Shorewall users - Oct 2002 - Server publishing with DNAT (part 2)?

I post this before, but I''ll still have a problem with
server publishing. My network configuration:
> -----------------------------------
> I have a problem with publishing a web server with shorewall.
> I have:
> 
> eth0, IP:192.168.100.1, NM:255.255.255.0
> eth1, IP:207.46.230.1, NM:255.255.255.0
> 
> web server IP: 192.168.100.2
> 
> I want to make web server visible at IP 207.46.230.1.
> 
> /etc/shorewall/rules:
> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
> 
> /etc/shorewall/masq
> eth0 0.0.0.0/0
> 
> e0 is a zone associated with eth0, e1 is a zone associated with eth1
> 
> I can see a web server published at 207.46.230.1 form all PC-s
> on 207.46.230.x subnet, but I can''t see it from the rest of teh
internet.
> 
> What might be a problem?
>Your ISP is blocking incoming HTTP connections?
>
>-Tom
>-- 
>Tom Eastep    \ Shorewall - iptables made easy
>AIM: tmeastep  \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
No, it seams I messed somthing with routes.

I do this and that in meantime, and now I can''t see a
published web at all. :| 

- I can ping the machine from anywhere
- In log file I now geting FORWARD:REJECT entryes instead of DNAT: I was
geting before.

Btw. is it necessary to enable masquerading from eth1 to eth0 when I''m
doing DNAT? Just in case, I enabled masquerading form anywhere to everywhere:

/etc/shorewall/masq:
eth0 0.0.0.0/0
eth1 0.0.0.0/0

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
> I post this before, but I''ll still have a problem with
> server publishing. My network configuration:
> 
> 
>>-----------------------------------
>>I have a problem with publishing a web server with shorewall.
>>I have:
>>
>>eth0, IP:192.168.100.1, NM:255.255.255.0
>>eth1, IP:207.46.230.1, NM:255.255.255.0
>>
>>web server IP: 192.168.100.2
>>
>>I want to make web server visible at IP 207.46.230.1.
>>
>>/etc/shorewall/rules:
>>DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
>>
>>/etc/shorewall/masq
>>eth0 0.0.0.0/0
>>
>>e0 is a zone associated with eth0, e1 is a zone associated with eth1
>>
>>I can see a web server published at 207.46.230.1 form all PC-s
>>on 207.46.230.x subnet, but I can''t see it from the rest of teh
internet.
>>
>>What might be a problem?
> 
> 
>>Your ISP is blocking incoming HTTP connections?
>>
>>-Tom
>>-- 
>>Tom Eastep    \ Shorewall - iptables made easy
>>AIM: tmeastep  \ http://www.shorewall.net
>>ICQ: #60745924  \ teastep@shorewall.net
> 
> 
> No, it seams I messed somthing with routes.
> 
> I do this and that in meantime, and now I can''t see a
> published web at all. :| 
> 
> - I can ping the machine from anywhere
> - In log file I now geting FORWARD:REJECT entryes instead of DNAT: I was
> geting before.
Please see http://www.shorewall.net/FAQ.htm#faq17. Logging out of the 
FORWARD or INPUT chain almost always means that your zone definitions are 
incorrect (99% of the time, it is a problem with the hosts file and in 
most of those cases, an EMPTY hosts file is the correct hosts file).
> 
> Btw. is it necessary to enable masquerading from eth1 to eth0 when
I''m
> doing DNAT? Just in case, I enabled masquerading form anywhere to
everywhere:
> 
> /etc/shorewall/masq:
> eth0 0.0.0.0/0
> eth1 0.0.0.0/0
> 
NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......

Put that back the way that it should be. It sounds like you keep fiddling 
with your configuration without a good idea of what you are doing and have 
it pretty well messed up.

