Hi,

I have a little problem, I hope so...

First a hint: I don't have a static IP address, so I use a dyndns provider.

In the DMZ runs an sftp server. It should be accessible from the net. My router is forwarding the traffic from port 22 to the machine in the DMZ. Now, in the basic installation I have rfc1918 dropping configured on the net interface.

My problem:

If rfc1918 dropping is on, I can't reach the machine in the DMZ. If I switch it off, it works fine.

In the logfile (after dropping) is SRC=83.76.254.X, not a private address.

Where is the problem?

Sorry for my English.

Regards
Michael
Michael Menkhoff wrote:
>
> Hi,
>
> I have a little problem, I hope so...
>
> First a hint: I don't have a static IP address, so I use a dyndns
> provider.
>
> In the DMZ runs an sftp server. It should be accessible from the net. My router is
> forwarding the traffic from port 22 to the machine in the DMZ. Now, in the
> basic installation I have rfc1918 dropping configured on the net
> interface.
>
> My problem:
>
> If rfc1918 dropping is on, I can't reach the machine in the DMZ. If I
> switch it off, it works fine.
>
> In the logfile (after dropping) is SRC=83.76.254.X, not a private
> address.
>
> Where is the problem?

Hi Michael,

You need to update either your RFC1918 file or the Bogons file, depending on which version of Shorewall you're running:

http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918
http://shorewall.net/pub/shorewall/errata/2.0.8/bogons

Use the Errata page for periodic checking on updates:

http://shorewall.net/errata.htm

> Sorry for my English.

Your English is just fine. :)

Regards,
--
Patrick Benson
Stockholm, Sweden
Michael Menkhoff wrote:
|
| If rfc1918 dropping is on, I can't reach the machine in the DMZ. If I
| switch it off, it works fine.
|
| In the logfile (after dropping) is SRC=83.76.254.X, not a private
| address.
|
| Where is the problem?
|

Your rfc1918 file is out of date. See http://shorewall.net/errata.htm to download the current one.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi,

I've loaded the newest bogons and rfc1918 files from your site, but the problem is the same.
I'm using version 2.0.9.

Michael
Michael Menkhoff wrote:
| Hi,
|
| I've loaded the newest bogons and rfc1918 files from your site, but the
| problem is the same.
| I'm using version 2.0.9.
|

Please submit a proper problem report -- see http://shorewall.net/support.htm for instructions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Michael Menkhoff wrote:
| Hi,
|
| I've loaded the newest bogons and rfc1918 files from your site, but the
| problem is the same.
| I'm using version 2.0.9.
|

One note -- if you are running 2.0.9, you do NOT need the new rfc1918 file since that file will never change. You only need the new bogons file, and then only if you are using 'nobogons'.

Also, be sure that you install them in /usr/share/shorewall and that you do not have any old files by those names in /etc/shorewall. If you need to modify one of the files for some reason, copy it to /etc/shorewall and modify the copy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Sorry, I'm not sure if I understood it right.

I'm not using the 'nobogons' option now. I'm using 'rfc1918' only, but I need access from several private addresses on the net. Normally the rfc1918 option drops any private addresses, and so I need entries in the rfc1918 file. Was that right?

I think it was right, because after the entries were made it works fine; the private addresses come in. Now I have the problem described above.

Another question I don't understand:

Which files is Shorewall using? The files in the directory /usr/share/shorewall or in /etc/shorewall?

Are there priorities for using the files, i.e. does it first look in /usr/share/shorewall and then in /etc/shorewall?

Thx.
Michael
Michael Menkhoff wrote:
| Sorry, I'm not sure if I understood it right.
|
| I'm not using the 'nobogons' option now. I'm using 'rfc1918' only, but I
| need access from several private addresses on the net. Normally the rfc1918
| option drops any private addresses, and so I need entries in the
| rfc1918 file. Was that right?

We don't know -- your entire problem report is just a few words, from which we learned that you have some sort of problem with setting the rfc1918 option and that you are now getting some log message referring to IP address 83.76.254.x. And that is all that we know. With only that to go on, we *guessed* that the problem was a stale rfc1918/bogons file, because the IP range 83.0.0.0/8 was recently allocated by the IANA.

Again, without a proper problem report, we can't help you.

|
| Another question I don't understand:
|
| Which files is Shorewall using? The files in the directory
| /usr/share/shorewall or in /etc/shorewall?
|
| Are there priorities for using the files, i.e. does it first look in
| /usr/share/shorewall and then in /etc/shorewall?

The order in which Shorewall searches directories is determined by the setting of CONFIG_PATH in shorewall.conf. The default is:

/etc/shorewall
/usr/share/shorewall

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
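The two mechanisms discussed in this thread can be reproduced offline without a running Shorewall: a stale bogons/rfc1918 file that still lists a since-allocated range (Tom's guess about 83.0.0.0/8), an exception entry for private addresses that must be let in (what Michael says he added to his rfc1918 file), and the CONFIG_PATH lookup order under which a copy in /etc/shorewall shadows the one in /usr/share/shorewall. The script below is an added example written for this page, not Shorewall's own code. It assumes the subnet files hold one "SUBNETS TARGET" pair per line with '#' comments and that the first matching entry wins, that CONFIG_PATH is a colon-separated list, and that the sample entries (including the constructed 10.1.2.0/24 RETURN line and the stale 83.0.0.0/8 line) are illustrative only.

```python
import ipaddress
import os
import tempfile

# Constructed sample in the layout assumed for Shorewall's rfc1918/bogons
# files: "SUBNETS TARGET" per line, '#' starts a comment, first match wins.
# The 83.0.0.0/8 line stands in for a bogons entry written before IANA
# allocated that /8; the 10.1.2.0/24 RETURN line is an exception that lets
# one private range through the rfc1918 checks.
STALE_SUBNET_FILE = """\
#SUBNETS          TARGET
10.1.2.0/24       RETURN    # constructed exception: allowed private range
10.0.0.0/8        logdrop
172.16.0.0/12     logdrop
192.168.0.0/16    logdrop
83.0.0.0/8        logdrop   # stale: this /8 has since been allocated
"""

# Same file with the stale entry removed, as an updated bogons file would be.
CURRENT_SUBNET_FILE = "\n".join(
    line for line in STALE_SUBNET_FILE.splitlines() if not line.startswith("83.")
) + "\n"


def parse_subnet_file(text):
    """Return [(network, target), ...] in file order; later code relies on order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        subnet, target = line.split()[:2]
        entries.append((ipaddress.ip_network(subnet, strict=False), target))
    return entries


def classify(entries, src):
    """Target applied to a packet from src: the first matching entry's target,
    or None when nothing matches and the packet goes on to the normal rules."""
    addr = ipaddress.ip_address(src)
    for net, target in entries:
        if addr in net:
            return target
    return None


def resolve_config_file(name, config_path):
    """Path of the first copy of `name` along the colon-separated config_path
    (assumption about CONFIG_PATH syntax), or None if no directory has it."""
    for directory in config_path.split(":"):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def config_path_demo():
    """Two throwaway directories standing in for /etc/shorewall and
    /usr/share/shorewall: returns the directory name each lookup resolves to,
    first with 'bogons' only in share, then with a (stale) copy also in etc."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        share = os.path.join(root, "share")
        os.makedirs(etc)
        os.makedirs(share)
        config_path = etc + ":" + share

        with open(os.path.join(share, "bogons"), "w") as f:
            f.write(CURRENT_SUBNET_FILE)
        only_in_share = resolve_config_file("bogons", config_path)

        # An old copy left behind in the first directory shadows the updated one.
        with open(os.path.join(etc, "bogons"), "w") as f:
            f.write(STALE_SUBNET_FILE)
        shadowed = resolve_config_file("bogons", config_path)

        return (os.path.basename(os.path.dirname(only_in_share)),
                os.path.basename(os.path.dirname(shadowed)))


if __name__ == "__main__":
    stale = parse_subnet_file(STALE_SUBNET_FILE)
    current = parse_subnet_file(CURRENT_SUBNET_FILE)
    for src in ("83.76.254.1", "10.1.2.7", "10.9.9.9"):
        print(src, "stale:", classify(stale, src), "current:", classify(current, src))
    print("lookup resolves to:", config_path_demo())
```

Running the script shows the symptom from the thread: 83.76.254.1 is matched by the stale entry and gets logdrop, while the updated file lets it through to the normal rules; 10.1.2.7 hits the RETURN exception but 10.9.9.9 is still dropped, which is why order matters when adding exceptions. The lookup demo shows the second point Tom makes: once a stale copy exists in the first CONFIG_PATH directory, updating the one in /usr/share/shorewall changes nothing.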
Thanks for trying to help me. I found the problem myself, and it runs now.

Michael