Hi all,
I have this situation.
Our branches are connected to the head office using VPN and branches access the internet through HQ's proxy. The topology is like this:
branch: 192.168.10.x --> branch router 192.168.10.1 --> HQ router 192.168.1.1 --> HQ proxy 192.168.1.250 --> Internet.

In the proxy, we add this static routing:
ip route add 192.168.10.0/24 via 192.168.1.1
ip route add 192.168.11.0/24 via 192.168.1.1
etc....

The proxy is FC4 with shorewall-2.4.6-1.fc4 and squid-2.5.STABLE11-3.FC4

Currently, all seems well. Branches can browse the internet (I fill in the proxy IP in the browser). Also they can access the mail server located on the same proxy box.

The problem is:
They cannot access their mailboxes at our ISP using Outlook Express. There is no problem if they access the mailserver on the proxy box.

From the branches, I can telnet 192.168.1.250 110, but I cannot telnet pop.myisp.net 110. Timed out.

Is there anything I should do on the proxy box regarding shorewall or anything else?

Thank you very much,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
08:15:55 up 11 min, 2.6.14-1.1653_FC4 GNU/Linux
Let's use OpenOffice. http://www.openoffice.org

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
On Friday 23 December 2005 08:29 am, Fajar Priyanto wrote:
> Hi all,
> I have this situation.
> Our branches are connected to the head office using VPN and branches access
> the internet through HQ's proxy. The topology is like this:
> branch: 192.168.10.x --> branch router 192.168.10.1 --> HQ router
> 192.168.1.1 --> HQ proxy 192.168.1.250 --> Internet.
>
> In the proxy, we add this static routing:
> ip route add 192.168.10.0/24 via 192.168.1.1
> ip route add 192.168.11.0/24 via 192.168.1.1
> etc....
>
> The proxy is FC4 with shorewall-2.4.6-1.fc4 and squid-2.5.STABLE11-3.FC4
>
> Currently, all seems well. Branches can browse the internet (I fill in the
> proxy IP in the browser). Also they can access the mail server located on
> the same proxy box.
>
> The problem is:
> They cannot access their mailboxes at our ISP using Outlook Express. There
> is no problem if they access the mailserver on the proxy box.
>
> From the branches, I can telnet 192.168.1.250 110, but I cannot telnet
> pop.myisp.net 110. Timed out.
>
> Is there anything I should do on the proxy box regarding shorewall or
> anything else?
>
> Thank you very much,

I notice these messages on the proxy box:

Dec 22 15:02:42 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=210.210.145.40 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=10254 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=768
Dec 22 15:02:48 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=210.210.145.40 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=10255 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024
Dec 22 15:18:02 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=112 DF PROTO=TCP SPT=1038 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:05 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=113 DF PROTO=TCP SPT=1038 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:11 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=114 DF PROTO=TCP SPT=1038 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:23 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=115 DF PROTO=TCP SPT=1039 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:26 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=116 DF PROTO=TCP SPT=1039 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:32 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=117 DF PROTO=TCP SPT=1039 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:38 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=136 DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:41 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=137 DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:47 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=138 DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:59 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=216.155.193.159 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=140 DF PROTO=TCP SPT=1046 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:21:02 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=216.155.193.159 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=141 DF PROTO=TCP SPT=1046 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0

tcp 5050 is when I try to run yahoo messenger on the branch office. 192.168.10.30 is the PC on the branch.
But regarding tcp 110, there is no message.
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
08:55:49 up 51 min, 2.6.14-1.1653_FC4 GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
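A small parser for the Shorewall log lines quoted above, added here as an example (it is not code from the thread or from Shorewall): it splits each line into the zone2zone chain, the disposition and the netfilter key=value fields, then counts blocked flows per protocol and destination port, which is the quickest way to confirm the observation that nothing to tcp/110 was ever dropped. The sample lines are a subset copied from the log above plus one constructed non-Shorewall line to show it is skipped.

```python
import re
from collections import Counter

# Sample input: a few of the kernel log lines quoted in the thread, in the
# Shorewall 2.x format "Shorewall:<zone2zone>:<disposition>:<netfilter fields>",
# plus one constructed unrelated line that the parser must ignore.
SAMPLE_LOG = """\
Dec 22 15:02:42 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=210.210.145.40 LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=10254 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=768
Dec 22 15:18:02 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=112 DF PROTO=TCP SPT=1038 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:05 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=113 DF PROTO=TCP SPT=1038 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:18:23 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=115 DF PROTO=TCP SPT=1039 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:38 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=136 DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:20:59 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.10.30 DST=216.155.193.159 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=140 DF PROTO=TCP SPT=1046 DPT=5050 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 22 15:21:00 adsl kernel: constructed unrelated message that must be ignored
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # ICMP lines carry ID= twice; keep the IP-header one
        else:
            rec["flags"].add(tok)     # bare tokens such as DF or SYN
    return rec


def summarize(text):
    """Count entries by (zone2zone chain, disposition, protocol, destination port)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[(rec["chain"], rec["disposition"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def was_blocked(text, proto, dport):
    """True if any DROP/REJECT entry targets proto/dport, e.g. ("TCP", 110)."""
    return any(disp in ("DROP", "REJECT") and p == proto and d == str(dport)
               for (_, disp, p, d) in summarize(text))


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, key)
    print("tcp/110 blocked:", was_blocked(SAMPLE_LOG, "TCP", 110))
```

Feed it the real file (`grep Shorewall: /var/log/messages`) and the counts show at a glance which zone pair and port each drop belongs to.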
On Thursday 22 December 2005 17:29, Fajar Priyanto wrote:
> Is there anything I should do on the proxy box regarding shorewall or
> anything else?

How could we possibly know? You haven't said ONE WORD about what your Shorewall configuration looks like. All you have shown us about "anything else" is TWO ROUTES. Do you seriously think that is all we need to solve your problem?

Fajar -- On the Shorewall site, there are very specific instructions for asking for help (follow the "Support" link from the home page). Please follow those instructions; otherwise, you are just wasting your time and ours.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Thursday 22 December 2005 17:29, Fajar Priyanto wrote:
>
>> Is there anything I should do on the proxy box regarding shorewall or
>> anything else?
>>
>
> How could we possibly know? You haven't said ONE WORD about what your
> Shorewall configuration looks like. All you have shown us about "anything
> else" is TWO ROUTES. Do you seriously think that is all we need to solve your
> problem?

Be nice, Tom... ;-)

Fajar - I'll reply with some suggestions shortly.

Paul
Fajar Priyanto wrote:
> ...
>> Our branches are connected to the head office using VPN and branches access
>> the internet through HQ's proxy. The topology is like this:
>> branch: 192.168.10.x --> branch router 192.168.10.1 --> HQ router
>> 192.168.1.1 --> HQ proxy 192.168.1.250 --> Internet.

Do your routers run Shorewall, or only the proxy?

>> ...
>> The problem is:
>> They cannot access their mailboxes at our ISP using Outlook Express. There
>> is no problem if they access the mailserver on the proxy box.
>>
>> From the branches, I can telnet 192.168.1.250 110, but I cannot telnet
>> pop.myisp.net 110. Timed out.

Where do your branch PCs get their DNS?

>> Is there anything I should do on the proxy box regarding shorewall or
>> anything else?

It's not likely the proxy box where your problem is. If your branches are connecting via VPN, you should probably let them connect directly from the branch PCs, through the branch router to the ISP. Then the head office router and the proxy need not be involved.

Another alternative is to provide users the ability to run fetchmail on the proxy server (webmin is a good way to do this), and then their ISP email and their corporate email would come into the same account.

> ...
> I notice this messages on the proxy box:
> Dec 22 15:02:42 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0
> SRC=192.168.10.30 DST=210.210.145.40 LEN=60 TOS=0x00 PREC=0x00 TTL=123
> ID=10254 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=768

That's something trying to ping pop.cbn.net.id - can't see why they would be doing that via your proxy unless *all* packets are routed through there.

> ...
> Dec 22 15:18:23 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0
> SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=115
> DF PROTO=TCP SPT=1039 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0

That looks like you've used telnet and forgotten the port 110 on the end.

> DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0
> Dec 22 15:20:41 adsl kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0
> SRC=192.168.10.30 DST=66.163.181.157 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=137
> DF PROTO=TCP SPT=1045 DPT=37 WINDOW=16384 RES=0x00 SYN URGP=0

Looks like Yahoo messenger is trying to use timep, or perhaps hide its traffic as timep?

> ...
> tcp 5050 is when I try to run yahoo messenger on the branch office.
> 192.168.10.30 is the PC on the branch.

Configure your branch PCs to use a proxy for Yahoo messenger. Then all the port 5050 traffic will come from the proxy. BTW, I also recommend making staff use GAIM for Yahoo messenger - their current messenger client is about 90% advertising.

> But regarding tcp 110, there is no message.

Probably because you forgot to add it on the end of the telnet command. :-)

I'd suggest breaking up your branch PCs into different zones, and adding policies for each of these zones, so it's easy to distinguish them from the Shorewall zone2zone tag. Then you'll also need a branch2net (or loc2net if you decide not to have separate zones for your branches) accept rule for tcp 110.

Paul
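A sketch of the zone split Paul suggests, written as an added example for the Shorewall 2.4 file layout (it is not configuration from this thread or from the Shorewall project). It assumes eth0 faces the Internet and eth1 the HQ LAN, as the IN=eth1 OUT=eth0 log lines indicate, and names the branch zone brnch (kept to five characters because of the 2.x zone-name limit); the fw→branch service ports other than 110 and DNS are assumptions, since the thread does not name the Squid port.

```text
# /etc/shorewall/zones   (the narrower zone is listed before the one it sits inside)
#ZONE    DISPLAY     COMMENTS
brnch    Branch      Branch LANs reached over the VPN via 192.168.1.1
loc      Local       HQ LAN
net      Net         Internet

# /etc/shorewall/interfaces   ("-" on eth1: its zones are defined in the hosts file)
#ZONE    INTERFACE   BROADCAST   OPTIONS
net      eth0        detect
-        eth1        detect

# /etc/shorewall/hosts
#ZONE    HOST(S)                  OPTIONS
loc      eth1:192.168.1.0/24
brnch    eth1:192.168.10.0/24
brnch    eth1:192.168.11.0/24

# /etc/shorewall/policy   (drops from the branches now log with a brnch2net tag;
#                          keep the existing loc/net/all lines as they are)
#SOURCE  DEST        POLICY      LOG LEVEL
brnch    net         DROP        info
brnch    fw          DROP        info
loc      net         DROP        info
net      all         DROP        info
all      all         REJECT      info

# /etc/shorewall/rules   (branch hosts no longer match loc rules, so re-grant what
#                         they already use on the proxy box: DNS, POP3 and the
#                         Squid listener, whose port is not given in the thread)
#ACTION  SOURCE      DEST        PROTO       DEST PORT(S)
ACCEPT   brnch       net         tcp         110
ACCEPT   brnch       fw          udp         53
ACCEPT   brnch       fw          tcp         110
ACCEPT   brnch       fw          tcp         SQUID_PORT_HERE
```

Run `shorewall check` before `shorewall restart`; afterwards a branch drop shows up as brnch2net:DROP instead of loc2net:DROP, which is the distinction Paul is after.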
On Friday 23 December 2005 10:35 am, Tom Eastep wrote:
> On Thursday 22 December 2005 17:29, Fajar Priyanto wrote:
> > Is there anything I should do on the proxy box regarding shorewall or
> > anything else?
>
> How could we possibly know? You haven't said ONE WORD about what your
> Shorewall configuration looks like. All you have shown us about "anything
> else" is TWO ROUTES. Do you seriously think that is all we need to solve
> your problem?
>
> Fajar -- On the Shorewall site, there are very specific instructions for
> asking for help (follow the "Support" link from the home page). Please
> follow those instructions; otherwise, you are just wasting your time and
> ours.

Ugh, yes, I'm very sorry Tom. My bad, I guess the pressure got me short-sighted.

Anyway, I visited the branch office again this morning to troubleshoot the problem, and it turns out that THAT SPECIFIC PC is the culprit. Its Windows XP has been damaged by viruses and it affects its Outlook Express too. Using my "clean" Windows XP on the notebook I am able to retrieve pop3 mails from the ISP server.

My apologies again to you, and all. Merry Christmas and Happy New Year.
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
13:06:54 up 6 min, 2.6.14-1.1653_FC4 GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
On Friday 23 December 2005 11:08 am, Paul Gear wrote:
> Do your routers run Shorewall, or only the proxy?

I'm not sure, it's a Cisco 1700 series.

> Where do your branch PCs get their DNS?

From the proxy/gateway PC at the HQ: 192.168.1.250

> That's something trying to ping pop.cbn.net.id - can't see why they
> would be doing that via your proxy unless *all* packets are routed
> through there.

That was me yesterday, trying to ping the ISP pop3 server.

> That looks like you've used telnet and forgotten the port 110 on the end.

You're right. Because of the viruses I couldn't use putty. So, I tried to use telnet from XP, but apparently forgot to type 110.

> Looks like Yahoo messenger is trying to use timep, or perhaps hide its
> traffic as timep?

Very possibly. No wonder that although I have blocked tcp 5050, some clients in the HQ are still able to do ym.

> > But regarding tcp 110, there is no message.
>
> Probably because you forgot to add it on the end of the telnet command.
> :-)
>
> I'd suggest breaking up your branch PCs into different zones, and adding
> policies for each of these zones, so it's easy to distinguish them from
> the Shorewall zone2zone tag. Then you'll also need a branch2net (or
> loc2net if you decide not to have separate zones for your branches)
> accept rule for tcp 110.
>
> Paul

I'll learn how to do that from the shorewall docs. Thank you very much Paul. You're very kind.
(See my other email regarding this problem. It turns out that it's virus related.)

Thank you,
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
13:11:28 up 11 min, 2.6.14-1.1653_FC4 GNU/Linux
Let's use OpenOffice. http://www.openoffice.org