Port forwarding is really very simple and when it doesn''t work, there
will
be a simple answer. See my response this morning to the post entitled "Can 
Shorewall be configured to let Citrix g o (sic) thru" for some tips on 
diagnosing DNAT problems.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> Kreshimir Shantek wrote:
> > I post this before, but I''ll still have a problem with
> > server publishing. My network configuration:
> > 
> > 
> >>-----------------------------------
> >>I have a problem with publishing a web server with shorewall.
> >>I have:
> >>
> >>eth0, IP:192.168.100.1, NM:255.255.255.0
> >>eth1, IP:207.46.230.1, NM:255.255.255.0
> >>
> >>web server IP: 192.168.100.2
> >>
> >>I want to make web server visible at IP 207.46.230.1.
> >>
> >>/etc/shorewall/rules:
> >>DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
> >>
> >>/etc/shorewall/masq
> >>eth0 0.0.0.0/0
> >>
> >>e0 is a zone associated with eth0, e1 is a zone associated with
eth1
> >>
> >>I can see a web server published at 207.46.230.1 form all PC-s
> >>on 207.46.230.x subnet, but I can''t see it from the rest
of teh internet.
> >>
> 
> Please see http://www.shorewall.net/FAQ.htm#faq17. Logging out of the 
> FORWARD or INPUT chain almost always means that your zone definitions are 
> incorrect (99% of the time, it is a problem with the hosts file and in 
> most of those cases, an EMPTY hosts file is the correct hosts file).
yes, my hosts file is empty...
> > Btw. is it necessary to enable masquerading from eth1 to eth0 when
I''m
> > doing DNAT? Just in case, I enabled masquerading form anywhere to 
everywhere:
> > 
> > /etc/shorewall/masq:
> > eth0 0.0.0.0/0
> > eth1 0.0.0.0/0
> > 
> 
> NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......
> 
> Put that back the way that it should be. It sounds like you keep fiddling 
> with your configuration without a good idea of what you are doing and have 
> it pretty well messed up.
yeap, I try with guessing when things not working and I don''t know
why....

ok, I turned off masqerading except form my DMZ to outside world:

eth0 eth1 $ETH1_IP
eth0 ppp0

Now I thnik it''s time to say more about my configuration (I
didn''t before
because I wanted to keep thing simple): I have a 4 network interfaces, first
conncted to DMZ, second to Internet provider #1, thirth to internet provider #2 
(ppp with dynamic IP) and fourth to our partner company. I configured routing 
with load balacing between internet providers (I can send more about my 
configuration, I just don''t want to make a mail very long).

Now the DNAT works occasionally, and after a while (few hours) it stop
working. After reboot it sometimes work, sometimes don''t.

I have a script where I define IP aliases and routing rules
which I run from /etc/shorewall/start. Somehow I would be happier if
I could run this script *before* shorewall starts. The questions are:

Boot order (networking->my script->shorewall): Does it really matter? 
If it does (I suppose so), which startup script starts shorewall during boot? 
Maybe I should include a line for my script before shorewall? 
I''m doing DNAT on IP alias I define in my script. What if shorewall
starts before the script?
> Port forwarding is really very simple and when it doesn''t work,
there will
> be a simple answer. See my response this morning to the post entitled
"Can
> Shorewall be configured to let Citrix g o (sic) thru" for some tips on
> diagnosing DNAT problems.
ok, I''ll try it ... the thing works at the moment, I''ll try it
when it
stops working. At least I''m now sure that DNAT has nothing to do with 
masquerading. 

Thanks!

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
> 
> Now the DNAT works occasionally, and after a while (few hours) it stop
> working. After reboot it sometimes work, sometimes don''t.
> 
Given those symptoms, the problem is NOT with your Shorewall 
configuration. You don''t have two or more interfaces connected to the
same
hub/switch do you?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> > Now the DNAT works occasionally, and after a while (few hours) it stop
> > working. After reboot it sometimes work, sometimes don''t.
> Given those symptoms, the problem is NOT with your Shorewall 
> configuration. You don''t have two or more interfaces connected to
the same
> hub/switch do you?
yeap, probably is not the shorewall... 

