Hello,

I have the following problem:

I have a Linux machine (Fedora Core 4) in my network. This machine runs several daemons (sendmail, apache, ssh, ...). When I try to connect (telnet 172.16.26.2 25) to this machine from my firewall (Debian sarge, shorewall 3.0.5) the connection is refused. I set tcpdump to listen on both the Linux machine and my firewall and no traffic from my firewall occurs on either interface. The only thing I'm able to achieve is to ping the Linux machine from my firewall. When I try to connect to the Linux machine from any other station in my LAN the connection is accepted. There is no firewall running on the target machine.

Another problem is that when I try to traceroute the target Linux machine from my firewall I receive this:

gate:/etc/shorewall# traceroute 172.16.26.2
traceroute to 172.16.26.2 (172.16.26.2), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote 172.16.26.2 38 chars, ret=-1
honza (172.16.0.1) 0.944 mstraceroute: sendto: Operation not permitted
traceroute: wrote 172.16.26.2 38 chars, ret=-1
 0.623 mstraceroute: sendto: Operation not permitted
traceroute: wrote 172.16.26.2 38 chars, ret=-1
 0.460 ms

Thanks for help.

Jiri
Jiří Červenka wrote:
> Hello,
> I have the following problem:
> I have a Linux machine (Fedora Core 4) in my network. This machine runs
> several daemons (sendmail, apache, ssh, ...). When I try to
> connect (telnet 172.16.26.2 25) to this machine from my firewall (Debian
> sarge, shorewall 3.0.5) the connection is refused. I set tcpdump to listen
> on both the Linux machine and my firewall and no traffic from my firewall
> occurs on either interface. The only thing I'm able to achieve is to ping
> the Linux machine from my firewall. When I try to connect to the Linux machine
> from any other station in my LAN the connection is accepted. There is no
> firewall running on the target machine.
> Another problem is that when I try to traceroute the target Linux machine
> from my firewall I receive this:
>
> gate:/etc/shorewall# traceroute 172.16.26.2
> traceroute to 172.16.26.2 (172.16.26.2), 30 hops max, 38 byte packets
> traceroute: sendto: Operation not permitted
> 1 traceroute: wrote 172.16.26.2 38 chars, ret=-1
> honza (172.16.0.1) 0.944 mstraceroute: sendto: Operation not permitted
> traceroute: wrote 172.16.26.2 38 chars, ret=-1
> 0.623 mstraceroute: sendto: Operation not permitted
> traceroute: wrote 172.16.26.2 38 chars, ret=-1
> 0.460 ms
>

I don't know how you expect to ever debug anything on your LAN when you are not logging packets rejected under the all->all policy.

Be that as it may, *look at your rules*!

a) For port 25, here are the only two ACCEPT rules for fw->loc:

   14   840 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.2           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            195.113.101.219      tcp dpt:25

So you are only accepting SMTP from the firewall to those two hosts.

b) You are not accepting traceroute at all from fw->loc so it's unsurprising that it doesn't work.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
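Tom's diagnosis above, turned into a repeatable check. This is an added example, not code from the thread or from the Shorewall project: the chain listing is constructed from the two rule lines he quoted (the fw2loc chain name and the all2all fallback chain follow Shorewall's zone2zone naming, the icmp line is invented filler), and the script answers the question Tom answered by eye: does any ACCEPT rule in the fw->loc chain cover a given destination host and TCP port?

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Checks whether an
# iptables chain listing (as printed by "iptables -nvL CHAIN") contains an
# ACCEPT rule that covers TCP traffic to a given destination and port.

# CONSTRUCTED listing, modelled on the two rule lines Tom quoted. On the real
# firewall this would come from: iptables -nvL fw2loc
FW2LOC_LISTING='Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14   840 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.2           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            195.113.101.219      tcp dpt:25
    7   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    3   180 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# accepts_tcp_dport DEST PORT [LISTING]
# Exit status 0 if some ACCEPT rule in LISTING (default: FW2LOC_LISTING) matches
# TCP traffic to DEST:PORT, 1 otherwise. A rule matches when its destination is
# 0.0.0.0/0, the exact host, or host/32, and its port qualifier is absent,
# "dpt:N" equal to PORT, or a "dpts:A:B" range containing PORT.
accepts_tcp_dport() {
    dest=$1; port=$2; listing=${3:-$FW2LOC_LISTING}
    printf '%s\n' "$listing" | awk -v dest="$dest" -v port="$port" '
        # Field layout of "iptables -nvL": pkts bytes target prot opt in out src dst [match...]
        $3 == "ACCEPT" && ($4 == "tcp" || $4 == "all") {
            dst = $9
            if (dst != dest && dst != "0.0.0.0/0" && dst != dest "/32") next
            ok = 1
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) { split($i, a, ":"); ok = (a[2] == port) }
                else if ($i ~ /^dpts:/) {
                    split($i, a, ":")
                    ok = (a[2] + 0 <= port + 0 && port + 0 <= a[3] + 0)
                }
            }
            if (ok) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Reproduce the two cases from the thread: the host that is accepted and the
# one Jiri could not reach.
for target in 172.16.0.2 172.16.26.2; do
    if accepts_tcp_dport "$target" 25; then
        echo "fw -> $target:25 is accepted by fw2loc"
    else
        echo "fw -> $target:25 has no ACCEPT in fw2loc; it falls through to the all->all policy"
    fi
done
```

On the firewall itself the listing comes from iptables -nvL fw2loc (the same chain appears in the output of shorewall dump that Rune asks for). The corresponding fix lives in Shorewall's own files, not in iptables: a line such as ACCEPT $FW loc:172.16.26.2 tcp 25 in /etc/shorewall/rules, and a log level (for example info) on the all->all entry in /etc/shorewall/policy so that rejected packets show up in the log, which is the point Tom opens with.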
Hi Jiří

I know that Tom and some of the other people on this list can see everything from a shorewall dump, but I am not as smart as that. So please, if you will send me your shorewall configuration files, I'll try to figure out what your problem is.

Rune

On 5/11/06, Jiří Červenka <cervenka@sps-pi.cz> wrote:
> Hello,
> I have the following problem:
> I have a Linux machine (Fedora Core 4) in my network. This machine runs
> several daemons (sendmail, apache, ssh, ...). When I try to
> connect (telnet 172.16.26.2 25) to this machine from my firewall (Debian
> sarge, shorewall 3.0.5) the connection is refused. I set tcpdump to listen
> on both the Linux machine and my firewall and no traffic from my firewall
> occurs on either interface. The only thing I'm able to achieve is to ping
> the Linux machine from my firewall. When I try to connect to the Linux machine
> from any other station in my LAN the connection is accepted. There is no
> firewall running on the target machine.
> Another problem is that when I try to traceroute the target Linux machine
> from my firewall I receive this:
>
> gate:/etc/shorewall# traceroute 172.16.26.2
> traceroute to 172.16.26.2 (172.16.26.2), 30 hops max, 38 byte packets
> traceroute: sendto: Operation not permitted
> 1 traceroute: wrote 172.16.26.2 38 chars, ret=-1
> honza (172.16.0.1) 0.944 mstraceroute: sendto: Operation not permitted
> traceroute: wrote 172.16.26.2 38 chars, ret=-1
> 0.623 mstraceroute: sendto: Operation not permitted
> traceroute: wrote 172.16.26.2 38 chars, ret=-1
> 0.460 ms
>
> Thanks for help.
>
> Jiri
>
>