Hi,

I am new to Shorewall and I was wondering if it is possible to make Shorewall send the user's IP to the Apache web server and not the internal IP of the firewall.

Thanks for any help on this,
Julian
On Sun, 3 Aug 2003 19:05:02 -0400, Julian Palmer <cannei@rogers.com> wrote:

> Hi,
>
> I am new to Shorewall and I was wondering if it is possible to make
> Shorewall send the users ip to the apache web server and not the internal
> ip of the firewall.

From your post we suspect that you are using Shorewall and Apache and you don't like what Apache is logging. That's all we know.

This is a technical help list, not a puzzle list; please give us some details...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sun, 03 Aug 2003 16:39:07 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> From your post we suspect that you are using Shorewall and Apache and you
> don't like what Apache is logging. That's all we know.
>
> This is a technical help list, not a puzzle list; please give us some
> details...

Ok -- I reread your post and I'm guessing that you use the horrible hack from FAQ #2 even though I recommend a DNS solution to that problem. Sorry -- the problem you are reporting is the price you pay for the choice you made. It is the fact that the Apache server thinks that all of the internal requests are coming from the firewall that makes this hack work.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi,

Hack... What hack? I have not applied any hack.

The problem I am having is that in the Apache log file for my websites I only see the firewall's internal IP address and not the user's IP (the visiting web user's IP). I was wondering if it is possible to send this information (the user's IP) through Shorewall, because now all I see for every visit/hit is the firewall's internal IP address.

Julian

-----Original Message-----
From: shorewall-users-bounces+jpalmer=ockhamsrazor.com@lists.shorewall.net [mailto:shorewall-users-bounces+jpalmer=ockhamsrazor.com@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Sunday, August 03, 2003 7:53 PM
To: Tom Eastep; Julian Palmer; shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Log Users IP Apache

On Sun, 03 Aug 2003 16:39:07 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> From your post we suspect that you are using Shorewall and Apache and
> you don't like what Apache is logging. That's all we know.
>
> This is a technical help list, not a puzzle list; please give us some
> details...

Ok -- I reread your post and I'm guessing that you use the horrible hack from FAQ #2 even though I recommend a DNS solution to that problem. Sorry -- the problem you are reporting is the price you pay for the choice you made. It is the fact that the Apache server thinks that all of the internal requests are coming from the firewall that makes this hack work.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Sun, 2003-08-03 at 17:39, Julian Palmer wrote:

> Hi,
>
> Hack...What hack? I have not applied any hack
>
> The problem I am having is that in the Apache LogFile for my websites I only
> see the Firewall Internal IP Address and not the users IP (visiting web
> users IP). I was wondering if it is possible to send this information (the
> users IP) through Shorewall because now all I see for ever visit/hit if the
> Firewall Internal IP Address

I hope someone else can help you...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Thanks for your help,

Julian

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Sunday, August 03, 2003 8:43 PM
To: Julian Palmer
Cc: shorewall-users@lists.shorewall.net
Subject: RE: [Shorewall-users] Log Users IP Apache

On Sun, 2003-08-03 at 17:39, Julian Palmer wrote:

> Hi,
>
> Hack...What hack? I have not applied any hack
>
> The problem I am having is that in the Apache LogFile for my websites
> I only see the Firewall Internal IP Address and not the users IP
> (visiting web users IP). I was wondering if it is possible to send
> this information (the users IP) through Shorewall because now all I
> see for ever visit/hit if the Firewall Internal IP Address

I hope someone else can help you...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On 03 Aug 2003 17:42:35 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Sun, 2003-08-03 at 17:39, Julian Palmer wrote:
>> Hi,
>>
>> Hack...What hack? I have not applied any hack
>>
>> The problem I am having is that in the Apache LogFile for my websites I
>> only see the Firewall Internal IP Address and not the users IP (visiting web
>> users IP). I was wondering if it is possible to send this information
>> (the users IP) through Shorewall because now all I see for ever visit/hit if
>> the Firewall Internal IP Address
>>
>
> I hope someone else can help you...

My point is that:

a) You haven't told us where this Apache server is running.
b) You haven't told us where the visitors are.
c) You haven't told us how you have configured Shorewall.
d) You haven't told us which version of Shorewall you are running.
e) You haven't told us which sample configuration and QuickStart Guide you are using.
f) Basically, you have told us nothing.

There are no sane Shorewall configurations where Apache will log as you describe, so I was trying to think of crazy configurations where it might; that's what led me to FAQ #2. If you don't give us some details, we can't help you.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
At 8/3/2003 17:53 -0700, Tom Eastep wrote:

> There are no sane Shorewall configurations where Apache will log as you
> describe so I was trying to think of crazy configurations where it might;
> that's what lead me to FAQ #2. If you don't give us some details, we can't
> help you.

Maybe when the Apache server is inside the firewall (loc), the visitors are coming from outside (net), and Shorewall is forwarding the requests? At this point masquerading or NATting occurs (don't know which), but Apache would see all requests coming from the firewall, wouldn't it?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
Rodolfo J. Paiz wrote:

> At 8/3/2003 17:53 -0700, Tom Eastep wrote:
>> There are no sane Shorewall configurations where Apache will log as
>> you describe so I was trying to think of crazy configurations where
>> it might; that's what lead me to FAQ #2. If you don't give us some
>> details, we can't help you.
>
> Maybe when the Apache server is inside the firewall (loc), the
> visitors are coming from outside (net), and Shorewall is forwarding
> the requests? At this point masquerading or natting occurs (don't
> know which) but Apache would see all requests coming from the
> firewall, wouldn't it?

No, Apache will see (and log) the actual IP address of the system requesting the web page, not the IP address of your firewall. Apache would log the IP address of the firewall if you actually requested a web page from the firewall itself.

Steve Cowles
On Mon, 2003-08-04 at 04:19, Cowles, Steve wrote:

> Rodolfo J. Paiz wrote:
>> At 8/3/2003 17:53 -0700, Tom Eastep wrote:
>>> There are no sane Shorewall configurations where Apache will log as
>>> you describe so I was trying to think of crazy configurations where
>>> it might; that's what lead me to FAQ #2. If you don't give us some
>>> details, we can't help you.
>>
>> Maybe when the Apache server is inside the firewall (loc), the
>> visitors are coming from outside (net), and Shorewall is forwarding
>> the requests? At this point masquerading or natting occurs (don't
>> know which) but Apache would see all requests coming from the
>> firewall, wouldn't it?
>
> No, apache will see (and log) the actual IP address of the system requesting
> the web page, not the IP address of your firewall. Apache would log the IP
> address of the firewall if you actually requested a web page from the
> firewall itself.

To get the behavior that the OP is reporting, one of the following could be happening:

a) Connections to the Web server are undergoing SNAT (so that the source address is being rewritten to the local interface's address). Possible causes are:

   1) An extra entry in /etc/shorewall/masq that has the internal interface in column 1 and the external interface in column 2.

   2) SNAT specified on the DNAT rule that is redirecting port 80 to the server.

b) Incoming HTTP connections are being proxied on the firewall.

But this is all speculation. We can guess that the HTTP server is running in the local zone because of the involvement of the local interface's IP address, but the OP hasn't given us that information. Similarly, we can guess that masquerading is involved given that the local interface has an RFC1918 address. Maybe we'll get some hard information today...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi all,

Thanks for the replies, but I found the problem. I was having trouble because of the following rules configuration:

DNAT    net    loc:192.168.5.195    tcp    80    -    209.47.139.209
DNAT    loc    loc:192.168.5.195    tcp    80    -    209.47.139.209:192.168.5.1

where 192.168.5.1 was the IP showing up in the Apache logs and not the visiting web user's IP. I've since removed the second rule and everything works fine.

I was not the one that set up Shorewall initially; my apologies for being such a "noob" at this.

Julian

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On
> Behalf Of Tom Eastep
> Sent: Monday, August 04, 2003 11:15 AM
> To: Shorewall Users
> Subject: RE: [Shorewall-users] Log Users IP Apache
>
> On Mon, 2003-08-04 at 04:19, Cowles, Steve wrote:
> > Rodolfo J. Paiz wrote:
> > > At 8/3/2003 17:53 -0700, Tom Eastep wrote:
> > >> There are no sane Shorewall configurations where Apache will log as
> > >> you describe so I was trying to think of crazy configurations where
> > >> it might; that's what lead me to FAQ #2. If you don't give us some
> > >> details, we can't help you.
> > >
> > > Maybe when the Apache server is inside the firewall (loc), the
> > > visitors are coming from outside (net), and Shorewall is forwarding
> > > the requests? At this point masquerading or natting occurs (don't
> > > know which) but Apache would see all requests coming from the
> > > firewall, wouldn't it?
> >
> > No, apache will see (and log) the actual IP address of the system
> > requesting the web page, not the IP address of your firewall. Apache
> > would log the IP address of the firewall if you actually requested a
> > web page from the firewall itself.
>
> To get the behavior that the OP is reporting, one of the
> following could be happening:
>
> a) Connections to the Web server are undergoing SNAT (so that
> the source address is being rewritten to the local
> interface's address). Possible causes are:
>
> 1) An extra entry in /etc/shorewall/masq that has the
> internal interface in column 1 and the external interface
> in column 2.
>
> 2) SNAT specified on the DNAT rule that is redirecting port
> 80 to the server.
>
> b) Incoming HTTP connections are being proxied on the firewall.
>
> But this is all speculation. We can guess that the HTTP
> server is running in the local zone because of the
> involvement of the local interface's IP address but the OP
> hasn't given us that information. Similarly, we can guess
> that masquerading is involved given that the local interface
> has an RFC1918 address. Maybe we'll get some hard information today...
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Mon, 2003-08-04 at 10:26, Julian Palmer wrote:

> DNAT    loc    loc:192.168.5.195    tcp    80    -
> 209.47.139.209:192.168.5.1

Yep -- that is the problem.

> I was not the one that setup Shorewall initially, my apologies for being
> such a "noob" at this

Glad that the problem is resolved.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
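As a defender-side check for the misconfiguration Julian found and the two SNAT causes Tom listed (an added example, not from the thread or the Shorewall project), the script below scans a Shorewall rules fragment for DNAT rules whose ORIGINAL DEST column carries a `:snat-address` suffix, and a masq fragment for entries whose INTERFACE column is an internal interface. The sample fragments, the column layout assumed, and the interface names (eth0 external, eth1 internal) are constructed for this example.

```python
"""Audit Shorewall config fragments for source-rewriting NAT that hides client IPs.

Constructed sample inputs: the two rules Julian posted plus an unrelated ACCEPT,
and a masq file with the 'internal interface in column 1' entry Tom described.
Either pattern makes the DNATed server log the firewall's address, so the web
server's access log loses client attribution.
"""

# Assumed /etc/shorewall/rules columns (Shorewall 1.4-era layout):
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
RULES = """
# constructed sample mirroring the thread
DNAT net loc:192.168.5.195 tcp 80 - 209.47.139.209
DNAT loc loc:192.168.5.195 tcp 80 - 209.47.139.209:192.168.5.1
ACCEPT net fw tcp 22
"""

# Assumed /etc/shorewall/masq columns: INTERFACE SUBNET [ADDRESS]
MASQ = """
eth0 192.168.5.0/24
eth1 eth0
"""


def _records(text):
    """Yield (line_no, columns) for non-empty, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if body:
            yield n, body.split()


def snat_in_dnat_rules(rules_text):
    """Return (line_no, snat_addr, rule) for DNAT rules that rewrite the source."""
    hits = []
    for n, cols in _records(rules_text):
        if not cols[0].upper().startswith("DNAT") or len(cols) < 7:
            continue
        orig_dest = cols[6]
        if ":" in orig_dest:  # original-dest:snat-address form
            hits.append((n, orig_dest.split(":", 1)[1], " ".join(cols)))
    return hits


def masq_on_internal(masq_text, internal_ifaces):
    """Return (line_no, entry) for masq entries whose INTERFACE is internal."""
    return [(n, " ".join(cols)) for n, cols in _records(masq_text)
            if cols[0].split(":")[0] in internal_ifaces]


if __name__ == "__main__":
    for n, snat, rule in snat_in_dnat_rules(RULES):
        print(f"rules line {n}: clients will be logged as {snat}: {rule}")
    for n, entry in masq_on_internal(MASQ, {"eth1"}):
        print(f"masq line {n}: masquerading on an internal interface: {entry}")
```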