I am trying to print to a remote printer.

The setup is as follows: a typical 3-interface firewall (net, loc, dmz). In the local zone there is a print server that has print queues for printers (connected to an HP JetDirect box) at a remote site. A "shorewall clear" lets the printers work.

Nothing shows up as being dropped in the logs. My configuration files follow the example files provided in the three-interface example. Included below is my rules file.

I am at a loss why printing is not working, because nothing shows in the logs as being dropped or rejected. I have tried opening ports tcp 9100:9102 and also DNAT'ed those ports to the print server (which is what my rules say now). Any hints on how to troubleshoot this?

Here is my rules file:

#############################################################################################################
#ACTION         SOURCE          DEST                    PROTO   DEST            SOURCE  ORIGINAL  RATE    USER/
#                                                               PORT            PORT(S) DEST      LIMIT   GROUP
#
# Connections to Firewall itself
#
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      net             $FW
# FTP Connections from remote sites
FTP/ACCEPT      net             $FW
# Samba Filesharing
SMB/ACCEPT      loc             $FW
SMB/ACCEPT      $FW             loc
DNS/ACCEPT      $FW             loc
DNS/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
#
# DNAT Rules
#
DNAT            net             loc:192.168.60.10       tcp     9100:9102
DNAT            net             dmz:192.168.12.5        tcp     80,443
MSExchange/DNAT net             loc:192.168.60.11
DNAT            net             loc:192.168.60.15       tcp     16705           # pixis
#
# Remote Management Ports
#
ACCEPT          loc             all                     tcp     5800:5899,5900:5999     # VNC
PCA/DNAT        net             loc:192.168.60.15                               # PCAnywhere ports
PCA/DNAT        net             loc:192.168.60.16                               # PCAnywhere
PCA/DNAT        net             loc:192.168.60.129
#
# DMZ Connections
#
DNS/ACCEPT      net             dmz
Web/ACCEPT      net             dmz
Web/ACCEPT      dmz             loc
ACCEPT          dmz             loc                     tcp     1494
#
# Local Connections
#
ACCEPT          net             loc                     tcp     52314           # Quest Ports
ACCEPT          net             loc                     tcp     52316           # Quest Ports
ACCEPT          net             loc                     tcp     2546            # ??? Forgot
ACCEPT          loc             dmz                     tcp     80,443
#
# PING Management Section
#
# Reject Ping from the "bad" net zone.
Ping/REJECT     net             $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net

ACCEPT          $FW             net                     icmp
ACCEPT          $FW             loc                     icmp
ACCEPT          $FW             dmz                     icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This line:

DNAT            net             loc:192.168.60.10       tcp     9100:9102

looks OK, but God knows where the mistake is.

Back up your current configuration and try a simple configuration.

/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,blacklist
loc     eth1            detect
dmz     eth2            detect

/etc/shorewall/zones
#ZONE
net
loc
dmz

/etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
loc     net     ACCEPT
all     all     REJECT  info

/etc/shorewall/rules
DNAT    net     loc:192.168.60.10       tcp     9100

I'm not sure nothing is missing (check the documentation), but the idea is to make it simple and try to find the mistake.

Also try the tool nmap (http://www.insecure.org/nmap/index.html) from the net zone to check whether port 9100 is responding:

#nmap -P0 your_ip -p 9100

Good luck
Dexter

On Mon, 2006-01-30 at 10:20 -0700, Andrew Niemantsverdriet wrote:
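Dexter's advice amounts to "make the rule set small enough to reason about". The evaluator below is an added example for this thread, not code from Shorewall or from either poster: it takes the rules file Andrew posted together with Dexter's two-line policy and, for a given connection (source zone, destination zone, protocol, destination port), reports which rule line fires first or, if none does, which policy applies and whether that policy logs. The macro expansions for SSH, FTP, DNS, Web, Ping and SMB are constructed approximations of Shorewall's macro.* files; MSExchange and PCA are deliberately left unexpanded and reported as unevaluated rather than silently treated as non-matching. The address part of a DEST column (the loc:192.168.60.10 in a DNAT line) is reported as the DNAT target and not used as a match criterion, and the SOURCE PORT and ORIGINAL DEST columns are not modelled.

```python
"""Offline evaluator for a Shorewall rules table plus policy table.
Added example for this thread, not Shorewall code. Macro expansions are
constructed approximations of Shorewall's macro.* files."""

# Constructed approximations of Shorewall macros: (protocol, port list).
# Macros missing here (MSExchange, PCA) are reported as unevaluated.
MACROS = {
    "SSH": [("tcp", "22")],
    "FTP": [("tcp", "21")],
    "DNS": [("udp", "53"), ("tcp", "53")],
    "Web": [("tcp", "80,443")],
    "Ping": [("icmp", "8")],
    "SMB": [("udp", "135,137:139,445"), ("tcp", "135,139,445")],
}

# Rules as posted in the thread; policy as Dexter suggested (both embedded here).
RULES = """
SSH/ACCEPT      loc     $FW
SSH/ACCEPT      net     $FW
FTP/ACCEPT      net     $FW
SMB/ACCEPT      loc     $FW
SMB/ACCEPT      $FW     loc
DNS/ACCEPT      $FW     loc
DNS/ACCEPT      loc     $FW
SSH/ACCEPT      loc     dmz
DNAT            net     loc:192.168.60.10   tcp     9100:9102
DNAT            net     dmz:192.168.12.5    tcp     80,443
MSExchange/DNAT net     loc:192.168.60.11
DNAT            net     loc:192.168.60.15   tcp     16705   # pixis
ACCEPT          loc     all                 tcp     5800:5899,5900:5999   # VNC
PCA/DNAT        net     loc:192.168.60.15
PCA/DNAT        net     loc:192.168.60.16
PCA/DNAT        net     loc:192.168.60.129
DNS/ACCEPT      net     dmz
Web/ACCEPT      net     dmz
Web/ACCEPT      dmz     loc
ACCEPT          dmz     loc                 tcp     1494
ACCEPT          net     loc                 tcp     52314
ACCEPT          net     loc                 tcp     52316
ACCEPT          net     loc                 tcp     2546
ACCEPT          loc     dmz                 tcp     80,443
Ping/REJECT     net     $FW
Ping/ACCEPT     loc     $FW
Ping/ACCEPT     dmz     $FW
Ping/ACCEPT     loc     dmz
Ping/ACCEPT     dmz     loc
Ping/ACCEPT     dmz     net
ACCEPT          $FW     net                 icmp
ACCEPT          $FW     loc                 icmp
ACCEPT          $FW     dmz                 icmp
"""
POLICY = """
loc     net     ACCEPT
all     all     REJECT  info
"""

def port_in_list(port, spec):
    """True if port is in a Shorewall port list such as '80,443' or '9100:9102'."""
    return spec == "-" or any(
        int(lo) <= port <= int(hi or lo)
        for lo, _, hi in (item.partition(":") for item in spec.split(",")))

def rows(text):
    """Yield (line, columns) for each non-comment, non-blank row of a table."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line, line.split()

def zone_ok(col, zone):
    """Zone column may be 'all', 'zone' or 'zone:address'; the address is not matched."""
    return col.split(":", 1)[0] in ("all", zone)

def evaluate(rules, policy, src, dst, proto, dport):
    """First matching rule wins; if none matches, the first matching policy applies."""
    unevaluated = []
    for line, cols in rows(rules):
        action, rsrc, rdst = cols[:3]
        if not (zone_ok(rsrc, src) and zone_ok(rdst, dst)):
            continue
        macro, _, base = action.partition("/")
        if base:                              # MACRO/ACTION form, e.g. SSH/ACCEPT
            if macro not in MACROS:
                unevaluated.append(line)      # no expansion known: cannot decide
                continue
            action, specs = base, MACROS[macro]
        else:                                 # explicit PROTO and DEST PORT columns
            padded = cols + ["-", "-"]
            specs = [(padded[3], padded[4])]
        for rproto, rport in specs:
            if rproto in ("-", proto) and port_in_list(dport, rport):
                return {"action": action, "rule": line, "policy": None, "log": None,
                        "target": rdst.partition(":")[2] or None,
                        "unevaluated": unevaluated}
    for line, cols in rows(policy):
        if zone_ok(cols[0], src) and zone_ok(cols[1], dst):
            return {"action": cols[2], "rule": None, "policy": line,
                    "log": cols[3] if len(cols) > 3 else None,
                    "target": None, "unevaluated": unevaluated}
    raise ValueError("no policy covers %s -> %s" % (src, dst))

if __name__ == "__main__":
    for q in [("net", "loc", "tcp", 9100), ("loc", "net", "tcp", 9100), ("net", "loc", "tcp", 9103)]:
        r = evaluate(RULES, POLICY, *q)
        print(q, "->", r["action"], r["rule"] or r["policy"], r["target"] or "")
```

Run against the posted file with Dexter's policy, this shows why the logs stay quiet: a connection from net to loc on tcp/9100 hits the DNAT line (accepted, never logged), a connection from loc to net on tcp/9100 matches no rule and falls through to the loc net ACCEPT policy (also unlogged), and only traffic outside the rule set, for example tcp/9103 from net, reaches the all all REJECT info policy and would appear in the log. Note the direction each query checks: the DNAT lines govern connections arriving from the net zone, while a print server's own connections out to a remote JetDirect are loc to net. Unevaluated rules are returned alongside the verdict so that an unexpanded macro (MSExchange, PCA) is never mistaken for a definite non-match.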
Thanks Dexter,

After business hours yesterday I moved the print server from behind the firewall to in front of it and tried printing again, no shorewall involved. It did not work this time. I called the IT person at the other end and they said they had been playing with their firewall. So I guess mystery solved. The reason it did not work right after I tried that the first time is because I just had an accept rule when it needed to be a DNAT rule.

Thanks again,
 _
/-\ ndrew

On Mon, 2006-01-30 at 20:57 +0100, Dexter wrote:

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users