hi,

My firewall has been showing a weird problem recently. It cannot perform the MASQ/DNAT properly on a specific port. I have two FWs working in failover mode. They have exactly the same configuration, but one can't perform MASQ properly and the other can't perform DNAT properly when the FW fails over. The configuration file at first is as follows:

interfaces:
publc eth0 detect arp_filter
privt eth3 detect arp_filter

masq:
eth0 eth3

Everything worked fine. When the FW failed over, I found our internal PBX could not be masqed normally on the IAX port (4569); the traffic was going out without being masqed. As our PBX is an internal server, it has to be masqed. To make it work, I complicated the rules to let it perform a DNAT first; I appended the following rule to the rules file:

DNAT privt:192.168.101.5 publc:204.14.17.15 udp 4569 4569 fw - -

where $fw is our eth0 IP address. Then it worked fine without problem. However, when the FW failed over again (they keep the same configuration at all times), the FW can't perform the DNAT and the packets disappear when they enter eth3. I can see them through tcpdump, but can't see any packets at eth0. Any idea about this? Any help is highly appreciated.

kent
On Tuesday 06 December 2005 14:39, xin lu wrote:

> hi,
>
> My firewall has been showing a weird problem recently. It cannot perform the
> MASQ/DNAT properly on a specific port. I have two FWs working in failover mode.
> They have exactly the same configuration, but one can't perform MASQ properly
> and the other can't perform DNAT properly when the FW fails over. The
> configuration file at first is as follows:
>
> interfaces:
> publc eth0 detect arp_filter
> privt eth3 detect arp_filter
> masq:
> eth0 eth3
>
> Everything worked fine. When the FW failed over, I found our internal PBX could not
> be masqed normally on the IAX port (4569); the traffic was going out without
> being masqed. As our PBX is an internal server, it has to be masqed. To make
> it work, I complicated the rules to let it perform a DNAT first; I appended
> the following rule to the rules file:
>
> DNAT privt:192.168.101.5 publc:204.14.17.15 udp 4569 4569 fw - -
>
> where $fw is our eth0 IP address. Then it worked fine without problem.

I would need to see a real problem report before I could even guess what the problem is. Follow the appropriate link at the bottom of http://www.shorewall.net/support.html to find instructions for submitting a help request that involves a connection problem.

> However, when the FW failed over again (they keep the same
> configuration at all times), the FW can't perform the DNAT and the packets
> disappear when they enter eth3. I can see them through tcpdump, but
> can't see any packets at eth0. Any idea about this? Any help is highly
> appreciated.
>

When you study the failover problem using tcpdump, I recommend using the -e option and verifying that the PBX is using the correct link-level address for the default gateway. Sounds like it isn't.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
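Tom's `tcpdump -e` check, worked through as an added example that is not part of the list thread and not Shorewall code: a small Python script that parses `tcpdump -e -n` output and reports which destination MAC the PBX is using for off-subnet traffic, flagging every frame handed to anything other than the expected gateway MAC. The capture is a constructed sample in the line format of tcpdump 3.9 and later; the MAC addresses, the remote peer 198.51.100.7 and the "stale entry after failover" scenario are assumptions for illustration, not facts from the thread.

```python
import ipaddress
import re
from collections import Counter

# Link-level header that `tcpdump -e -n` prints in front of each IPv4 frame
# (format of tcpdump 3.9 and later; older releases differ slightly).
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+"
    r"ethertype IPv4 \(0x0800\),\s+length\s+\d+:\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):",
    re.IGNORECASE,
)


def parse_frame(line):
    """Return the addresses of one `tcpdump -e -n` IPv4 line, or None for
    lines the regex does not cover (ARP, IPv6, tcpdump banners, ...)."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["smac"] = f["smac"].lower()
    f["dmac"] = f["dmac"].lower()
    f["sport"] = int(f["sport"])
    f["dport"] = int(f["dport"])
    return f


def audit_gateway_mac(lines, host_ip, expected_gw_mac, local_net):
    """For frames sent by host_ip to addresses outside local_net (which must
    therefore be handed to the default gateway), count the destination MACs
    used and collect every frame addressed to something other than
    expected_gw_mac. A non-empty second result means the host is still
    resolving its gateway to the wrong box (e.g. the firewall that failed)."""
    net = ipaddress.ip_network(local_net)
    expected = expected_gw_mac.lower()
    dst_macs = Counter()
    stale = []
    for line in lines:
        f = parse_frame(line)
        if f is None or f["sip"] != host_ip:
            continue
        if ipaddress.ip_address(f["dip"]) in net:
            continue  # delivered on the LAN directly; gateway not involved
        dst_macs[f["dmac"]] += 1
        if f["dmac"] != expected:
            stale.append(line.strip())
    return dst_macs, stale


# Constructed sample capture (not a real trace). Assumed values:
#   PBX              192.168.101.5      00:0c:29:11:22:33
#   active FW eth3                      00:0c:29:aa:aa:01  (MAC the PBX should use)
#   standby FW eth3                     00:0c:29:bb:bb:02  (stale entry after failover)
#   remote IAX peer  198.51.100.7       (documentation address range)
SAMPLE_CAPTURE = """\
14:39:01.000100 00:0c:29:11:22:33 > 00:0c:29:aa:aa:01, ethertype IPv4 (0x0800), length 60: 192.168.101.5.4569 > 198.51.100.7.4569: UDP, length 18
14:39:01.000200 00:0c:29:11:22:33 > 00:0c:29:aa:aa:01, ethertype IPv4 (0x0800), length 60: 192.168.101.5.4569 > 198.51.100.7.4569: UDP, length 18
14:39:02.000300 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.101.1 tell 192.168.101.5, length 28
14:39:05.000400 00:0c:29:11:22:33 > 00:0c:29:bb:bb:02, ethertype IPv4 (0x0800), length 60: 192.168.101.5.4569 > 198.51.100.7.4569: UDP, length 18
14:39:05.000500 00:0c:29:11:22:33 > 00:0c:29:bb:bb:02, ethertype IPv4 (0x0800), length 60: 192.168.101.5.4569 > 198.51.100.7.4569: UDP, length 18
14:39:06.000600 00:0c:29:11:22:33 > 00:0c:29:cc:cc:03, ethertype IPv4 (0x0800), length 60: 192.168.101.5.5060 > 192.168.101.20.5060: UDP, length 18
"""

PBX_IP = "192.168.101.5"
ACTIVE_GW_MAC = "00:0c:29:aa:aa:01"
LAN = "192.168.101.0/24"


def main():
    dst_macs, stale = audit_gateway_mac(
        SAMPLE_CAPTURE.splitlines(), PBX_IP, ACTIVE_GW_MAC, LAN)
    for mac, n in dst_macs.most_common():
        tag = "ok" if mac == ACTIVE_GW_MAC else "NOT the active gateway"
        print(f"{mac}: {n} off-subnet frame(s) [{tag}]")
    for line in stale:
        print("stale:", line)


if __name__ == "__main__":
    main()
```

To use it on a real pair, capture on the internal interface of the firewall that should be active (`tcpdump -e -n -i eth3 udp port 4569`), take the expected gateway MAC from `ip link show eth3` on that box (or the shared virtual MAC if the failover setup uses one), and compare with the gateway entry the PBX itself holds (`arp -n` on the PBX). Frames that show up on eth3 with the wrong destination MAC are exactly the ones Tom describes: the firewall sees them in tcpdump but never forwards them, so nothing appears on eth0. The thread does not establish which side is at fault, so the script only reports the mismatch.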
hi,

Sorry, I forgot to provide my Shorewall and system versions.

shorewall: 2.4.5
System: 2.6.12-1.1398_FC4

It looks like it's an on/off problem. When the FW failed over yesterday again, the masq on the other FW was also working; unfortunately, both DNAT rules were not working. So my question is: what's the root cause of this problem? Can any parameter be tuned to make it work normally? Thx
On Wednesday 07 December 2005 08:09, xin lu wrote:

> hi,
>
> Sorry, I forgot to provide my Shorewall and system versions.
>
> shorewall: 2.4.5
> System: 2.6.12-1.1398_FC4
>
> It looks like it's an on/off problem. When the FW failed over yesterday
> again, the masq on the other FW was also working; unfortunately, both DNAT
> rules were not working. So my question is: what's the root cause of this
> problem? Can any parameter be tuned to make it work normally? Thx
>

I think you are looking at the problem the wrong way -- rather than thinking of it as a problem with a specific port, you should be thinking of it as a problem with a specific *device* (the PBX).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key