..but the the guestion also was the boot order, is it
relevant or not and which script actually starts the shorewall?

What if I "ifconfig eth0 down". 
Will the shorewall continue to work normally on the other interfaces?
What if I "ifconfig eth0 up" after a while?
Will the shorewall work normally as before I did "ifconfig eth0 down"?
What if I flush the routing table and restore it back after a while?

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
>>>Now the DNAT works occasionally, and after a while (few hours) it
stop
>>>working. After reboot it sometimes work, sometimes don''t.
>>
>>Given those symptoms, the problem is NOT with your Shorewall 
>>configuration. You don''t have two or more interfaces connected
to the same
>>hub/switch do you?
> 
> 
> yeap, probably is not the shorewall... 
> 
> ..but the the guestion also was the boot order, is it
> relevant or not and which script actually starts the shorewall?
> 
> What if I "ifconfig eth0 down". 
Any aliases (addresses) that Shorewall has added to eth0 because of 
ADD_IP_ALIASES or ADD_SNAT_ALIASES will be lost. Any routes added through 
eth0 because of Proxy ARP will be lost. Any static ARP cache entries added 
to eth0 for Proxy ARP will be lost.
> Will the shorewall continue to work normally on the other interfaces?
It will continue to route normally to/from the other interfaces, yes.
> What if I "ifconfig eth0 up" after a while?
See above -- traffic from/to eth0 will continue but if you lost anything 
when you took the interface down, your gateway probably won''t work
properly.
> Will the shorewall work normally as before I did "ifconfig eth0
down"?
Again, not if aliases, routes or ARP cache entries were lost. Also, if the 
IP address changed and eth0 is your external interface then DNAT will stop 
working if you have DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf.
> What if I flush the routing table and restore it back after a while?
Any routes that Shorewall added for Proxy ARP won''t be restored.

In addition, certain features in Shorewall require that an interface be up 
prior to starting Shorewall.

a) ''detect'' in the BROADCAST(S) column of
/etc/shorewall/interfaces.
b) DNAT rules if DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf
c) Use of `find_interface_address <interface>` in extension scripts

There may be others but those are the ones that come to mind.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> > What if I "ifconfig eth0 down". 
> Any aliases (addresses) that Shorewall has added to eth0 because of 
> ADD_IP_ALIASES or ADD_SNAT_ALIASES will be lost. Any routes added through 
> eth0 because of Proxy ARP will be lost. Any static ARP cache entries added 
> to eth0 for Proxy ARP will be lost.
> In addition, certain features in Shorewall require that an interface be up 
> prior to starting Shorewall.
> a) ''detect'' in the BROADCAST(S) column of
/etc/shorewall/interfaces.
> b) DNAT rules if DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf
> c) Use of `find_interface_address <interface>` in extension scripts
That''s excatly what I do: I have a script (because of load balancing)
that:
-add IP aliases
-flushes routing tables
-define my own routing tables and routes
-define routing rules

I dont''t use Proxy ARP, ADD_IP_ALIASES, ADD_SNAT_ALIASES & stuff
because I
do it in my script.

I start that script form /etc/shorewall/start. That means it starts after
Shorewall. I would like to start it before, how can I do that?

In meantime I added one more etherent card (eth4) and connected it to
it''s
subnet.

Now I have:

eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
eth1, ppp0 -> load balancing, conected to Internet provider #1 and Internet 
provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2) 
eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone e4)

(eth2 is for PPPoE for ADSL)

/etc/shorewall/rules
DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1

First rule works fine, second don''t.
Im log file I see DNAT entryes for booth rules (I suppose that means
that''s not
problem in shorewall)
>From linux box I can ping machines on each subnet.
>From each subnet I can ping linux box.
>From some subnet I can ping some subnets, some can''t <- thats
whats bothernig
me, I suppose that''s something with routes... but may it be something
else
perhaps?.


