I'm using Shorewall on SuSE 8.1 and I have an odd problem with connecting from my LAN computers through the firewall.

The LAN can connect to remote machines via NNTP, POP3 and SMTP but not via HTTP (URLs won't resolve). The firewall machine can connect to the net via http with no problems.

The setup is the default 2-zone config with the policy

    loc   net   ACCEPT
    loc   fw    ACCEPT
    fw    net   ACCEPT
    fw    loc   ACCEPT
    net   all   DROP
    all   all   REJECT

Everything else is, I think, identical to the shipped version.

Any ideas would be gratefully received!

John

-- 
John Pettigrew, Headstrong Games, john@headstrong-games.co.uk
Fun : Strategy : Price, http://www.headstrong-games.co.uk/
Board games that won't break the bank
Knossos: escape the ever-changing labyrinth before the Minotaur catches you!
John Pettigrew wrote:

> I'm using Shorewall on SuSE 8.1 and I have an odd problem with connecting
> from my LAN computers through the firewall.
>
> The LAN can connect to remote machines via NNTP, POP3 and SMTP but not via
> HTTP (URLs won't resolve). The firewall machine can connect to the net via
> http with no problems.

If your NNTP, POP3 AND SMTP connections are using URLs then I'm assuming that DNS lookups are working from the local network. In that case, you might try setting CLAMPMSS=Yes in /etc/shorewall/shorewall.conf since this may be an MTU discovery problem that is only showing up with HTTP's large messages.

-Tom

-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
In a previous message, Tom Eastep wrote:

> John Pettigrew wrote:
>
>> The LAN can connect to remote machines via NNTP, POP3 and SMTP but not
>> via HTTP (URLs won't resolve). The firewall machine can connect to the
>> net via http with no problems.
>
> If your NNTP, POP3 AND SMTP connections are using URLs then I'm assuming
> that DNS lookups are working from the local network.

Correct.

> In that case, you might try setting CLAMPMSS=Yes in
> /etc/shorewall/shorewall.conf since this may be an MTU discovery problem
> that is only showing up with HTTP's large messages.

Tried setting this, then clearing and restarting shorewall, but no success :-(

Looking at the comments in the conf file, it's probably worth mentioning that my connection to the internet is an ethernet-connected cable modem.

John

-- 
John Pettigrew, Headstrong Games, john@headstrong-games.co.uk
Fun : Strategy : Price, http://www.headstrong-games.co.uk/
Board games that won't break the bank
Fields of Valour: 2 Norse clans battle on one of 3 different boards
John Pettigrew wrote:

> In a previous message, Tom Eastep wrote:
>
>> John Pettigrew wrote:
>>
>>> The LAN can connect to remote machines via NNTP, POP3 and SMTP but not
>>> via HTTP (URLs won't resolve). The firewall machine can connect to the
>>> net via http with no problems.
>>
>> If your NNTP, POP3 AND SMTP connections are using URLs then I'm assuming
>> that DNS lookups are working from the local network.
>
> Correct.
>
>> In that case, you might try setting CLAMPMSS=Yes in
>> /etc/shorewall/shorewall.conf since this may be an MTU discovery problem
>> that is only showing up with HTTP's large messages.
>
> Tried setting this, then clearing and restarting shorewall, but no success
> :-(
>
> Looking at the comments in the conf file, it's probably worth mentioning
> that my connection to the internet is an ethernet-connected cable modem.

So I'll assume that your 'net' interface in /etc/shorewall/interfaces is an ethernet device.

When you say URLs won't resolve, does that mean that you can browse by IP address (e.g., http://206.124.146.177)? If not, are the browsers in the local lan configured to use a Proxy? If not, after you have attempted to connect please send me the output from "shorewall status".

Thanks,
-Tom

-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
In a previous message, Tom Eastep wrote:

> So I'll assume that your 'net' interface in /etc/shorewall/interfaces is
> an ethernet device.

Correct.

> When you say URLs won't resolve, does that mean that you can browse by IP
> address (e.g., http://206.124.146.177)?

Yes - following that link worked, whereas http://www.shorewall.net/ failed, sticking at "Resolving host".

> If not, are the browsers in the local lan configured to use a Proxy?

No.

> If not, after you have attempted to connect please send me the output
> from "shorewall status".

Emailed separately.

Thanks,
John

-- 
John Pettigrew, Headstrong Games, john@headstrong-games.co.uk
Fun : Strategy : Price, http://www.headstrong-games.co.uk/
Board games that won't break the bank
Knossos: escape the ever-changing labyrinth before the Minotaur catches you!
John Pettigrew wrote:

> In a previous message, Tom Eastep wrote:
>
>> So I'll assume that your 'net' interface in /etc/shorewall/interfaces is
>> an ethernet device.
>
> Correct.
>
>> When you say URLs won't resolve, does that mean that you can browse by IP
>> address (e.g., http://206.124.146.177)?
>
> Yes - following that link worked, whereas http://www.shorewall.net/ failed,
> sticking at "Resolving host".
>
>> If not, are the browsers in the local lan configured to use a Proxy?
>
> No.
>
>> If not, after you have attempted to connect please send me the output
>> from "shorewall status".
>
> Emailed separately.

That looked ok -- how are the resolvers in your local LAN configured? Can you ping the name servers from the local lan? Can you "nslookup www.shorewall.net" from a Windows NT, 2K or XP box or "dig www.shorewall.net" from a Linux/Unix box on the LAN?

-Tom

-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
In a previous message, Tom Eastep wrote:

>>> please send me the output from "shorewall status".
>>
>> Emailed separately.
>
> That looked ok -- how are the resolvers in your local LAN configured? Can
> you ping the name servers from the local lan? Can you "nslookup
> www.shorewall.net" from a Windows NT, 2K or XP box or "dig
> www.shorewall.net" from a Linux/Unix box on the LAN?

I can ping the name servers OK from the lan. The local machines aren't running Windows or *nix (they're RISC OS). What do nslookup/dig do? I can establish the equivalent.

Thanks,
John

-- 
John Pettigrew, Headstrong Games, john@headstrong-games.co.uk
Fun : Strategy : Price, http://www.headstrong-games.co.uk/
Board games that won't break the bank
Valley of the Kings: ransack an ancient Egyptian tomb but beware of mummies!
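What nslookup and dig actually do on the wire, as an added example that is not part of the thread: they send one UDP datagram to port 53 of the name server carrying a DNS A query and decode the reply, which is exactly the step that "Resolving host" hangs on when a LAN host can ping the name server but DNS does not get through. The query builder, reply parser and `resolve()` helper below are my own code (not Shorewall's), and `SAMPLE_RESPONSE` is a constructed reply that reuses the 206.124.146.177 address Tom quoted, so the parser can be exercised offline.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    # DNS header (RD set, one question) + QNAME labels + QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def read_name(msg, off):
    # Decode a domain name at `off`, following RFC 1035 compression pointers
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # pointer: jump, but remember where this field ends
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_response(msg):
    # Return (rcode, [(name, ip), ...]) for the A records in a DNS reply
    _, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record carrying an IPv4 address
            answers.append((name, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return flags & 0xF, answers

def resolve(name, server, timeout=3.0):
    # On the wire this is what dig does: one UDP datagram to port 53 of `server`
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_response(s.recv(512))
        except socket.timeout:
            return None                    # no reply: the query or answer never made it through

# Constructed sample reply (not captured from the thread): www.shorewall.net A 206.124.146.177
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("www.shorewall.net")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("206.124.146.177"))
```

Running `resolve("www.shorewall.net", "<your name server IP>")` from a LAN host reproduces the dig test: a `None` result while ping to the same server succeeds means UDP/53 is being dropped between the LAN and the resolver, whereas a non-zero rcode means the query arrived and the server itself refused it.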