Okay, no one had any idea concerning my Radmin question, which I still haven't figured out. However, I am now trying to figure out an FXP problem. All of the needed details are listed below the problem description.

Problem: I have a local Windows XP Pro computer running FlashFXP behind Shorewall 2.0.9 (unpatched) with only two interfaces (ppp0 and eth1) as loc:192.168.1.5. The server is glftpd and runs on the same computer as Shorewall. When I initiate an FXP transfer from a server outside the firewall to my server behind the firewall, I am getting a dupe error saying that I have duped myself. Is there a rule or policy which eliminates the oddity? I know the file was never added. (Of course, I am also having speed ramping problems since installing Shorewall 2.0.9.) I have read the Shorewall documents and searched several places for FXP problems and FTP problems, but I haven't found a solution.

Needed information:

[root@arienb root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:ed:76:dc:82 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:cc:82:50:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1454 qdisc pfifo_fast qlen 3
    link/ppp
    inet 220.144.146.14 peer 210.151.255.103/32 scope global ppp0

[root@arienb root]# ip route show
210.151.255.103 dev ppp0  proto kernel  scope link  src 220.xxx.xxx.xxx (deleted by me)
192.168.1.0/24 dev eth1  scope link
169.254.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 210.151.255.103 dev ppp0

shorewall policies:

#SOURCE    DEST    POLICY    LOG        LIMIT:BURST
#                            LEVEL
loc        net     ACCEPT    -
$FW        net     ACCEPT    -
#
# THE FOLLOWING POLICY MUST BE LAST
#
$FW        loc     ACCEPT    -
loc        $FW     ACCEPT    -
net        all     DROP      info
all        all     DROP      info
#LAST LINE -- DO NOT REMOVE

shorewall rules:

#ACTION   SOURCE   DEST               PROTO   DEST          SOURCE    ORIGINAL   RATE    USER/
#                                             PORT          PORT(S)   DEST       LIMIT   GROUP
ACCEPT    all      $FW                tcp     22
ACCEPT    all      $FW                tcp     10101         #glftpd server port
ACCEPT    all      $FW                tcp     113
ACCEPT    net      $FW                tcp     53
ACCEPT    net      $FW                udp     53
ACCEPT    all      $FW                tcp     25000:60000   #needed for TLS passive connections
DNAT      net      loc:192.168.1.5    tcp     90            #htthost - httport connection port
DNAT      net      loc:192.168.1.5    tcp     4662
DNAT      net      loc:192.168.1.5    udp     8930
DNAT      net      loc:192.168.1.5    tcp     1024:5000     #irc passive ports (irc modules are loaded, but don't work)
#RADMIN
DNAT      net      loc:192.168.1.5    tcp     4899          #Radmin port
#Sserver
DNAT      net      loc:192.168.1.55   tcp     80            #basic Mac web server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Brian wrote:
> Okay, no one had any idea concerning my Radmin question, which I still
> haven't figured out.

Frankly, I didn't see a Radmin problem report from you that gave me enough information to even hazard a guess as to what your problem was, let alone what the cause might be. You mentioned httport and htthost but from the information that you gave us, I couldn't have drawn a topological diagram of the hosts involved if my life depended on it.

> (Of course, I am also having speed ramping problems since installing
> shorewall 2.0.9) I have read the shorewall documents and searched several
> places for FXP problems and FTP problems, but I haven't found a solution.

Sounds like you made a poor decision to replace your previous Corega router with a Linux box -- I personally would go back if I were you because if this is the attitude that you are going to take when asking for free help with a free product, I think you will be much happier paying to get your questions answered.

-Tom

PS -- as to your FXP problem, as far as I know there are no current patches to Netfilter to handle FXP. There have been some submitted in the past but they all opened gaping security holes. If you do a Google search of "iptables nat fxp" you might find something you can use.

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Sorry if I seemed rude! I was more frustrated that I couldn't find anything to help me out, and my "mouth" has always gotten the better of me. I had to replace the Corega because it had a meltdown and no commercial router that I could get in Japan seems to work for a Mac, Windows and Linux all at one time. It has been a very expensive trip to get to Shorewall.

I didn't know how to explain the Radmin situation better than I did. In essence, my university uses a proxy server on port 8080 and blocks all TCP connections. So from behind the proxy, I initiate a tunnel through the proxy server and connect to my Windows machine behind Shorewall on port 90. This, I guess, then interprets the TCP information and sends it to the proper place. The tunnel works because I am able to initiate an SSH connection via the tunnel on port 22 and I can connect to my glftpd server on port 10101. Actually the only thing that stopped working was Radmin.

SSH uses 127.0.0.1 -> httport (which has my no-ip DNS address in it and port 22) -> proxy server (port 8080) -> Shorewall (port 90) -> htthost -> no-ip -> back to Linux box port 22.

The other services like Radmin (port 4899) work the same way.

Again I am truly sorry for being rude or inconsiderate of the time and energy you have put into this. I seem to have found all of the crazy things at once and am desperate to understand this so that I can help myself more.

Sincerely,
Brian
Brian wrote:
> Sorry if I seemed rude! I was more frustrated that I couldn't find anything
> to help me out, and my "mouth" has always gotten the better of me.

I'll try to help but I won't be of much help today -- We are on vacation and are driving back home today.

> I didn't know how to explain the radmin situation better than I did. In
> essence, my university uses a proxy server on port 8080 and blocks all TCP
> connections. So from behind the proxy, initiate a tunnel through the proxy
> server and connects to my windows machine behind Shorewall on port 90.
> This, I guess, then interprets the TCP information and sends it to the
> proper place. The tunnel works because I am able to initiate a SSH
> connection via the tunnel on port 22 and I can connect to my glftpd server
> on port 10101. Actually the only thing that stopped working was Radmin.
>
> SSH uses 127.0.0.1 ->httport (which has my no-ip dns address in it and port
> 22) -> proxy server (port 8080) ->Shorewall (port 90)-> htthost -> no-ip ->
> back to linux box port 22.
>
> The other services like Radmin (port 4899) work the same way.

Do you always connect to port 90 on the Shorewall box or do you connect to a different port for Radmin?

-Tom
Thanks Tom and sorry to disturb your vacation.

The httport always connects to htthost via port 90, but then it sends a signal to connect to port 4899.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, October 09, 2004 11:14 PM
Subject: Re: [Shorewall-users] fxp initiated behind shorewall

> Do you always connect to port 90 on the Shorewall box or do you connect
> to a different port for Radmin?
Brian wrote:
> Thanks Tom and sorry to disturb your vacation.
>
> The httport always connects to htthost via port 90, but then it sends a
> signal to connect to port 4899.

Then I don't understand how the Shorewall box could possibly be the source of the problem -- all it is seeing is a connection from httport on tcp port 90 which it forwards to htthost.

You can confirm that the connection to port 90 is successful by "shorewall show connections" and look for the relevant connection -- the connection should be in the ESTABLISHED state.

-Tom
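Tom's check above (that the port 90 connection forwarded to 192.168.1.5 should show up in ESTABLISHED state in "shorewall show connections") can be done mechanically. The script below is an added example, not code from this thread or from the Shorewall project; it assumes that command prints the /proc/net/ip_conntrack format, and its sample output is constructed, with 203.0.113.x as made-up client addresses.

```python
import re

# Constructed sample in /proc/net/ip_conntrack format (what "shorewall show
# connections" prints on a 2.x box). Each entry lists the original-direction
# tuple, then the reply tuple; 220.144.146.14 is the ppp0 address from the thread.
SAMPLE_CONNECTIONS = """\
tcp 6 431999 ESTABLISHED src=203.0.113.7 dst=220.144.146.14 sport=33021 dport=90 src=192.168.1.5 dst=203.0.113.7 sport=90 dport=33021 [ASSURED] use=1
tcp 6 117 SYN_SENT src=203.0.113.7 dst=220.144.146.14 sport=33022 dport=4899 [UNREPLIED] src=192.168.1.5 dst=203.0.113.7 sport=4899 dport=33022 use=1
tcp 6 431999 ESTABLISHED src=203.0.113.9 dst=220.144.146.14 sport=51200 dport=10101 src=220.144.146.14 dst=203.0.113.9 sport=10101 dport=51200 [ASSURED] use=1
udp 17 29 src=192.168.1.5 dst=210.151.255.103 sport=1025 dport=53 src=210.151.255.103 dst=192.168.1.5 sport=53 dport=1025 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """One dict per entry: protocol, TCP state, and the original/reply 4-tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 4 or len(tuples) != 2:
            continue  # blank line or an entry layout we do not understand
        # TCP entries carry a state word after the timeout; UDP entries do not.
        state = fields[3] if fields[0] == "tcp" else "-"
        orig, reply = (dict(zip(("src", "dst", "sport", "dport"), t)) for t in tuples)
        entries.append({"proto": fields[0], "state": state, "orig": orig, "reply": reply})
    return entries


def find_dnat_connection(entries, public_port, internal_host):
    """A DNATed connection has the original packet addressed to the firewall's
    public port while the reply tuple's src is the internal host it went to."""
    for e in entries:
        if (e["proto"] == "tcp" and e["orig"]["dport"] == str(public_port)
                and e["reply"]["src"] == internal_host):
            return e
    return None


def check_tunnel_port(text, public_port=90, internal_host="192.168.1.5"):
    """Return (ok, detail) saying whether the forwarded connection is ESTABLISHED."""
    e = find_dnat_connection(parse_conntrack(text), public_port, internal_host)
    if e is None:
        return False, f"no DNATed tcp connection to port {public_port} -> {internal_host}"
    if e["state"] != "ESTABLISHED":
        return False, f"connection present but in state {e['state']}"
    return True, f"ESTABLISHED from {e['orig']['src']}:{e['orig']['sport']}"
```

Run against live output by reading it from stdin and passing the text to check_tunnel_port; a SYN_SENT entry means the client reached the firewall but the internal host never answered, and no entry at all means the DNAT rule never matched.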
Brian wrote:
> Okay, no one had any idea concerning my Radmin question, which I still
> haven't figured out. However, I am now trying to figure out an FXP problem.
> All of the needed details are listed below the description problem.

I replied to your Radmin question; since you didn't reply to that thread anymore, it is logical to think your problem is solved.

-- 
Greetings, Peter

Backup not found: (A)bort (R)etry (P)anic
- Do you have a Dreambox 7000S? Take a look at http://www.dreamvcr.com
- Also look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org - 21 days, 14 hours and 23 minutes, 0 users logged in.
Tom Eastep wrote:
> Brian wrote:
>
>>> Thanks Tom and sorry to disturb your vacation.
>>>
>>> The httport always connects to htthost via port 90, but then it sends a
>>> signal to connect to port 4899.
>
> Then I don't understand how the Shorewall box could possibly be the
> source of the problem -- all it is seeing is a connection from httport
> on tcp port 90 which it forwards to htthost.
>
> You can confirm that the connection to port 90 is successful by
> "shorewall show connections" and look for the relevant connection -- the
> connection should be in the ESTABLISHED state.

Brian,

Any success in debugging this?

-Tom
Tom Eastep wrote:
> Brian,
>
> Any success in debugging this?
>
> -Tom

Thanks for following up Tom. I have tried reinstalling Radmin to see if something went rogue and I have contacted Radmin support. However, no one seems to know why everything else through the tunnel works. I had a friend check from a "normal" internet setup and he was able to connect. So, I think that Radmin has decided something about the tunnel bothers it. It is confusing because before Shorewall, there weren't any problems... My next step is to look more into the tunnel... Maybe the tunnel had a cave-in.

Again thanks for your kindness and I will keep searching for an answer...

Brian
Brian wrote:
> Thanks for following up Tom. I have tried reinstalling Radmin to see if
> something went rogue and I have contacted Radmin support. However, no one
> seems to know why everything else through the tunnel works. I had a friend
> check from a "normal" internet setup and he was able to connect. So, I
> think that Radmin has decided something about the tunnel bothers it. It is
> confusing because before shorewall, there weren't any problems... My next
> step is to look more into the tunnel... Maybe the tunnel had a cave-in.

Are you perhaps setting CLAMPMSS=Yes in your shorewall.conf? If so, you might try setting CLAMPMSS=No and see if that changes anything.

-Tom