--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
> 
> I start that script form /etc/shorewall/start. That means it starts after
> Shorewall. I would like to start it before, how can I do that?
/etc/shorewall/init
> 
> In meantime I added one more etherent card (eth4) and connected it to
it''s
> subnet.
> 
> Now I have:
> 
> eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
> eth1, ppp0 -> load balancing, conected to Internet provider #1 and
Internet
> provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2) 
> eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
> eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone
e4)
> 
> (eth2 is for PPPoE for ADSL)
> 
> /etc/shorewall/rules
> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
> DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
> 
> First rule works fine, second don''t.
> Im log file I see DNAT entryes for booth rules (I suppose that means
that''s not
> problem in shorewall)
That''s correct -- both rules are working fine but something else in
your
setup isn''t. Have you checked the routing table on 192.168.101.5?
> From linux box I can ping machines on each subnet.
> From each subnet I can ping linux box.
> From some subnet I can ping some subnets, some can''t <- thats
whats bothernig
> me, I suppose that''s something with routes... but may it be
something else
> perhaps?.
> 
It could be routing since you are flushing the RT and adding all of your 
own routes. Could also be your firewall rules though.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> Kreshimir Shantek wrote:
> > I start that script form /etc/shorewall/start. That means it starts
after
> > Shorewall. I would like to start it before, how can I do that?
> 
> /etc/shorewall/init
Won''t work... I have Shorewall version 1.3.5, initially, init file
wasn''t
there (in /etc/shorewall), I coppied start file into init, and delete
line that calles my script from start.
> > eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
> > eth1, ppp0 -> load balancing, conected to Internet provider #1 and
Internet
> > provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2) 
> > eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
> > eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x)
(zone e4)
> > (eth2 is for PPPoE for ADSL)
> > 
> > /etc/shorewall/rules
> > DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
> > DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
> > 
> > First rule works fine, second don''t.
> > Im log file I see DNAT entryes for booth rules (I suppose that means
that''s
not 
> > problem in shorewall)
> 
> That''s correct -- both rules are working fine but something else
in your
> setup isn''t. Have you checked the routing table on 192.168.101.5?
I have a route for 192.168.101.x segment:

192.168.101.0/24 dev eth4 scope link

I think that''s ok.
> It could be routing since you are flushing the RT and adding all of your 
> own routes. Could also be your firewall rules though.
I discovered a malfunctioned network card on one machines on one of the 
segments.
After replacing a card I can ping everything from everywhere, as I expected.
But I''m a little bit suspicious that malfunctioned network card on the
other machine could cause such a mess - it didn''t report any error, I
could saw a light on the hub and on the card, I just couldn''t ping that
machine.

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
>>Kreshimir Shantek wrote:
>>
>>>I start that script form /etc/shorewall/start. That means it starts
after
>>>Shorewall. I would like to start it before, how can I do that?
>>
>>/etc/shorewall/init
> 
> 
> Won''t work... I have Shorewall version 1.3.5, initially, init file
wasn''t
> there (in /etc/shorewall), I coppied start file into init, and delete
> line that calles my script from start.
I don''t know what you''re trying to say -- the
''start'' file wasn''t there
either before you created it!!! Same goes for the ''init'' file
- YOU have
to create it.
> 
> 
>>>eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
>>>eth1, ppp0 -> load balancing, conected to Internet provider #1
and Internet
>>>provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2) 
>>>eth3 -> connected to LAN1 (ip: 192.168.112.101, nw:
192.168.112.x)
>>>eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x)
(zone e4)
>>>(eth2 is for PPPoE for ADSL)
>>>
>>>/etc/shorewall/rules
>>>DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
>>>DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
>>>
>>>First rule works fine, second don''t.
>>>Im log file I see DNAT entryes for booth rules (I suppose that means
that''s
>>
> not 
> 
>>>problem in shorewall)
>>
>>That''s correct -- both rules are working fine but something
else in your
>>setup isn''t. Have you checked the routing table on
192.168.101.5?
> 
> 
> I have a route for 192.168.101.x segment:
> 
> 192.168.101.0/24 dev eth4 scope link
> 
> I think that''s ok.
Yes -- assuming that the default gateway on 192.168.101.5 is configured to 
be 192.168.101.2.
> 
> 
>>It could be routing since you are flushing the RT and adding all of your
>>own routes. Could also be your firewall rules though.
> 
> 
> I discovered a malfunctioned network card on one machines on one of the 
> segments.
> After replacing a card I can ping everything from everywhere, as I
expected.
> But I''m a little bit suspicious that malfunctioned network card on
the
> other machine could cause such a mess - it didn''t report any
error, I
> could saw a light on the hub and on the card, I just couldn''t ping
that
> machine.
> 
A malfunctioning card can mess of the entire ethernet segment that it is 
connected to.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

