From: Keith Mitchell
Sent: Wednesday, June 21, 2006 4:16 PM
To: 'Shorewall Users'
Subject: One-to-One NAT keeps collapsing

All-

I have a niggling, randomly recurring problem where one of my one-to-one NATs "collapses". The scenario is as follows:

One-to-one NAT configured via shorewall's nat file:

    208.4.145.68    eth1:2    192.168.1.169    no    no

I have a series of ports allowed through this one-to-one NAT via the rules file:

    ACCEPT    net    loc:192.168.1.169    tcp    80
    ACCEPT    net    loc:192.168.1.169    tcp    143
    ACCEPT    net    loc:192.168.1.169    tcp    443
    ACCEPT    net    loc:192.168.1.169    tcp    465
    ACCEPT    net    loc:192.168.1.169    tcp    993

so that folks can check their mail from outside my network. The one-to-one NAT is so that I can assign a DNS name to the external interface so they can type that into their browsers, mail clients, etc. I have port 80 already DNAT'd on the primary external interface to another web host, so I can't re-use it for NATing in this particular instance.

What happens periodically is that the one-to-one NAT stops NATing and the external IP associated with it flips to being associated with the firewall itself, but with NO FILTERING APPLIED. So basically, 208.4.145.68 goes from one-to-one NAT => 192.168.1.169 with 5 redirected ports to being a non-NAT'd, entirely open interface (including PINGs) associated with the firewall, allowing open access into all services running on the firewall regardless of whether policy or rules allow those services.

Needless to say, this is a bit of a problem.

Attached is a shorewall dump from when the firewall is operating "normally" (preproblem.txt.bz2). I also have a 3 MB pcap file that I happened to record when the problem "tripped" that I can make available via a weblink, if desired.

Anyway, any suggestions about what to look at for what is causing this problem, or what I've been doing wrong?

Per a past e-mail, I tried changing to a DNAT model from the one-to-one NAT setup above.
I had to switch back because the problem was much harder to reverse under DNAT than under one-to-one NAT. Under one-to-one NAT, a "shorewall restart" resolves the issue. Under DNAT I had to down and re-up the virtual interface, then "shorewall stop; shorewall clear; shorewall start" to resolve the issue. As I have multiple road warriors using OpenVPN to connect into my network and multiple IPsec tunnels between my office, co-lo, and client sites, that just wasn't working for me.

Any suggestions?

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
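The symptom described above (the mapping silently disappearing and a "shorewall restart" bringing it back) is something a cron watchdog can catch by checking whether the kernel still carries both halves of the one-to-one mapping. The script below is an added example for this thread, not code from the poster or from the Shorewall project. It assumes, as a simplification, that the nat-file entry compiles to one DNAT rule in nat/PREROUTING and one SNAT rule in nat/POSTROUTING as printed by `iptables -t nat -S`; real Shorewall releases may put these in their own chains jumped to from PREROUTING/POSTROUTING, in which case the two patterns need adjusting. The `watchdog` function, the sample rule dumps, and the `nat-watchdog` logger tag are all constructed here and are not from the original message.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# Shorewall project. Detects a "collapsed" Shorewall one-to-one NAT mapping by
# parsing the output of `iptables -t nat -S`.
#
# Assumption (simplified): the nat-file entry
#     208.4.145.68   eth1:2   192.168.1.169   no   no
# is compiled into one DNAT rule in nat/PREROUTING and one SNAT rule in
# nat/POSTROUTING. Adjust the two grep patterns if your Shorewall version
# places them in dedicated chains.

# escape_re IP -> same IP with dots escaped for use inside a grep -E pattern
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# nat_state DUMP EXT_IP INT_IP
# DUMP is the text of `iptables -t nat -S`. Prints "ok" when both the inbound
# (DNAT) and outbound (SNAT) rules for the mapping are present, "half" when
# only one of them is, and "collapsed" when neither is.
nat_state() {
    dump=$1
    ext=$(escape_re "$2")
    int=$(escape_re "$3")
    dnat=0; snat=0
    printf '%s\n' "$dump" | grep -Eq -e "^-A PREROUTING .*-d ${ext}(/32)? .*-j DNAT --to-destination ${int}\$" && dnat=1
    printf '%s\n' "$dump" | grep -Eq -e "^-A POSTROUTING .*-s ${int}(/32)? .*-j SNAT --to-source ${ext}\$" && snat=1
    case "${dnat}${snat}" in
        11) echo ok ;;
        00) echo collapsed ;;
        *)  echo half ;;
    esac
}

# watchdog EXT_IP INT_IP
# Live check for cron on the firewall itself: reads the real nat table and
# restarts Shorewall when the mapping is no longer complete. Prints the state.
watchdog() {
    state=$(nat_state "$(iptables -t nat -S)" "$1" "$2")
    if [ "$state" != ok ]; then
        logger -t nat-watchdog "one-to-one NAT for $1 is $state, restarting shorewall"
        shorewall restart
    fi
    echo "$state"
}

# Constructed sample dumps (not captured from the poster's firewall).
HEALTHY_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 208.4.145.68/32 -i eth1 -j DNAT --to-destination 192.168.1.169
-A POSTROUTING -s 192.168.1.169/32 -o eth1 -j SNAT --to-source 208.4.145.68
-A POSTROUTING -o eth1 -j MASQUERADE'

COLLAPSED_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

# Uncomment on the firewall to run the live check, e.g. every few minutes from cron:
# watchdog 208.4.145.68 192.168.1.169
```

The check deliberately reports "half" separately from "collapsed": a mapping with only the SNAT half still present looks fine from the inside (the mail host can still reach out) while inbound connections already land on the firewall, which matches the "open interface" symptom better than a simple present/absent test would.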