Hi,

I have a firewall: local net, DMZ (a http server and a mail server) and Internet. OS of this firewall is Debian Woody. I installed kernel 2.4.26 (patches: grsecurity-2.0-2.4.26 and patch-o-matic-ng-20040302), iptables-1.2.9 and shorewall 2.0.1.

I have a big problem: my dmz cannot communicate to Net and my dmz is not accessible from the Net (I do not have a problem of communication loc2net, loc2dmz and dmz2loc), example: ping from http server to www.google.fr:

www:~# ping www.google.fr
PING www.google.akadns.net (216.239.59.99): 56 data bytes
(nothing)

But,

gate# tcpdump -i eth2 host 192.168.0.4
tcpdump: listening on eth2
17:49:57.506610 192.168.0.4 > 66.102.9.104: icmp: echo request
17:49:58.506688 192.168.0.4 > 66.102.9.104: icmp: echo request
17:49:59.506707 192.168.0.4 > 66.102.9.104: icmp: echo request
(...)

gate# tcpdump -i eth0 host 217.167.143.163
tcpdump: listening on eth0
17:49:59.506747 217.167.143.163 > 66.102.9.104: icmp: echo request
17:49:59.580811 66.102.9.104 > 217.167.143.163: icmp: echo reply
17:50:00.506781 217.167.143.163 > 66.102.9.104: icmp: echo request
17:50:00.589703 66.102.9.104 > 217.167.143.163: icmp: echo reply
(...)

In which part of shorewall do I have to seek the source of the problem?

Thank you in advance for (all) your replies.

Best regards,
--
Andrei V. FOMITCHEV
a.v.fomitchev@netcourrier.com wrote:

> In which part of shorewall do have I to seek the source of the problem?

You say that you have a dmz problem then you show us some tcpdump output. So:

a) Which interface goes to the internet?
b) Which interface goes to the dmz?
c) Which zone is 192.168.0.4 in (the dmz?)?

I will *guess* that:

1. eth0 goes to the internet.
2. eth2 goes to the DMZ.
3. 192.168.0.4 is in the DMZ.

So what does a tcpdump on eth0 look like when 192.168.0.4 is pinging 66.102.9.104?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> So what does a tcpdump on eth0 look like when 192.168.0.4 is pinging
> 66.102.9.104?

Or is that what you showed us????

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> Or is that what you showed us????

If it *is* what you showed us, then can 192.168.0.4 ping the firewall?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> If it *is* what you showed us, then can 192.168.0.4 ping the firewall?

Also, did the IP address 217.167.143.163 used to belong to another system (or at least another NIC)? If so, the upstream router may have a stale ARP cache as described in the One-to-one NAT and Proxy ARP documentation. Using the '-e' option on tcpdump when looking at eth0 will show if this is the case.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
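As an added illustration (not part of the thread, and not Shorewall's own tooling), a small Python script that correlates the two tcpdump captures Andrei posted, counting echo requests and replies per interface to show which hop of the DMZ-to-Internet round trip is missing. The interface tags, the function names and the stage labels are assumptions made here for the example.

```python
import re
from collections import defaultdict

# Constructed sample built from the two captures in the thread, each line
# prefixed with the interface it was taken on (eth2 = DMZ, eth0 = Internet).
CAPTURE = """\
eth2 17:49:57.506610 192.168.0.4 > 66.102.9.104: icmp: echo request
eth2 17:49:58.506688 192.168.0.4 > 66.102.9.104: icmp: echo request
eth2 17:49:59.506707 192.168.0.4 > 66.102.9.104: icmp: echo request
eth0 17:49:59.506747 217.167.143.163 > 66.102.9.104: icmp: echo request
eth0 17:49:59.580811 66.102.9.104 > 217.167.143.163: icmp: echo reply
eth0 17:50:00.506781 217.167.143.163 > 66.102.9.104: icmp: echo request
eth0 17:50:00.589703 66.102.9.104 > 217.167.143.163: icmp: echo reply
"""

# tcpdump 3.x style ICMP echo line, with the interface tag in front.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse_capture(text):
    """Return one dict per echo request/reply line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def icmp_path_report(text, dmz_if, wan_if):
    """Count echo requests/replies per interface and name the first stage with a gap."""
    counts = defaultdict(int)
    for p in parse_capture(text):
        counts[(p["iface"], p["kind"])] += 1
    dmz_req = counts[(dmz_if, "request")]
    wan_req = counts[(wan_if, "request")]
    wan_rep = counts[(wan_if, "reply")]
    dmz_rep = counts[(dmz_if, "reply")]
    if dmz_req and not wan_req:
        stage = "dmz2net blocked"                  # requests never leave the firewall
    elif wan_req and not wan_rep:
        stage = "no reply from Internet"           # NAT address / upstream ARP (Tom's hint)
    elif wan_rep and not dmz_rep:
        stage = "reply not forwarded back to DMZ"  # the pattern in this thread
    else:
        stage = "ok"
    return {"dmz_req": dmz_req, "wan_req": wan_req, "wan_rep": wan_rep,
            "dmz_rep": dmz_rep, "stage": stage}

if __name__ == "__main__":
    print(icmp_path_report(CAPTURE, dmz_if="eth2", wan_if="eth0"))
```

On the thread's captures the replies reach eth0 but none appears on eth2, so the report points at the return leg into the DMZ rather than at the outbound policy.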