> > Won''t work... I have Shorewall version 1.3.5, initially, init
file wasn''t
> I don''t know what you''re trying to say -- the
''start'' file wasn''t there
> either before you created it!!! Same goes for the ''init''
file - YOU have
> to create it.
sorry, it seams I thoght that start file was initaly there...
.. btw. why don''t you include and empty start and init files in
instalation
with comment what are they for (like policy, rules and other stuff)?
> > I have a route for 192.168.101.x segment:
> > 
> > 192.168.101.0/24 dev eth4 scope link
> > 
> > I think that''s ok.
> 
> Yes -- assuming that the default gateway on 192.168.101.5 is configured to 
> be 192.168.101.2.
Yes, you were right - the default gateway on 192.168.101.5 WASN''T
192.168.101.2.
After I set it to 192.168.101.2, the thing works!

But, why is that? The eth4 and 192.168.101.5 are on same subnet... why
the gateway on 192.168.101.5 must be 192.168.101.2? Is there any other
way to make thing working?

What if I want to publish server that is not on the same segment with eth4?
(i.e, I have: eth4<->router<->the_server_I_want_to_publish).

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq:
12895929

-------------------- H T h i n e t - - W e b M a i l --------------------
Ova poruka poslana je upotrebom HThinet WebMail usluge.
https://webmail.hinet.hr

Kreshimir Shantek wrote:
>>>Won''t work... I have Shorewall version 1.3.5, initially,
init file wasn''t
>>
>>I don''t know what you''re trying to say -- the
''start'' file wasn''t there
>>either before you created it!!! Same goes for the
''init'' file - YOU have
>>to create it.
> 
> 
> sorry, it seams I thoght that start file was initaly there...
> .. btw. why don''t you include and empty start and init files in
instalation
> with comment what are they for (like policy, rules and other stuff)?
I''m just lazy I guess.
> 
> 
>>>I have a route for 192.168.101.x segment:
>>>
>>>192.168.101.0/24 dev eth4 scope link
>>>
>>>I think that''s ok.
>>
>>Yes -- assuming that the default gateway on 192.168.101.5 is configured
to
>>be 192.168.101.2.
> 
> 
> Yes, you were right - the default gateway on 192.168.101.5 WASN''T
192.168.101.2.
> After I set it to 192.168.101.2, the thing works!
> 
> But, why is that? The eth4 and 192.168.101.5 are on same subnet... why
> the gateway on 192.168.101.5 must be 192.168.101.2? Is there any other
> way to make thing working?
> 
> What if I want to publish server that is not on the same segment with eth4?
> (i.e, I have: eth4<->router<->the_server_I_want_to_publish).
> 
I suggest that you pick up a copy of a good basic text on addressing and 
routing and read it. My personal favorite is "IP Fundamentals  - What 
Everyone Needs to Know About Addressing & Routing", Thomas A. Maufer, 
Prentice Hall, 1999, IBSN 0-13-975483-0.

If you are going to administer a network, you need a basic understanding 
of how routing and addressing works.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net