ms     1 ms     1 ms  192.168.0.254
  2    14 ms    13 ms     *    
clgrab46ar02.ab.tac.net [209.115.152.19]
  3    14 ms    13 ms    14 ms 
clgrab01dr00.bb.telus.com [209.115.152.72]
  4    14 ms    13 ms    14 ms 
clgrabezdr01.bb.telus.com [208.38.16.129]
  5     *        *        *     Request timed out.
  6    24 ms    66 ms    38 ms 
www.calgarypubliclibrary.com [207.34.115.132]

Trace complete.
-cut-

With the new fifirewally trace looks like this:

-cut-
u:>tracert calgarypubliclibrary.com

Tracing route to calgarypubliclibrary.com
[207.34.115.132]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.254
  2    25 ms     *       12 ms 
clgrab46ar02.ab.tac.net [209.115.152.19]
  3    12 ms    13 ms    12 ms 
clgrabezdr00.bb.telus.com [209.115.223.167]
  4    13 ms    12 ms    13 ms 
clgrabezdr01.bb.telus.com [208.38.16.129]
  5    14 ms    14 ms    14 ms  192.168.10.43
6     *        *        *     Request timed out.
7     *        *        *     Request timed out.
8
etc, etc, with the timouts...

-cut-

With a browser I can not connect to the catalog or the
site. Squid teltell:

-cut-
ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL:
http://calgarypubliclibrary.com/ 

The following error was encountered: 

Zero Sized Reply 
Squid did not receive any data for this request. 

--------------------------------------------------------------------------------
-cut-

If I had norfc1918 turned on for eth0 on my trace
stopped at hop 4. 

By accident I noticed if I telnet to
calgarypubliclibrary.com I get a banner:

-cut-
Raptor Firewall Secure Gateway.

Hostname:
-cut-

One thing I just noticed is the old firewall gets an
IP of 142.173.131.108 and the new box gets an IP of
205.206.96.221.

Well hop somsomeonen help me fix this.





====Randy Millis 
Calgary, Alberta 
Canada 
E-mail: randy.millis@telusplanet.net

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

Resolved most of the issue.

ISP said there are weird issues with the "new"
205.206.xx.xx IP block.

Would still like to know about how to open the ports

--- Randy Millis <rmillis@yahoo.com> wrote:
> Ok, I am typing this all again as I lost my original
> message...:-(
> 
> I have a number of pieces of a mystery on my hands
> and
> hope someone can help me analyze all this and find a
> solution:
> 
> I just built a new shorewall firewall on a P120
> running RedHat 7.3, Kernel 2.4.18-5 with shorewall
> 1.3.4.
> 
> I can connect to our local library catalog from work
> great and can retrieve and send info to this Dynix
> Java based system (send is needed to place holds on
> material etc).
> 
> From home with my old shorewall firewall I was off
> and
> on able to send to it and never got time to look
> into
> it until now. 
> 
> The old firewall was a 486 with RedHat 7.1, Kernel
> 2.4.9-34 running shorewall 1.2.8.
> 
> The FAQ for the library catalog says to "Ask your
> computer people to open firewall ports TCP/9090,
> TCP/5050 in addition to the regular port TCP/80 that
> will already be open so you can visit the Internet .
> 
> 
> The Catalogue is a software product which works from
> a
> specific port." How can I do this in shorewall and
> are
> there any risks doing so? Is this maybe why it
> worked
> sometimes and not others?
> 
> With the new firewall I can''t even get to the site:
> 
> If I traceroute from work I get this and all works
> perfectly:
> 
> -cut-
> U:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1   <10 ms   <10 ms   <10 ms 
> locutus.enel.ucalgary.ca [136.159.102.1]
>   2   <10 ms   <10 ms   <10 ms  192.168.102.1
>   3   <10 ms   <10 ms   <10 ms  192.168.47.1
>   4   <10 ms   <10 ms   <10 ms  192.168.3.25
>   5   <10 ms   <10 ms   <10 ms 
> clgrabezdr01.bb.telus.com [205.233.111.65]
>   6   <10 ms   <10 ms    16 ms  192.168.10.43
>   7    63 ms   <10 ms    16 ms 
> www.calgarypubliclibrary.com [207.34.115.132]
> 
> Trace complete.
> -cut-
> 
> From Home with the old ffirewallmy trace mostly
> works
> and the site loads and the catalog works off and on
> two way (as noted above):
> 
> -cut-
> u:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1    21 ms     1 ms     1 ms  192.168.0.254
>   2    14 ms    13 ms     *    
> clgrab46ar02.ab.tac.net [209.115.152.19]
>   3    14 ms    13 ms    14 ms 
> clgrab01dr00.bb.telus.com [209.115.152.72]
>   4    14 ms    13 ms    14 ms 
> clgrabezdr01.bb.telus.com [208.38.16.129]
>   5     *        *        *     Request timed out.
>   6    24 ms    66 ms    38 ms 
> www.calgarypubliclibrary.com [207.34.115.132]
> 
> Trace complete.
> -cut-
> 
> With the new fifirewally trace looks like this:
> 
> -cut-
> u:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1    <1 ms    <1 ms    <1 ms  192.168.0.254
>   2    25 ms     *       12 ms 
> clgrab46ar02.ab.tac.net [209.115.152.19]
>   3    12 ms    13 ms    12 ms 
> clgrabezdr00.bb.telus.com [209.115.223.167]
>   4    13 ms    12 ms    13 ms 
> clgrabezdr01.bb.telus.com [208.38.16.129]
>   5    14 ms    14 ms    14 ms  192.168.10.43
> 6     *        *        *     Request timed out.
> 7     *        *        *     Request timed out.
> 8
> etc, etc, with the timouts...
> 
> -cut-
> 
> With a browser I can not connect to the catalog or
> the
> site. Squid teltell:
> 
> -cut-
> ERROR
> The requested URL could not be retrieved
> 
>
--------------------------------------------------------------------------------
> 
> While trying to retrieve the URL:
> http://calgarypubliclibrary.com/ 
> 
> The following error was encountered: 
> 
> Zero Sized Reply 
> Squid did not receive any data for this request. 
> 
>
--------------------------------------------------------------------------------
> -cut-
> 
> If I had norfc1918 turned on for eth0 on my trace
> stopped at hop 4. 
> 
> By accident I noticed if I telnet to
> calgarypubliclibrary.com I get a banner:
> 
> -cut-
> Raptor Firewall Secure Gateway.
> 
> Hostname:
> -cut-
> 
> One thing I just noticed is the old firewall gets an
> IP of 142.173.131.108 and the new box gets an IP of
> 205.206.96.221.
> 
> Well hop somsomeonen help me fix this.
> 
> 
> 
> 
> 
> ====> Randy Millis 
> Calgary, Alberta 
> Canada 
> E-mail: randy.millis@telusplanet.net
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
> 

====Randy Millis 
Calgary, Alberta 
Canada 
E-mail: randy.millis@telusplanet.net

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

On Sun, 21 Jul 2002, Randy Millis wrote:
> Resolved most of the issue.
> 
> ISP said there are weird issues with the "new"
> 205.206.xx.xx IP block.
> 
> Would still like to know about how to open the ports
> 
All outbound ports are open by default -- if any are closed, you closed 
them...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net