I am having a problem connecting outbound from my DMZ to FTP.
I am running Shorewall ver 3.2.2.
I can connect to FTP from my loc zone (192.168.0.X), but when I try from
the DMZ (192.168.1.X) it times out.

Was trying to connect from 192.168.1.10 to ftp site 67.19.9.164

Have the following rule:
FTP/ACCEPT      dmz     net

have also attached the output from shorewall dump

Thanks in advance.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
steve wrote:
> I am having a problem connecting outbound from my DMZ to FTP
> I am running shorewall ver 3.2.2
> I can connect to FTP from my loc zone (192.168.0.X), but when I try from
> the DMZ (192.168.1.X) it times out
>
> Was trying to connect from 192.168.1.10 to ftp site 67.19.9.164
>
> Have the following rule:
> FTP/ACCEPT dmz net
>
> have also attached the output from shorewall dump

Check http://www.shorewall.net/FTP.html, example 4, especially if you see
the message "conntrack_ftp: partial PORT 715014972+1" or similar.
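The reply above points at the FTP helper. What that helper has to do for a masqueraded client is easiest to see in code, so here is an added example (not code from the thread, from Shorewall or from the kernel) that models, in userspace, the job of ip_nat_ftp / nf_nat_ftp on the client-to-server control channel: find active-mode PORT commands, swap the client's private address for the firewall's public one, and remember which inbound data connection (the server connecting from its port 20 to the public address) must be NATed back to the client. 192.168.1.10 is the DMZ host from the thread; the public address 203.0.113.5, the port range starting at 61000 and the sample command lines are constructed for the example.

```python
"""Model of the FTP NAT helper's work on a masqueraded client's PORT commands.

Added example; addresses, ports and sample lines are constructed.
"""
import re

# PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(line):
    """Decode a PORT command into (ip, port); return None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), (fields[4] << 8) | fields[5]


def format_port(ip, port):
    """Encode (ip, port) back into the PORT command syntax."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class FtpNatHelper:
    def __init__(self, private_ip, public_ip, first_port=61000):
        self.private_ip = private_ip      # client address being masqueraded
        self.public_ip = public_ip        # address the world sees (assumed)
        self.next_port = first_port       # assumed pool for rewritten data ports
        self.expectations = []            # (public_ip, public_port, private_ip, private_port)
        self.pending = ""                 # control-channel bytes without a CRLF yet

    def feed(self, payload):
        """Feed one segment of client->server control data; return what to forward."""
        self.pending += payload
        forwarded = []
        while "\r\n" in self.pending:
            line, self.pending = self.pending.split("\r\n", 1)
            forwarded.append(self.rewrite(line) + "\r\n")
        # Anything left over is a command split across segments. This userspace
        # model simply waits for the rest; the in-kernel helper works per packet
        # and cannot, which is what the "conntrack_ftp: partial PORT" message
        # in the reply above refers to.
        return "".join(forwarded)

    def rewrite(self, line):
        parsed = parse_port(line)
        if parsed is None or parsed[0] != self.private_ip:
            return line                   # not a PORT for the host we masquerade
        private_port = parsed[1]
        public_port = self.next_port
        self.next_port += 1
        # The server will now connect from its port 20 to public_ip:public_port.
        # Conntrack classifies that connection as RELATED to the control session
        # and NAT delivers it to private_ip:private_port.
        self.expectations.append((self.public_ip, public_port, self.private_ip, private_port))
        return format_port(self.public_ip, public_port)


if __name__ == "__main__":
    helper = FtpNatHelper("192.168.1.10", "203.0.113.5")
    segments = ("USER anonymous\r\n", "PORT 192,168,1,10,4,1\r\n",
                "PORT 192,168,", "1,10,4,2\r\n")   # last two: one command, split
    for seg in segments:
        print(repr(seg), "->", repr(helper.feed(seg)))
    print(helper.expectations)
```

Without the helper loaded, the PORT command leaves the firewall with 192.168.1.10 inside it, the server tries to open a data connection to a private address, and the session hangs after login even though the control connection works; passive mode (PASV) does not hit this because the client opens the data connection itself. That is a different symptom from the one in the thread, where the control connection itself times out, which is why the masquerading check further down turns out to matter more than the helper.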
> steve wrote:
>> I am having a problem connecting outbound from my DMZ to FTP
>> I am running shorewall ver 3.2.2
>> I can connect to FTP from my loc zone (192.168.0.X), but when I try from
>> the DMZ (192.168.1.X) it times out
>>
>> Was trying to connect from 192.168.1.10 to ftp site 67.19.9.164
>>
>> Have the following rule:
>> FTP/ACCEPT dmz net
>>
>> have also attached the output from shorewall dump
>
> Check http://www.shorewall.net/FTP.html, example 4, especially if you see
> the message "conntrack_ftp: partial PORT 715014972+1" or similar.

I tried adding:
ACCEPT:info    dmz     net     tcp     -       20
but it didn't seem to make any difference.
steve wrote:
> I am having a problem connecting outbound from my DMZ to FTP
> I am running shorewall ver 3.2.2
> I can connect to FTP from my loc zone (192.168.0.X), but when I try from
> the DMZ (192.168.1.X) it times out
>
> Was trying to connect from 192.168.1.10 to ftp site 67.19.9.164
>
> Have the following rule:
> FTP/ACCEPT dmz net
>
> have also attached the output from shorewall dump

You are not masquerading your DMZ -- you won't be able to make *any*
connections from the DMZ to the net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> steve wrote:
>> I am having a problem connecting outbound from my DMZ to FTP
>> [...]
>> Have the following rule:
>> FTP/ACCEPT dmz net
>
> You are not masquerading your DMZ -- you won't be able to make *any*
> connections from the DMZ to the net.
>
> -Tom

Tom - please excuse my ignorance, but do I need to "DNAT" FTP also?
This is my current DNAT rule:
DNAT    net     dmz:192.168.1.10        tcp     http,https,smtp,83
steve wrote:
>> You are not masquerading your DMZ -- you won't be able to make *any*
>> connections from the DMZ to the net.
>>
>> -Tom
>
> Tom - please excuse my ignorance, but do I need to "DNAT" FTP also?
> This is my current DNAT rule:
> DNAT net dmz:192.168.1.10 tcp http,https,smtp,83

You really should be following http://www.shorewall.net/three-interface.htm

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> steve wrote:
>>> You are not masquerading your DMZ -- you won't be able to make *any*
>>> connections from the DMZ to the net.
>>
>> Tom - please excuse my ignorance, but do I need to "DNAT" FTP also?
>> This is my current DNAT rule:
>> DNAT net dmz:192.168.1.10 tcp http,https,smtp,83
>
> You really should be following http://www.shorewall.net/three-interface.htm
>
> -Tom

As far as I can tell, I have. Are you saying that I should have my DNAT
rules similar to your example from that page:
Web/DNAT        net     dmz:10.10.11.2
> steve wrote:
>> Tom - please excuse my ignorance, but do I need to "DNAT" FTP also?
>> This is my current DNAT rule:
>> DNAT net dmz:192.168.1.10 tcp http,https,smtp,83
>
> You really should be following http://www.shorewall.net/three-interface.htm
>
> -Tom

Here is my complete rule set:

SECTION NEW
# Accept DNS connections from the firewall to the network
# and from the local network to the firewall (in case dnsmasq is
DNS/ACCEPT      fw      net
DNS/ACCEPT      loc     fw
DNS/ACCEPT      dmz     fw

# Accept SSH connections from the local network for administrati
#
SSH/ACCEPT      loc     fw

# Allow Ping to Firewall
#
Ping/ACCEPT     net     fw
Ping/ACCEPT     loc     fw
Ping/ACCEPT     loc     dmz
Ping/ACCEPT     dmz     loc
Ping/ACCEPT     dmz     fw
Ping/ACCEPT     dmz     net
#
# Allow all ICMP types (including ping) from firewall
ACCEPT          fw      loc     icmp
ACCEPT          fw      net     icmp
#
# Allow local network to access weblet/webconf
#
Web/ACCEPT      loc     fw
#
# Allow local access to dmz
POP3/ACCEPT     loc     dmz
IMAP/ACCEPT     loc     dmz
HTTP/ACCEPT     loc     dmz
HTTPS/ACCEPT    loc     dmz
Webmin/ACCEPT   loc     dmz
SSH/ACCEPT      loc     dmz
ACCEPT          loc     dmz     tcp     81,83           #webconfig,horde
#
# Allow DMZ to have access
DNAT            net     dmz:192.168.1.10        tcp     http,https,83   #web,mail,hord
SMTP/ACCEPT     dmz     net
HTTP/ACCEPT     dmz     net
HTTPS/ACCEPT    dmz     net
FTP/ACCEPT      dmz     net

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I have the 3 zones defined:

fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

and interfaces:

net     eth0    detect  dhcp,routefilter,norfc1918
loc     eth1    detect  dhcp
dmz     eth2    detect
I believe Tom wants you to check your 'masq' file.
You have one entry for your LAN -> NET, but you also need one for your
DMZ -> NET.

/K

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of steve
Sent: 3. september 2006 01:34
To: Shorewall Users
Subject: Re: [Shorewall-users] FTP problem

> You really should be following http://www.shorewall.net/three-interface.htm
>
> -Tom

Here is my complete rule set:
[...]
FTP/ACCEPT      dmz     net

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I have the 3 zones defined:

fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

and interfaces:

net     eth0    detect  dhcp,routefilter,norfc1918
loc     eth1    detect  dhcp
dmz     eth2    detect

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
> I believe Tom wants you to check your 'masq' file.
> You have one entry for your LAN -> NET, but you also need one for your
> DMZ -> NET.

That was it.

The confusing part was when I went to
http://www.shorewall.net/three-interface.htm, under IP Masquerading (SNAT),
it says:

"If your external firewall interface is eth0, your local interface eth1
and your DMZ interface is eth2 then you do not need to modify the file
provided with the sample. Otherwise, edit /etc/shorewall/masq and change
it to match your configuration."

My /etc/shorewall/masq file required my entering the eth0 eth2 entry.

> /K
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of steve
> Sent: 3. september 2006 01:34
> To: Shorewall Users
> Subject: Re: [Shorewall-users] FTP problem
>
> [...]
steve wrote:
>> I believe Tom wants you to check your 'masq' file.
>> You have one entry for your LAN -> NET, but you also need one for your
>> DMZ -> NET.
>
> That was it.
>
> The confusing part was when I went to
> http://www.shorewall.net/three-interface.htm, under IP Masquerading (SNAT),
> it says:
> "If your external firewall interface is eth0, your local interface eth1
> and your DMZ interface is eth2 then you do not need to modify the file
> provided with the sample. Otherwise, edit /etc/shorewall/masq and change
> it to match your configuration."
> My /etc/shorewall/masq file required my entering the eth0 eth2 entry.

Then you were not using the three-interface sample configuration from
shorewall.net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key