I have a LAN with Shorewall running as firewall and two local machines, where 10.1.1.2 and 10.1.1.15 are two internal mail servers and where 124.124.124.124 and 123.123.123.123 are the external IPs for the mail servers.

The two mail servers need to communicate with each other via SMTP (for sending mail from domains hosted on one to the other) but it's giving issues.

Specifically, when one server tries to connect to the other it looks up the record and gets the external IP address and therefore tries to connect via that address.

So I'm trying to set up the following rules to direct the traffic correctly, as it cannot connect directly using the external IP address.

DNAT lan:10.1.1.2 lan:10.1.1.15 tcp smtp - 124.124.124.124
DNAT lan:10.1.1.15 lan:10.1.1.2 tcp smtp - 123.123.123.123

This (in my view) should route traffic from 10.1.1.2 directed to 124.124.124.124 to 10.1.1.15 and vice versa.

Am I making a mistake? As the connections still aren't allowed.
----- Original Message -----
From: "Kevin Dermody" <kevind@go2.ie>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, June 08, 2005 08:50
Subject: [Shorewall-users] DNAT Issue

> I have a LAN with Shorewall running as firewall and two local machines,
> where 10.1.1.2 and 10.1.1.15 are two internal mail servers and where
> 124.124.124.124 and 123.123.123.123 are the external IPs for the mail
> servers.
>
> The two mail servers need to communicate with each other via SMTP
> (for sending mail from domains hosted on one to the other) but it's
> giving issues.
>
> Specifically, when one server tries to connect to the other it looks up the
> record and gets the external IP address and therefore tries to connect
> via that address.
>
> So I'm trying to set up the following rules to direct the traffic
> correctly, as it cannot connect directly using the external IP address.
>
> DNAT lan:10.1.1.2 lan:10.1.1.15 tcp smtp - 124.124.124.124
> DNAT lan:10.1.1.15 lan:10.1.1.2 tcp smtp - 123.123.123.123
>
> This (in my view) should route traffic from 10.1.1.2 directed to
> 124.124.124.124 to 10.1.1.15 and vice versa.
>
> Am I making a mistake? As the connections still aren't allowed.

Can you post your config files please, this sounds like a FAQ: http://www.shorewall.net/FAQ.htm#faq2

Think you're missing routeback for the interface in the interfaces file, or maybe the masq statement in masq.

Jerry
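The hairpin-NAT setup Jerry's FAQ 2 pointer describes, as an added example that is not part of the original thread or of Shorewall's own documentation: the three Shorewall 2.x config fragments that have to agree before one LAN host can reach another LAN host through its external address. The zone name, host addresses and SMTP rules are taken from Kevin's message; the local interface name eth1 and the LAN prefix 10.1.1.0/24 are assumptions.

```text
# /etc/shorewall/interfaces  (assumed: the LAN zone "lan" is on eth1)
# routeback lets the firewall forward a packet back out the same
# interface it arrived on, which is exactly what a LAN-to-LAN DNAT does.
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     eth1        detect      routeback

# /etc/shorewall/rules  (Kevin's rules, unchanged)
# ORIGINAL DEST is the external address the client actually dialled;
# DEST is the internal host the connection is rewritten to.
#ACTION  SOURCE          DEST            PROTO  DEST    SOURCE  ORIGINAL
#                                               PORT    PORT    DEST
DNAT     lan:10.1.1.2    lan:10.1.1.15   tcp    smtp    -       124.124.124.124
DNAT     lan:10.1.1.15   lan:10.1.1.2    tcp    smtp    -       123.123.123.123

# /etc/shorewall/masq  (assumed LAN prefix 10.1.1.0/24)
# Source-NAT LAN-to-LAN traffic leaving eth1 to the firewall's eth1 address
# so the server's replies come back through the firewall to be un-NATed.
#INTERFACE  SUBNET          ADDRESS
eth1        10.1.1.0/24
```

Without the masq entry the rewritten SYN arrives at 10.1.1.15 with source 10.1.1.2, so 10.1.1.15 answers 10.1.1.2 directly over the LAN; the firewall never sees that SYN-ACK, cannot translate its source back to 124.124.124.124, and the client discards it as belonging to no known connection. The `routeback` option is needed because, without it, Shorewall refuses to forward traffic back out eth1. The side effect is that each mail server's logs show connections coming from the firewall rather than from its peer; the FAQ's alternative, giving the LAN a DNS view in which each hostname resolves to its 10.1.1.x address, avoids the NAT altogether and keeps the real source addresses in the logs.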
Hello,

I want to blacklist some IPs (127000 IP ranges) :) and Shorewall needs really long to load this... or better, it crashes my PC (450 MHz, no X) after loading some thousands of them. Under Windows there is a program called Portowall that should work with that many IPs.... Can I realise this with Shorewall, or is there a program available under Linux that can do this for me?

Greets,
Peter
> Hello,
>
> I want to blacklist some IPs (127000 IP ranges) :) and Shorewall needs really
> long to load this... or better, it crashes my PC (450 MHz, no X) after loading
> some thousands of them. Under Windows there is a program called Portowall that
> should work with that many IPs.... Can I realise this with Shorewall, or is
> there a program available under Linux that can do this for me?
>
> Greets,
> Peter

This is in the mailing list archive http://lists.shorewall.net/ July 2004:
http://www.google.com/search?ie=UTF-8&oe=UTF-8&as_sitesearch=lists.shorewall.net&q=blacklist+speed

Dug through my mail for you, highlights below:

quote/
> This is FAQ 34.
>
> a) Use a lightweight shell like ash or dash (see SHOREWALL_SHELL in
> shorewall.conf).
>
> b) Use the -q option to [re]start.
>

I have a few minutes so I'll try to recap.

a) The bulk of the time spent during 'shorewall [re]start' is in iptables if you are using a lightweight shell such as 'ash'.

b) Adding rules to a long chain in iptables is expensive. IIRC, there was a fix created for that at some point which makes such additions faster.

c) In my opinion, having a huge blacklist is not useful. By the time you get an address blacklisted, the damage if any is done, and repeat offenders are rare.

d) A large blacklist takes forever to load and can impact firewall performance dramatically (BLACKLISTNEWONLY=Yes can help).

e) You can load your blacklist after 'shorewall [re]start' completes by:

1. Placing an empty blacklist file in /etc/shorewall
2. Placing your real blacklist file in /etc/blacklist/blacklist
3. In /etc/shorewall/start, place:

   CONFIG_PATH=/etc/blacklist:$CONFIG_PATH
   blacklist_refresh

-Tom
--
/quote

You might want to look at ipsets also.

Jerry