In the last 15 minutes I have had a major firewall running Shorewall display some problems. This machine has been working fine for the better part of a year, no changes made in the last week. This machine has three zones. There is a DNAT running from the net zone and the loc zone to a webserver in the dmz, port 80 only. The DNAT from the loc zone seems to not be working correctly. If I make a web request from the loc zone with a sniffer in both loc and dmz, I can see the request in both zones but the reply in only the dmz. The packets returning to loc seem to be getting dropped in between zones. There is nothing in /var/log/messages. DNATs from the net zone are passing traffic. I tried a shorewall restart, no change to the loc problem. Any ideas? I hate to reboot this thing in the middle of the day, don't think it will help, don't know what else to do. I am running shorewall 1.3.

Thanks for your help,
Steve
On Tue, 2003-10-21 at 09:51, Steve Postma wrote:

> The DNAT from the loc zone seems to not be working correctly. If I make a web request from the loc zone with a sniffer in both loc and dmz, I can see the request in both zones but the reply in only the dmz. The packets returning to loc seem to be getting dropped in between zones. There is nothing in /var/log/messages. DNATs from the net zone are passing traffic. I tried a shorewall restart, no change to the loc problem. Any ideas?

Are the replies in the DMZ being sent to the proper host (is the destination MAC address that of the firewall's DMZ interface)?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Thanks again Tom! There was an arcane routing rule on the webserver for that subnet only, and that route had failed.

Thanks!
Steve

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, October 21, 2003 1:12 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] problems
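The two checks this thread turns on, whether the webserver's replies to the loc subnet are addressed to the firewall's DMZ-side MAC (Tom's question) and whether a stale, more-specific route on the webserver is steering those replies past the firewall (Steve's root cause), can be automated against captured output. The script below is an added example, not code from the thread or from the Shorewall project. It parses constructed samples of `ip route show` from the webserver and `tcpdump -e -n` from the DMZ side; every address, MAC and interface name in it is a hypothetical value chosen for illustration.

```python
import ipaddress
import re

# Constructed sample values (hypothetical): the firewall's DMZ-side interface and the loc subnet.
FIREWALL_DMZ_IP = "10.0.2.1"
FIREWALL_DMZ_MAC = "00:11:22:33:44:55"
LOC_SUBNET = "192.168.1.0/24"

# Constructed sample of `ip route show` on the DMZ webserver. The /24 entry for the loc
# subnet is the kind of leftover rule the thread describes: it beats the default route
# (longest prefix wins) and sends replies to a gateway that is not the firewall.
WEBSERVER_ROUTES_STALE = """\
default via 10.0.2.1 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.10
192.168.1.0/24 via 10.0.2.254 dev eth0
"""

# Same table with the stale entry removed; replies to loc now follow the default route.
WEBSERVER_ROUTES_FIXED = """\
default via 10.0.2.1 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.10
"""

# Constructed sample of `tcpdump -e -n` frames seen on the DMZ side: HTTP replies from the
# webserver (10.0.2.10) to one net client and two loc clients.
DMZ_CAPTURE = """\
13:12:01.000001 00:aa:bb:cc:dd:10 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.2.10.80 > 203.0.113.5.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
13:12:01.000002 00:aa:bb:cc:dd:10 > 00:de:ad:be:ef:fe, ethertype IPv4 (0x0800), length 74: 10.0.2.10.80 > 192.168.1.20.40312: Flags [S.], seq 3, ack 4, win 65535, length 0
13:12:01.000003 00:aa:bb:cc:dd:10 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.2.10.80 > 192.168.1.21.40500: Flags [S.], seq 5, ack 6, win 65535, length 0
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")
FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?:\s+"
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+):"
)


def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("via"), m.group("dev")))
    return routes


def next_hop(routes, dst_ip):
    """Longest-prefix match, as the kernel does it; returns (gateway, device) or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def check_replies(capture, routes, loc_subnet, fw_ip, fw_mac):
    """For each captured frame bound for the loc subnet, report why it would miss the firewall.

    The route check runs first (it is the webserver's own decision); the MAC check then
    confirms the frame on the wire actually went to the firewall's DMZ interface.
    """
    loc = ipaddress.ip_network(loc_subnet)
    fw_mac = fw_mac.lower()
    findings = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        dip = m.group("dip")
        if ipaddress.ip_address(dip) not in loc:
            continue  # only replies to loc are in question
        hop = next_hop(routes, dip)
        via = "on-link (no gateway)" if hop is None or hop[0] is None else hop[0]
        if hop is None:
            verdict = "no route"
        elif via != fw_ip:
            verdict = f"route sends it via {via}, not the firewall {fw_ip}"
        elif m.group("dmac").lower() != fw_mac:
            verdict = "wrong destination MAC"
        else:
            verdict = "ok"
        findings.append((dip, verdict))
    return findings


if __name__ == "__main__":
    for label, table in (("stale", WEBSERVER_ROUTES_STALE), ("fixed", WEBSERVER_ROUTES_FIXED)):
        print(f"--- webserver routes: {label} ---")
        for dip, verdict in check_replies(DMZ_CAPTURE, parse_routes(table),
                                          LOC_SUBNET, FIREWALL_DMZ_IP, FIREWALL_DMZ_MAC):
            print(f"{dip}: {verdict}")
```

With the stale table both loc clients are flagged on the route check alone, which matches the symptom in the thread: the reply is visible in the DMZ but never reaches loc, and the firewall logs nothing because the frame was never addressed to it. With the fixed table the MAC check still catches the reply whose frame carries a stale neighbour entry, so both checks are worth keeping.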