I've a three-interface Shorewall configuration (DMZ, Local Network and a DSL connection to Internet). Everything works fine except that the connections from the local network to the DMZ servers tend to have a short time-to-live, as after some time of inactivity between the client and the server the connection is lost, namely via browser.

Does anyone know about any configuration parameter to overcome this problem?

Best Regards,
Paulo Almeida
--
Escola Superior de Enfermagem S. João
Deptª Informática
Rua Dr. António Bernardino de Almeida
4200-072 Porto
Tel: +351225073500 - Fax: +351225096337
web: www.sj.esenf.pt
Paulo Almeida wrote:
> I've a three-interface Shorewall configuration (DMZ, Local Network and a
> DSL connection to Internet).
> Everything works fine except that the connections from the local network
> to the DMZ servers tend to have a short time-to-live, as after some time of
> inactivity between the client and the server the connection is lost, namely
> via browser.
>
> Does anyone know about any configuration parameter to overcome this problem?
>

Can't think of any -- are you seeing any log messages when you try to use one of these "dead" connections?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Paulo Almeida wrote:
>
>
> I put shorewall log in debug mode but I can't see anything. I'm not sure
> if it's a shorewall problem configuration.

It is not a Shorewall configuration problem -- there are no Shorewall settings that can cause these symptoms.

-Tom
Paulo Almeida wrote:
>
> I put shorewall log in debug mode but I can't see anything.

Also, be sure that you understand how logging works (http://shorewall.net/shorewall_logging.html). You don't mention what you mean by "put shorewall log in debug mode", but the effect of changing the log levels in /etc/shorewall/policy to "debug" is to REDUCE the likelihood that a message will be logged rather than to increase the level of logging.

You can verify that logging is working by trying a denied connection (the default setup rejects telnet connections from loc->fw and that's easy to test). After the connection has been rejected, you should see the connection attempt when you "shorewall show log".

-Tom
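The logging check Tom describes (a rejected loc->fw telnet attempt must show up in "shorewall show log") can be confirmed mechanically by parsing the kernel log lines rather than eyeballing them. The script below is an added example, not code from this thread or from the Shorewall project. It assumes the default Shorewall log prefix format "Shorewall:<chain>:<disposition>:" followed by the usual netfilter key=value fields; the three log lines are constructed samples, not entries from Paulo's system.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed default Shorewall log format.
# Line 1 is what the loc->fw telnet test Tom suggests would look like once
# logging works; the other two are unrelated filler entries.
SAMPLE_LOG = """\
Jan 12 10:01:03 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=45678 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:02:17 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:03:44 fw kernel: Shorewall:loc2dmz:ACCEPT:IN=eth1 OUT=eth2 SRC=192.168.1.10 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=50010 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
"""

# Assumed prefix: "Shorewall:<chain>:<disposition>:" then netfilter fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")
# key=value tokens; the value may be empty (e.g. "OUT=" for locally delivered packets)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    # Bare tokens such as DF, SYN, ACK carry no '=' and are TCP/IP flags
    flags = [tok for tok in rest.split() if "=" not in tok]
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "fields": fields,
        "flags": flags,
    }


def parse_log(text):
    """Parse every Shorewall line in a block of log text, skipping others."""
    entries = []
    for line in text.splitlines():
        entry = parse_shorewall_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def logging_verified(entries, chain="loc2fw", dport="23"):
    """True if a denied TCP connection to `dport` was logged from `chain`.

    This is the check behind Tom's advice: if the rejected loc->fw telnet
    attempt is present, Shorewall logging is demonstrably working.
    """
    for e in entries:
        if (e["chain"] == chain
                and e["disposition"] in ("REJECT", "DROP")
                and e["fields"].get("PROTO") == "TCP"
                and e["fields"].get("DPT") == dport):
            return True
    return False


def summarize(entries):
    """Count log entries per (chain, disposition) pair."""
    return Counter((e["chain"], e["disposition"]) for e in entries)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("logging verified:", logging_verified(parsed))
    for (chain, disp), n in sorted(summarize(parsed).items()):
        print(f"{chain:10} {disp:7} {n}")
```

On a live firewall, the same functions can be fed the output of "shorewall show log" instead of SAMPLE_LOG; if logging_verified() stays False after the telnet test, the problem is the logging setup itself, which is worth settling before hunting for the dropped DMZ connections.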