Trifon Anguelov
2003-Jan-14 15:10 UTC
[Shorewall-users] Two web servers on DMZ zone with private addresses. How to?
Two quick questions to the group:

Anyone seen this before:

Jan 14 02:55:45 gw1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=66.58.99.83 DST=170.224.8.51 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=38676 DF PROTO=TCP SPT=1735 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

I mean my web server is trying to reply to some external host 170.224.8.51 (p.moreover.com) for some reason. What could it be? It happens pretty often.

The second mind-bothering thing is: If I have two or more web servers (separate machines) on the same DMZ zone, how can they all listen on port 80? I mean, I read Tom's example to listen on a port different than 80 (http://www.abz.com:5000), but who is going to type the extra :5000 after the URL? What is the practical implementation in this case?

The firewall has to know to which host to send the port 80 traffic. If these addresses are public then the DNS will resolve them, of course. But what if I use private addresses? Can the port forwarding still work?

Hope that's not too much to ask from a Linux box :-)))

Thank you in advance and my best regards.

Trifon

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
Tom Eastep
2003-Jan-14 15:20 UTC
[Shorewall-users] Two web servers on DMZ zone with private addresses. How to?
--On Tuesday, January 14, 2003 03:10:11 PM -0800 Trifon Anguelov <clio_usa@yahoo.com> wrote:

> Two quick questions to the group:
>
> Anyone seen this before:
>
> Jan 14 02:55:45 gw1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0
> SRC=66.58.99.83 DST=170.224.8.51 LEN=52 TOS=0x00 PREC=0x00 TTL=63
> ID=38676 DF PROTO=TCP SPT=1735 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I mean my web server is trying to reply to some external host
> 170.224.8.51 (p.moreover.com) for some reason. What could it be? It happens
> pretty often.
>

Trifon -- PLEASE read the instructions at http://shorewall.sf.net/support.htm regarding the information we need when you post log messages.

> The second mind-bothering thing is: If I have two or more web
> servers (separate machines) on the same DMZ zone, how can they all listen
> on port 80? I mean, I read Tom's example to listen on a port different than
> 80 (http://www.abz.com:5000), but who is going to type the extra :5000
> after the URL? What is the practical implementation in this case?
>
> The firewall has to know to which host to send the port 80 traffic. If
> these addresses are public then the DNS will resolve them, of course. But
> what if I use private addresses? Can the port forwarding still work?
>
> Hope that's not too much to ask from a Linux box :-)))
>

You may be able to do it with some sort of HTTP proxy running on the firewall -- you certainly can't do it with a packet-filter/router like Shorewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
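Tom's point above, that a packet filter cannot split port 80 between two DMZ hosts but an HTTP proxy can, as an added example that is not from the list or from Shorewall: the routing decision such a proxy makes from the HTTP Host header. The site names, the 10.0.1.x backend addresses and the sample requests are all constructed for the example.

```python
# Added example, not from the Shorewall list or its authors: why two DMZ web
# servers on private addresses can share port 80 only behind an HTTP-aware
# proxy. A packet filter routes on IP address and port; the site name
# travels in the HTTP Host header, which only a layer-7 proxy can read.

# Hypothetical DMZ layout (constructed): both servers listen on port 80 on
# private addresses behind the firewall's single public address.
BACKENDS = {
    b"www.example.com": ("10.0.1.10", 80),
    b"www.example.org": ("10.0.1.11", 80),
}


def parse_host_header(request_head: bytes):
    """Return the Host value (lowercased, port stripped) or None if absent.

    Only the request head (up to the blank line) is examined. An HTTP/1.0
    client may omit Host entirely; then nothing in the request says which
    site was wanted, so the proxy cannot choose a backend.
    """
    head = request_head.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":", 1)[0].lower()
    return None


def choose_backend(request_head: bytes):
    """Pick the DMZ server for this request, or None when it is unroutable."""
    host = parse_host_header(request_head)
    return BACKENDS.get(host) if host is not None else None


# Constructed sample requests: one per site, and an HTTP/1.0 request that
# carries no Host header at all.
REQ_COM = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_ORG = b"GET /index.html HTTP/1.1\r\nHost: WWW.EXAMPLE.ORG:80\r\n\r\n"
REQ_10 = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_COM, REQ_ORG, REQ_10):
        print(req.split(b"\r\n")[0], "->", choose_backend(req))
```

A request with no Host header is the case the proxy must handle explicitly (for example by answering with an error page), because at that point the choice of DMZ server is genuinely undetermined.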