Hello

I have a DNAT question.

I have my firewall with two interfaces, the local network and internet, and I want to redirect all www requests from the internet to a webserver on my local network.

I know that I can set up this feature with this line in rules:

DNAT net loc:192.168.1.240 tcp 80

And I am really sure that will work fine for internet users, but what about local network users?

I have two questions:

1-. should I add a line in rules like this for local networks:

DNAT loc loc:192.168.1.240 tcp 80

2-. should I configure the local interface in the interfaces file with the routeback attribute?

Thanks in advance

Mario
1-. should I add a line in rules like this for local networks:
DNAT loc loc:192.168.1.240 tcp 80

>> If you are requesting from your local network, let's say 192.168.1.0/24,
>> you don't have to touch your firewall rules, because you are locally
>> connected to your webserver.
>> Only the traffic from outside has to "walkthrough" the firewall. Your
>> local traffic is switched by your switches without being transferred to
>> your local firewall interface. There are no rules necessary for local
>> access.

2-. should I configure the local interface in the interfaces file with the routeback attribute?

>> If I take a look at this case - No.

Cheers
Mike

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Mario Beltran
Sent: Thursday, 24 November 2005 22:01
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] a DNAT question

Hello

I have a DNAT question.

I have my firewall with two interfaces, the local network and internet, and I want to redirect all www requests from the internet to a webserver on my local network.

I know that I can set up this feature with this line in rules:

DNAT net loc:192.168.1.240 tcp 80

And I am really sure that will work fine for internet users, but what about local network users?

I have two questions:

1-. should I add a line in rules like this for local networks:

DNAT loc loc:192.168.1.240 tcp 80

2-. should I configure the local interface in the interfaces file with the routeback attribute?

Thanks in advance

Mario
Hi,

This isn't necessary if the web server and the local client are in the same zone. If they are in the same zone and you need to access the web server using the external IP address of it, use the following rule:

DNAT loc loc:192.168.1.240 tcp www - <EXT_IP>

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Mario Beltran
Sent: Thursday, November 24, 2005 1:01 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] a DNAT question

Hello

I have a DNAT question.

I have my firewall with two interfaces, the local network and internet, and I want to redirect all www requests from the internet to a webserver on my local network.

I know that I can set up this feature with this line in rules:

DNAT net loc:192.168.1.240 tcp 80

And I am really sure that will work fine for internet users, but what about local network users?

I have two questions:

1-. should I add a line in rules like this for local networks:

DNAT loc loc:192.168.1.240 tcp 80

2-. should I configure the local interface in the interfaces file with the routeback attribute?

Thanks in advance

Mario
But I omitted one point. My local users will try to connect to the internet interface, because when they write www.mydomaim.com the DNS of my ISP will answer that the IP for this website is the public IP.

DNAT on the public interface will work fine too for connection requests from local users?

Thanks in advance

Mario

info@kws-netzwerke.de wrote:

> 1-. should I add a line in rules like this for local networks:
> DNAT loc loc:192.168.1.240 tcp 80
>
>>> If you are requesting from your local network, let's say 192.168.1.0/24,
>>> you don't have to touch your firewall rules, because you are locally
>>> connected to your webserver.
>>> Only the traffic from outside has to "walkthrough" the firewall. Your
>>> local traffic is switched by your switches without being transferred to
>>> your local firewall interface. There are no rules necessary for local
>>> access.
>
> 2-. should I configure the local interface in the interfaces file with
> the routeback attribute?
>
>>> If I take a look at this case - No.
On Thursday 24 November 2005 13:34, Mario Beltran wrote:

> But I omitted one point. My local users will try to connect to the internet
> interface, because when they write www.mydomaim.com the DNS of my
> ISP will answer that the IP for this website is the public IP.
>
> DNAT on the public interface will work fine too for connection requests
> from local users?

Please see Shorewall FAQ 2.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> On Thursday 24 November 2005 13:34, Mario Beltran wrote:
>
>> But I omitted one point. My local users will try to connect to the internet
>> interface, because when they write www.mydomaim.com the DNS of my
>> ISP will answer that the IP for this website is the public IP.
>>
>> DNAT on the public interface will work fine too for connection requests
>> from local users?
>
> Please see Shorewall FAQ 2.
>
> -Tom

Hey Tom, you are the man.

I followed the FAQ 2 instructions and it works fine for local users.

Thank you very much :)
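The case raised in this thread, modelled as an added example (not part of any message above and not Shorewall code): a LAN client that connects to the firewall's public address is DNATed to a server on its own subnet, and the server's reply then bypasses the firewall. All addresses except 192.168.1.240 are constructed, and source NAT to the firewall's LAN address is assumed as the corrective step.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
SERVER = ip_address("192.168.1.240")   # web server address from the thread
EXT_IP = ip_address("203.0.113.10")    # constructed: firewall public address
FW_LAN = ip_address("192.168.1.254")   # constructed: firewall LAN address


def reply_source_seen_by_client(client, snat_on_loc):
    """Trace one request to EXT_IP:80 and return the source address
    that the client sees on the reply packet."""
    client = ip_address(client)
    # The firewall DNATs the destination EXT_IP -> SERVER. With SNAT on the
    # loc interface it also rewrites the source to its own LAN address.
    seen_by_server = FW_LAN if snat_on_loc else client
    # The server replies to the source it saw. A same-subnet address other
    # than the firewall is reached directly through the switch, so the
    # firewall never gets the chance to reverse the DNAT.
    if seen_by_server in LAN and seen_by_server != FW_LAN:
        return SERVER
    # Otherwise the reply is routed via the firewall, whose connection
    # tracking restores EXT_IP as the source before forwarding it.
    return EXT_IP


def connection_works(client, snat_on_loc):
    """A TCP client only accepts a reply from the address it connected to;
    a reply arriving from SERVER instead of EXT_IP is rejected."""
    return reply_source_seen_by_client(client, snat_on_loc) == EXT_IP


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", False),   # constructed internet client, DNAT only
        ("192.168.1.10", False),   # constructed LAN client, DNAT only
        ("192.168.1.10", True),    # constructed LAN client, DNAT plus SNAT
    ]
    for client, snat in cases:
        seen = reply_source_seen_by_client(client, snat)
        status = "ok" if connection_works(client, snat) else "broken"
        print(f"{client:15} snat={snat!s:5} reply from {seen} -> {status}")
```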
John Rufino
2005-Dec-22 15:26 UTC
Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated
Hi

I have installed shorewall in my debian system using apt-get install shorewall. I have gone into default and enabled startup=1. I restarted my linux box.

When I try to restart shorewall it gives me an error:

/etc/init.d/shorewall:line 121: 1563 terminated $SRWL restart >>$INITLOG 2>&1.

Looking in init.d/shorewall there is a line esac?

I'm using kernel version 2.4.27.

Thanks
John
Tom Eastep
2005-Dec-22 15:38 UTC
Re: Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated
On Thursday 22 December 2005 07:26, John Rufino wrote:

> Hi
>
> I have installed shorewall in my debian system using apt-get install
> shorewall. I have gone into default and enabled startup=1. I restarted
> my linux box.
>
> When I try to restart shorewall it gives me an error:
>
> /etc/init.d/shorewall:line 121: 1563 terminated $SRWL restart >>$INITLOG 2>&1.
>
> Looking in init.d/shorewall there is a line esac?
>
> I'm using kernel version 2.4.27.

What version of Shorewall did you install ("shorewall version")? Given that you are running a 2.4 kernel, you're probably running some ancient version of Shorewall that doesn't even have online documentation anymore. If your version of Shorewall is earlier than 2.2.3, I recommend upgrading before you continue.

Then follow the instructions in the relevant QuickStart Guide for configuring Shorewall (follow the "Documentation" link from the Shorewall home page). The whole point of requiring the setting of "startup=1" is that Shorewall requires configuration before it can be successfully started.

After you have read the QuickStart Guide and followed the instructions, you will also have learned that starting Shorewall is best accomplished using the command "shorewall start". That way, the progress and error messages are returned to your terminal rather than written to /var/log/shorewall-init.log.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
John Rufino
2005-Dec-23 07:03 UTC
Re: Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated
I am using shorewall version 2.2

Tom Eastep wrote:

> On Thursday 22 December 2005 07:26, John Rufino wrote:
>
>> Hi
>>
>> I have installed shorewall in my debian system using apt-get install
>> shorewall. I have gone into default and enabled startup=1. I restarted
>> my linux box.
>>
>> When I try to restart shorewall it gives me an error:
>>
>> /etc/init.d/shorewall:line 121: 1563 terminated $SRWL restart >>$INITLOG 2>&1.
>>
>> Looking in init.d/shorewall there is a line esac?
>>
>> I'm using kernel version 2.4.27.
>
> What version of Shorewall did you install ("shorewall version")? Given that
> you are running a 2.4 kernel, you're probably running some ancient version of
> Shorewall that doesn't even have online documentation anymore. If your
> version of Shorewall is earlier than 2.2.3, I recommend upgrading before you
> continue.
>
> Then follow the instructions in the relevant QuickStart Guide for configuring
> Shorewall (follow the "Documentation" link from the Shorewall home page). The
> whole point of requiring the setting of "startup=1" is that Shorewall
> requires configuration before it can be successfully started.
>
> After you have read the QuickStart Guide and followed the instructions, you
> will also have learned that starting Shorewall is best accomplished using the
> command "shorewall start". That way, the progress and error messages are
> returned to your terminal rather than written to /var/log/shorewall-init.log.
>
> -Tom
Shorewall List
2005-Dec-23 18:20 UTC
RE: Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated
I'm sure by now you realize that 2.2 isn't supported any more and you are not likely to get help with your problem until you upgrade to Shorewall 3.0.3. It's not hard to imagine that upgrading to a current version may even solve the problem completely....

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of John Rufino
Sent: Thursday, December 22, 2005 11:04 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated

I am using shorewall version 2.2

Tom Eastep wrote:

> On Thursday 22 December 2005 07:26, John Rufino wrote:
>
>> Hi
>>
>> I have installed shorewall in my debian system using apt-get install
>> shorewall. I have gone into default and enabled startup=1. I restarted
>> my linux box.
>>
>> When I try to restart shorewall it gives me an error:
>>
>> /etc/init.d/shorewall:line 121: 1563 terminated $SRWL restart >>$INITLOG 2>&1.
>>
>> Looking in init.d/shorewall there is a line esac?
>>
>> I'm using kernel version 2.4.27.
>
> What version of Shorewall did you install ("shorewall version")? Given that
> you are running a 2.4 kernel, you're probably running some ancient version of
> Shorewall that doesn't even have online documentation anymore. If your
> version of Shorewall is earlier than 2.2.3, I recommend upgrading before you
> continue.
>
> Then follow the instructions in the relevant QuickStart Guide for configuring
> Shorewall (follow the "Documentation" link from the Shorewall home page). The
> whole point of requiring the setting of "startup=1" is that Shorewall
> requires configuration before it can be successfully started.
>
> After you have read the QuickStart Guide and followed the instructions, you
> will also have learned that starting Shorewall is best accomplished using the
> command "shorewall start". That way, the progress and error messages are
> returned to your terminal rather than written to /var/log/shorewall-init.log.
>
> -Tom
Tom Eastep
2005-Dec-23 20:01 UTC
Re: Question error Newbie - /etc/init.d/shorewall:line 121: 1563 terminated
On Friday 23 December 2005 10:20, Shorewall List wrote:

> I'm sure by now you realize that 2.2 isn't supported any more and you
> are not likely to get help with your problem until you upgrade to
> Shorewall 3.0.3. It's not hard to imagine that upgrading to a current
> version may even solve the problem completely....

I'm willing to help people get 2.2 running -- I'm just not going to read a lot of code to help solve their problem and if there's a Shorewall bug in 2.2, there won't be any updates from me.

2.2.3 is still the current version for Sarge so Debian bug reports against it are accepted.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key