I'm running version 3.2.6 on a debian system.

And ETH0_IP=find_first_interface_address eth0
is not recognized.
What did I do wrong?
best regards
mess-mate
--
You're currently going through a difficult transition period called "Life."

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
mess-mate wrote:
> I'm running version 3.2.6 on a debian system.
>
> And ETH0_IP=find_first_interface_address eth0
> is not recognized.
> What did I do wrong?
> best regards
> mess-mate

That should be ETH0_IP=`find_first_interface_address eth0`

Jerry
Jerry Vonau <jvonau@shaw.ca> wrote:
| mess-mate wrote:
| > I'm running version 3.2.6 on a debian system.
| >
| > And ETH0_IP=find_first_interface_address eth0
| > is not recognized.
| > What did I do wrong?
| > best regards
| > mess-mate
|
| That should be ETH0_IP=`find_first_interface_address eth0`
|

Sorry, forgot to copy the `
they are there of course.
So 'command not found' is still there.
mess-mate
--
Write yourself a threatening letter and pen a defiant reply.
mess-mate wrote:
> Jerry Vonau <jvonau@shaw.ca> wrote:
> | mess-mate wrote:
> | > I'm running version 3.2.6 on a debian system.
> | >
> | > And ETH0_IP=find_first_interface_address eth0
> | > is not recognized.
> | > What did I do wrong?
> | > best regards
> | > mess-mate
> |
> | That should be ETH0_IP=`find_first_interface_address eth0`
> |
> Sorry, forgot to copy the `
> they are there of course.
> So 'command not found' is still there.
>

That is a bit strange... Think you'll have to send in a trace as outlined at:
http://www.shorewall.net/support.htm.

Jerry
Jerry Vonau <jvonau@shaw.ca> wrote:
| mess-mate wrote:
| > Jerry Vonau <jvonau@shaw.ca> wrote:
| > | mess-mate wrote:
| > | > I'm running version 3.2.6 on a debian system.
| > | >
| > | > And ETH0_IP=find_first_interface_address eth0
| > | > is not recognized.
| > | > What did I do wrong?
| > | > best regards
| > | > mess-mate
| > |
| > | That should be ETH0_IP=`find_first_interface_address eth0`
| > |
| > Sorry, forgot to copy the `
| > they are there of course.
| > So 'command not found' is still there.
| >
|
| That is a bit strange... Think you'll have to send in a trace as
| outlined at: http://www.shorewall.net/support.htm.
|

There is nothing more than a 'command not found' when starting shorewall.
That's clear i think. That command couldn't be found.
I've added 'functions' to /usr/local/bin, a general dir of my system, but
nothing helps.
That command stays in 'functions' so what happens exactly?
Of course 'functions' is executable.
mess-mate
--
You look like a million dollars. All green and wrinkled.
mess-mate wrote:
> Jerry Vonau <jvonau@shaw.ca> wrote:
> | mess-mate wrote:
> | > Jerry Vonau <jvonau@shaw.ca> wrote:
> | > | mess-mate wrote:
> | > | > I'm running version 3.2.6 on a debian system.
> | > | >
> | > | > And ETH0_IP=find_first_interface_address eth0
> | > | > is not recognized.
> | > | > What did I do wrong?
> | > | > best regards
> | > | > mess-mate
> | > |
> | > | That should be ETH0_IP=`find_first_interface_address eth0`
> | > |
> | > Sorry, forgot to copy the `
> | > they are there of course.
> | > So 'command not found' is still there.
> | >
> |
> | That is a bit strange... Think you'll have to send in a trace as
> | outlined at: http://www.shorewall.net/support.htm.
> |
> There is nothing more than a 'command not found' when starting
> shorewall.
> That's clear i think. That command couldn't be found.

No, it is not clear... The find_first_interface_address function uses some
external programs, ip, grep, head. In the shorewall.conf file you can set a
path. From where I am, I can't tell if the binaries are not installed, or on a
different path from what is set in the shorewall.conf file. That is why I
suggested a trace, it could be a number of different things.

> I've added 'functions' to /usr/local/bin, a general dir of my
> system, but nothing helps.

That shouldn't be needed.

> That command stays in 'functions' so what happens exactly?
> Of course 'functions' is executable.

I'd check the path setting in the shorewall.conf, then where ip, grep, and
head are installed. If those look OK to you and a start fails, send in a trace
please.

Jerry
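As an added illustration of the two points Jerry makes (the backtick command substitution in params, and the lookup's dependence on ip, grep and head being on the PATH that shorewall.conf sets), here is a small POSIX shell sketch. It is not Shorewall's own 'functions' library: the function names, the PATH-check helper and the sample ip output for an interface without an address are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's code: a "first interface address" lookup built
# from the same external programs Jerry names (ip, grep, head) plus a check
# that those programs are reachable on a given PATH. Names are assumptions.

# Read "ip addr ls dev <if>" output from stdin and print the first IPv4 address
# (prefix length and peer are stripped). When the interface carries no inet
# line, as a bare eth0 might, print nothing and return 1 so the caller sees a
# failure instead of silently getting an empty ETH0_IP.
first_inet_from_ip_output() {
    addr=$(grep -E '^[[:space:]]*inet[[:space:]]' | head -n 1 |
           sed -E 's/^[[:space:]]*inet[[:space:]]+([0-9.]+).*/\1/')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Live wrapper (assumed name). A params line would use it exactly like the
# thread's backtick form, e.g.  ETH0_IP=`first_interface_address ppp0`
# which is the same as  ETH0_IP=$(first_interface_address ppp0)
first_interface_address() {
    ip addr ls dev "$1" 2>/dev/null | first_inet_from_ip_output
}

# Report which helper programs cannot be found on the given PATH. Pass the PATH
# value from shorewall.conf to test that setting rather than the login shell's.
# Returns 1 and lists the missing names on stderr when anything is absent.
check_helper_programs() {
    path="${1:-$PATH}"
    missing=""
    for prog in ip grep head; do
        ( PATH="$path"; command -v "$prog" ) >/dev/null 2>&1 || missing="$missing $prog"
    done
    [ -z "$missing" ] || { printf 'missing on PATH=%s:%s\n' "$path" "$missing" >&2; return 1; }
}

# Constructed sample: the ppp0 block from the "ip addr ls" output in the thread.
PPP0_SAMPLE='6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 86.192.32.248 peer 193.253.160.3/32 scope global ppp0'

# Constructed sample: an interface that is up but has no IPv4 address at all.
NOADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Stand-alone demonstration of both outcomes.
printf '%s\n' "$PPP0_SAMPLE" | first_inet_from_ip_output
printf '%s\n' "$NOADDR_SAMPLE" | first_inet_from_ip_output ||
    echo "no address found: the substitution would have been empty"
```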
mess-mate wrote:
> There is nothing more than a 'command not found' when starting
> shorewall.
> That's clear i think. That command couldn't be found.
> I've added 'functions' to /usr/local/bin, a general dir of my
> system, but nothing helps.
> That command stays in 'functions' so what happens exactly?
> Of course 'functions' is executable.
>

Out of the thousands of Shorewall sites around the world, this problem is
apparently only happening at yours. You've been asked to submit a trace so
that we can understand what is happening and help you find a solution; but you
have ignored those requests (which are also repeated on the Shorewall Support
site -- http://www.shorewall.net/support.htm#Guidelines).

The function in question is loaded when the 'functions' library is loaded so
there is no reason on a 3.2.6 distribution that it shouldn't be there by the
time that your params and init file are run (which is where I presume that you
are calling the function).

So until we see a trace, we can't help you and continuing questions and
statements from you won't get us any closer to resolving this issue.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Jerry Vonau <jvonau@shaw.ca> wrote:
| mess-mate wrote:
| > Jerry Vonau <jvonau@shaw.ca> wrote:

Thanks Jerry and Tom for the help (i'm a newbie about shorewall and have to
look closer at the docs :( )
Checked the trace file and found 'eth0' must be 'ppp0'.
Changed the params to ETH0_IP=find_first_interface_address ppp0' and the
'command not found' disappears.
But can't login to our website http://www.laplaceverte.fr from a desktop
within the lan.
( I can of course as http://192.168.20.1)
Here is the trace file.
mess-mate
--
Your object is to save the world, while still leading a pleasant life.
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| So until we see a trace, we can't help you

Trace is N°3/3 attached
mess-mate
--
It is right that he too should have his little chronicle, his memories, his
reason, and be able to recognize the good in the bad, the bad in the worst,
and so grow gently old all down the unchanging days and die one day like any
other day, only shorter.
-- Samuel Beckett, "Malone Dies"
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > So until we see a trace, we can't help you
>
> Trace is N°3/3 attached

This trace contains no 'command not found' (it seems to begin midway through
module loading rather than at the beginning of the command). Both calls to
find_first_interface_address visible in the trace succeeded.

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
| > | mess-mate wrote:
| > | | > So until we see a trace, we can't help you
| >
| > Trace is N°3/3 attached
|
| This trace contains no 'command not found' (it seems to begin midway
| through module loading rather than at the beginning of the command). Both
| calls to find_first_interface_address visible in the trace succeeded.
|
| -Tom
| --

Did you read my email with aax.bz2 attached?
I said there that I changed eth0 to ppp0 and the 'command not found'
disappears.

But the purpose of that command is to get the website on the server on the lan
from a lan desktop via internet, is it?
If it is, it does not work here. 'Connection refused' but anyone can access
the site from outside. Not from inside the lan as http://www.mysite.com.
mess-mate
--
Unless hours were cups of sack, and minutes capons, and clocks the tongues of
bawds, and dials the signs of leaping houses, and the blessed sun himself a
fair, hot wench in flame-colored taffeta, I see no reason why thou shouldst be
so superfluous to demand the time of the day. I wasted time and now doth time
waste me.
-- William Shakespeare
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > Tom Eastep <teastep@shorewall.net> wrote:
> | > | mess-mate wrote:
> | > | | > So until we see a trace, we can't help you
> | >
> | > Trace is N°3/3 attached
> |
> | This trace contains no 'command not found' (it seems to begin midway
> | through module loading rather than at the beginning of the command). Both
> | calls to find_first_interface_address visible in the trace succeeded.
> |
> | -Tom
> | --
> Did you read my email with aax.bz2 attached?

I just received that trace -- it contains no 'command not found' error either.

> I said there that I changed eth0 to ppp0 and the 'command not found'
> disappears.
>
> But the purpose of that command is to get the website on the server
> on the lan from a lan desktop via internet, is it?

Can someone translate the above sentence for me? I suspect that it is saying
that the poster is trying to use the tip from Shorewall FAQ 1d.

>
> If it is, it does not work here. 'Connection refused' but anyone can
> access the site from outside. Not from inside the lan as
> http://www.mysite.com.

Definitely sounds like Shorewall faq 1d. What I really suspect is that the
error message is not 'command not found' but rather that
find_first_interface_address is failing when passed 'eth0'. But who knows....

mess-mate -- if you send another trace, please ensure that it contains the
error message you are complaining about. And please show us the output of
"ip addr ls" as well.

Thanks,
-Tom
mess-mate wrote:
>
> But can't login to our website http://www.laplaceverte.fr from a
> desktop within the lan.
> ( I can of course as http://192.168.20.1)
>

We can't help without knowing anything about your configuration. If you
collect "shorewall dump" as described at
http://www.shorewall.net/support.htm#Guidelines, we can try to help.

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
| > Did you read my email with aax.bz2 attached?
|
| I just received that trace -- it contains no 'command not found' error
| either.
|
| > I said there that I changed eth0 to ppp0 and the 'command not found'
| > disappears.
| >
| > But the purpose of that command is to get the website on the server
| > on the lan from a lan desktop via internet, is it?
|
| Can someone translate the above sentence for me? I suspect that it is
| saying that the poster is trying to use the tip from Shorewall FAQ 1d.
|
| Definitely sounds like Shorewall faq 1d. What I really suspect is that
| the error message is not 'command not found' but rather that
| find_first_interface_address is failing when passed 'eth0'. But who knows....
|
| mess-mate -- if you send another trace, please ensure that it contains
| the error message you are complaining about. And please show us the
| output of "ip addr ls" as well.
|

Ok, you're right, i followed the tip from FAQ 1d.
But have changed now 'eth0' to 'ppp0'.
Attached ip-addr.txt and statux.txt
mess-mate
--
Generosity and perfection are your everlasting goals.
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > Tom Eastep <teastep@shorewall.net> wrote:
> | > Did you read my email with aax.bz2 attached?
> |
> | I just received that trace -- it contains no 'command not found' error
> | either.
> |
> | > I said there that I changed eth0 to ppp0 and the 'command not found'
> | > disappears.
> | >
> | > But the purpose of that command is to get the website on the server
> | > on the lan from a lan desktop via internet, is it?
> |
> | Can someone translate the above sentence for me? I suspect that it is
> | saying that the poster is trying to use the tip from Shorewall FAQ 1d.
> |
> | Definitely sounds like Shorewall faq 1d. What I really suspect is that
> | the error message is not 'command not found' but rather that
> | find_first_interface_address is failing when passed 'eth0'. But who knows....
> |
> | mess-mate -- if you send another trace, please ensure that it contains
> | the error message you are complaining about. And please show us the
> | output of "ip addr ls" as well.
> |
> Ok, you're right, i followed the tip from FAQ 1d.
> But have changed now 'eth0' to 'ppp0'.

That was the right thing to do -- ppp0 is your router's external interface (I
assume that you connect via PPPoE or something similar).

> Attached ip-addr.txt and statux.txt
>

Ok -- it looks like you have configured DNAT so that hosts in your local
network (connected to eth1) will have TCP connections to 86.192.32.248:80
redirected to 192.168.20.1 (which is in your DMZ connected to eth2). But in
the day and a half since you last [re]started Shorewall, not even one TCP
connection to 86.192.32.248:80 has arrived on eth1!

How are you trying to test this? You can't test it from the router itself --
you must test from a system behind the router that has its default gateway
configured with IP address 192.168.10.254.

And start by trying to browse http://86.192.32.248/ rather than by DNS name.

> Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007

> Counters reset Sat Mar 24 17:15:49 CET 2007
> Chain loc2dmz (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248

When you try to browse http://86.192.32.248/, you should see the 'pkts' and
'bytes' counts above incrementing.

> 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
>
> NAT Table
>
> Chain PREROUTING (policy ACCEPT 117K packets, 33M bytes)
> pkts bytes target prot opt in out source destination
> 1922 280K net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> 115K 32M loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none

> Chain loc_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1

When you try to browse http://86.192.32.248/, you should see the 'pkts' and
'bytes' counts above incrementing.

> 24 1440 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

> 6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
> link/ppp
> inet 86.192.32.248 peer 193.253.160.3/32 scope global ppp0

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
...snip...
| Ok -- it looks like you have configured DNAT so that hosts in your local
| network (connected to eth1) will have TCP connections to 86.192.32.248:80
| redirected to 192.168.20.1 (which is in your DMZ connected to eth2). But in
| the day and a half since you last [re]started Shorewall, not even one TCP
| connection to 86.192.32.248:80 has arrived on eth1!

Uhh..you mean eth2 ? ( dmz on eth2)

| How are you trying to test this? You can't test it from the router itself --
| you must test from a system behind the router that has its default gateway
| configured with IP address 192.168.10.254.
|
| And start by trying to browse http://86.192.32.248/ rather than by DNS name.

Trying both http://86.192.32.248 and http://www.mywebsite.fr from a desktop
behind the firewall/router gives me 'Connection to 86.192.32.248 Failed'

| > Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007
|
| > Counters reset Sat Mar 24 17:15:49 CET 2007
| > Chain loc2dmz (1 references)
| > pkts bytes target prot opt in out source destination
| > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
| > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
| > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
| > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
|
| When you try to browse http://86.192.32.248/, you should see the 'pkts' and
| 'bytes' counts above incrementing.

Didn't change.

| > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
| >
| > NAT Table
| >
| > Chain PREROUTING (policy ACCEPT 117K packets, 33M bytes)
| > pkts bytes target prot opt in out source destination
| > 1922 280K net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
| > 115K 32M loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
|
| > Chain loc_dnat (1 references)
| > pkts bytes target prot opt in out source destination
| > 0 0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
|
| When you try to browse http://86.192.32.248/, you should see the 'pkts' and
| 'bytes' counts above incrementing.

Yes, it does.

Someone accessed my website at 18.01.
So it works from outside, not from inside except a http://192.168.20.1/
mess-mate
--
Q: What is orange and goes "click, click?"
A: A ball point carrot.
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> ...snip...
> | Ok -- it looks like you have configured DNAT so that hosts in your local
> | network (connected to eth1) will have TCP connections to 86.192.32.248:80
> | redirected to 192.168.20.1 (which is in your DMZ connected to eth2). But in
> | the day and a half since you last [re]started Shorewall, not even one TCP
> | connection to 86.192.32.248:80 has arrived on eth1!
>
> Uhh..you mean eth2 ? ( dmz on eth2)

But 'loc' is eth1! Are you trying to browse from the DMZ? You have only set up
DNAT from the 'loc' zone (eth1).

>
> | How are you trying to test this? You can't test it from the router itself --
> | you must test from a system behind the router that has its default gateway
> | configured with IP address 192.168.10.254.
> |
> | And start by trying to browse http://86.192.32.248/ rather than by DNS name.
>
> Trying both http://86.192.32.248 and http://www.mywebsite.fr from a
> desktop behind the firewall/router gives me 'Connection to
> 86.192.32.248 Failed'
>
> | > Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007
> |
> | > Counters reset Sat Mar 24 17:15:49 CET 2007
> | > Chain loc2dmz (1 references)
> | > pkts bytes target prot opt in out source destination
> | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> | > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
> | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
> |
> | When you try to browse http://86.192.32.248/, you should see the 'pkts' and
> | 'bytes' counts above incrementing.
>
> Didn't change.

Then are you seeing a reject message in your log?

>
> | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
> | >
> | > NAT Table
> | >
> | > Chain PREROUTING (policy ACCEPT 117K packets, 33M bytes)
> | > pkts bytes target prot opt in out source destination
> | > 1922 280K net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> | > 115K 32M loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> |
> | > Chain loc_dnat (1 references)
> | > pkts bytes target prot opt in out source destination
> | > 0 0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
> |
> | When you try to browse http://86.192.32.248/, you should see the 'pkts' and
> | 'bytes' counts above incrementing.
>
> Yes, it does.

Ok -- so to make sure that I understand -- the rule in 'loc_dnat' increments
but the one in loc2dmz does not? That doesn't make much sense unless something
is broken in your system. 192.168.20.1 is in the DMZ.

>
> Someone accessed my website at 18.01.

That was probably me ;-)

> So it works from outside, not from inside except a
> http://192.168.20.1/
>
> mess-mate

Please:

a) shorewall reset (this clears the counters).
b) start a browser (don't use one that is already running) and try to connect
   to http://86.192.32.248.
c) shorewall dump > dump.txt

Forward the 'dump.txt' file.

Thanks,
-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
| > | mess-mate wrote:
| > ...snip...
| But 'loc' is eth1! Are you trying to browse from the DMZ? You have only set
| up DNAT from the 'loc' zone (eth1).

No problem accessing loc from dmz.

| > Trying both http://86.192.32.248 and http://www.mywebsite.fr from a
| > desktop behind the firewall/router gives me 'Connection to
| > 86.192.32.248 Failed'
| >
| > | > Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007
| > |
| > | > Counters reset Sat Mar 24 17:15:49 CET 2007
| > | > Chain loc2dmz (1 references)
| > | > pkts bytes target prot opt in out source destination
| > | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
| > | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
| > | > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
| > | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
| > |
| > | When you try to browse http://86.192.32.248/, you should see the 'pkts' and
| > | 'bytes' counts above incrementing.
| >
| > Didn't change.
|
| Then are you seeing a reject message in your log?

Several of this :

Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4 DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL63 ID=0 DF PROTO=UDP SPT=1107 DPT=53 LEN=38

and this :

tcp 6 114 TIME_WAIT src=192.168.10.2 dst=80.12.242.5 sport=4970 dport=110 packets=6 bytes=326 src=80.12.242.5 dst=86.192.32.248 sport=110 dport=4970 packets=6 bytes=374 [ASSURED] mark=0 use=1
udp 17 23 src=192.168.10.2 dst=80.10.246.2 sport=1222 dport=53 packets=1 bytes=84 src=80.10.246.2 dst=86.192.32.248 sport=53 dport=1222 packets=1 bytes=137 mark=0 use=1
tcp 6 5 CLOSE src=192.168.10.2 dst=70.42.39.14 sport=3394 dport=2703 packets=7 bytes=506 src=70.42.39.14 dst=86.192.32.248 sport=2703 dport=3394 packets=6 bytes=396 [ASSURED] mark=0 use=1
udp 17 154 src=192.168.10.2 dst=80.10.246.2 sport=1190 dport=53 packets=2 bytes=132 src=80.10.246.2 dst=86.192.32.248 sport=53 dport=1190 packets=2 bytes=164 [ASSURED] mark=0 use=1

|
| Ok -- so to make sure that I understand -- the rule in 'loc_dnat' increments
| but the one in loc2dmz does not?
| That doesn't make much sense unless something is broken in your system.
| 192.168.20.1 is in the DMZ

Yes, it is.

|
| Please:
|
| a) shorewall reset (this clears the counters).
| b) start a browser (don't use one that is already running) and try to
|    connect to http://86.192.32.248.
| c) shorewall dump > dump.txt
|
| Forward the 'dump.txt' file.
|

Ok, is attached .
Thanks
mess-mate
--
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | Then are you seeing a reject message in your log?
>
> Several of this :
>
> Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
> DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL63 ID=0 DF PROTO=UDP SPT=1107
> DPT=53 LEN=38

These are curious. Host 192.168.10.4 seems to think that there is a DNS server
at 192.168.1.250 which is routed out of eth0. But I assume that the only thing
that you can communicate with via eth0 is your "modem", right?

These messages apparently didn't affect the test because the last of them was
generated well before the test started.

>
> Ok, is attached .
> Thanks
> mess-mate
>
>
> ------------------------------------------------------------------------
>
> Shorewall-3.2.6 Dump at router - Tue Mar 27 10:56:22 CEST 2007
>
> Counters reset Tue Mar 27 10:54:37 CEST 2007
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6 300 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
> 1 131 ppp0_in 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
> 5 720 eth1_in 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0

From the time that you reset the counters until you took the dump, 5
connection attempts addressed to the router were received.

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 0 0 ppp0_fwd 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 eth1_fwd 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0

During that same time, no forwarded connection attempts from the 'loc' zone
were seen.

> NAT Table
>
> Chain PREROUTING (policy ACCEPT 66 packets, 20745 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> 66 20745 loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none

66 new connection attempts were received on eth1.

>
> Chain net_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1

But none of them were TCP port 80 connections to 86.192.32.248.

>
> Mangle Table
>
> Chain PREROUTING (policy ACCEPT 77 packets, 21836 bytes)
> pkts bytes target prot opt in out source destination
> 77 21836 tcpre 0 -- * * 0.0.0.0/0 0.0.0.0/0

A total of 77 packets were received on eth1.

So there are two possibilities:

a) No TCP connection attempts from the local zone to 86.192.32.248:80 were
received during the test period; or

b) Such connection attempts were received but failed to match the (correct)
DNAT rule in the net_dnat chain.

I guess that the only thing left to do is to reproduce the test while running
tcpdump:

tcpdump -nei eth1 port 80

-Tom
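The reset/browse/dump check Tom walks through, as an added example that is not part of the thread or of Shorewall: a POSIX shell script that reads the text of a "shorewall dump" and reports which of his two possibilities the counters point to. The function names and verdict wording are assumptions; the chains and rules it looks for are the loc_dnat and loc2dmz rules from the dump Tom annotated earlier in the thread, and the counter values in the second sample are constructed.

```shell
#!/bin/sh
# Added example, not Shorewall's code: read a "shorewall dump" from stdin and
# classify the DNAT-from-loc test by the two rule counters that matter.

# Print the packet count of the first rule in chain $1 whose text contains the
# fixed string $2. Prints nothing when the chain or the rule is absent.
rule_pkts() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain /                 { inchain = ($2 == chain); next }
        inchain && index($0, pat) { print $1; exit }
    '
}

# Classify a dump taken right after "shorewall reset" and one fresh browser
# attempt to http://86.192.32.248/ from a host in the loc zone. Tom's
# possibility (a) is the first verdict, (b) the second; the third is healthy.
# Returns 2 when the expected rules are not in the dump at all.
diagnose_loc_dnat() {
    dump=$(cat)
    dnat=$(printf '%s\n' "$dump" | rule_pkts loc_dnat 'tcp dpt:80 to:192.168.20.1')
    fwd=$(printf '%s\n' "$dump" | rule_pkts loc2dmz 'ctorigdst 86.192.32.248')
    if [ -z "$dnat" ] || [ -z "$fwd" ]; then
        echo "rules not found: check the loc_dnat and loc2dmz chains in the dump"
        return 2
    elif [ "$dnat" -eq 0 ]; then
        echo "no port-80 request to 86.192.32.248 reached loc_dnat from eth1"
    elif [ "$fwd" -eq 0 ]; then
        echo "DNAT matched $dnat packet(s) but loc2dmz forwarded none"
    else
        echo "DNAT and loc2dmz both matched: $dnat/$fwd packets"
    fi
}

# Constructed dump excerpt: the two chains as quoted in the thread, with the
# counters still at zero after a reset.
DUMP_ZERO='Chain loc2dmz (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248

NAT Table

Chain loc_dnat (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
   24  1440 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128'

# Constructed variant (values invented): the DNAT rule fired three times but
# the forward rule in loc2dmz never did, i.e. Tom's possibility (b).
DUMP_DNAT_ONLY=$(printf '%s\n' "$DUMP_ZERO" | sed 's/^    0     0 DNAT/    3   180 DNAT/')

# Stand-alone demonstration of both verdicts.
printf '%s\n' "$DUMP_ZERO" | diagnose_loc_dnat
printf '%s\n' "$DUMP_DNAT_ONLY" | diagnose_loc_dnat
```

On the router itself the same check is: shorewall reset, one browser attempt, then shorewall dump | diagnose_loc_dnat.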
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
|
| > | Then are you seeing a reject message in your log?
| >
| > Several of this :
| >
| > Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
| > DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1107 DPT=53 LEN=38
|
| These are curious. Host 192.168.10.4 seems to think that there is a DNS
| server at 192.168.1.250 which is routed out of eth0. But I assume that the
| only thing that you can communicate with via eth0 is your "modem", right?
|
| These messages apparently didn't affect the test because the last of them
| was generated well before the test started.
|
| > Ok, is attached.
| > Thanks
| > mess-mate
| >
| > ------------------------------------------------------------------------
| >
| > Shorewall-3.2.6 Dump at router - Tue Mar 27 10:56:22 CEST 2007
| >
| > Counters reset Tue Mar 27 10:54:37 CEST 2007
| >
| > Chain INPUT (policy DROP 0 packets, 0 bytes)
| >  pkts bytes target     prot opt in     out     source               destination
| >     6   300 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
| >     1   131 ppp0_in    0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0
| >     5   720 eth1_in    0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
|
| From the time that you reset the counters until you took the dump, 5
| connection attempts addressed to the router were received.
|
| > Chain FORWARD (policy DROP 0 packets, 0 bytes)
| >  pkts bytes target     prot opt in     out     source               destination
| >     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   tcp flags:0x06/0x02 TCPMSS clamp to PMTU
| >     0     0 ppp0_fwd   0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0
| >     0     0 eth1_fwd   0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
|
| During that same time, no forwarded connection attempts from the 'loc' zone
| were seen.
|
| > NAT Table
| >
| > Chain PREROUTING (policy ACCEPT 66 packets, 20745 bytes)
| >  pkts bytes target     prot opt in     out     source               destination
| >     0     0 net_dnat   0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0   policy match dir in pol none
| >    66 20745 loc_dnat   0    --  eth1   *       0.0.0.0/0            0.0.0.0/0   policy match dir in pol none
|
| 66 new connection attempts were received on eth1.
|
| > Chain net_dnat (1 references)
| >  pkts bytes target     prot opt in     out     source               destination
| >     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            86.192.32.248   tcp dpt:80 to:192.168.20.1
|
| But none of them were TCP port 80 connections to 86.192.32.248.
|
| > Mangle Table
| >
| > Chain PREROUTING (policy ACCEPT 77 packets, 21836 bytes)
| >  pkts bytes target     prot opt in     out     source               destination
| >    77 21836 tcpre      0    --  *      *       0.0.0.0/0            0.0.0.0/0
|
| A total of 77 packets were received on eth1.
|
| So there are two possibilities:
|
| a) No TCP connection attempts from the local zone to 86.192.32.248:80 were
| received during the test period; or
|
| b) Such connection attempts were received but failed to match the (correct)
| DNAT rule in the net_dnat chain.
|
| I guess that the only thing left to do is to reproduce the test while
| running tcpdump:
|
|     tcpdump -nei eth1 port 80
|

That command is still there and that's all. There is nothing more displayed, even if I go to the net from a machine on the LAN or from the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248. But eth1 is connected to the LAN, so there must be an output, isn't it?

mess-mate
-- 
When one burns one's bridges, what a very nice fire it makes.
    -- Dylan Thomas
mess-mate wrote:
> | I guess that the only thing left to do is to reproduce the test while
> | running tcpdump:
> |
> |     tcpdump -nei eth1 port 80
> |
> That command is still there and that's all. There is nothing more
> displayed, even if I go to the net from a machine on the LAN or from
> the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248.
> But eth1 is connected to the LAN, so there must be an output, isn't it?

Do you have another router on your LAN?

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
|
| > | I guess that the only thing left to do is to reproduce the test while
| > | running tcpdump:
| > |
| > |     tcpdump -nei eth1 port 80
| > |
| > That command is still there and that's all. There is nothing more
| > displayed, even if I go to the net from a machine on the LAN or from
| > the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248.
| > But eth1 is connected to the LAN, so there must be an output, isn't it?
|
| Do you have another router on your LAN?
|

No, but:
- 1 wifi router configured as AP.
- 1 modem Speed Touch 510, configured in bridge mode. The reason of the ppp0.

mess-mate
-- 
It is easy to find fault, if one has that disposition. There was once a man who, not being able to find any other fault with his coal, complained that there were too many prehistoric toads in it.
    -- Mark Twain, "Pudd'nhead Wilson's Calendar"
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> |
> | > | I guess that the only thing left to do is to reproduce the test while
> | > | running tcpdump:
> | > |
> | > |     tcpdump -nei eth1 port 80
> | > |
> | > That command is still there and that's all. There is nothing more
> | > displayed, even if I go to the net from a machine on the LAN or from
> | > the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248.
> | > But eth1 is connected to the LAN, so there must be an output, isn't it?
> |
> | Do you have another router on your LAN?
> |
> No, but:
> - 1 wifi router configured as AP.
> - 1 modem Speed Touch 510, configured in bridge mode. The reason of
> the ppp0.

Ok -- two tests you can make:

a) From your LAN, access the server by its local IP address (192.168.20.1). tcpdump should produce output.

b) Now from the same LAN system, try to access your server by its external IP address (86.192.32.248). tcpdump should also produce output.

If you see output on part a) but not in part b), there is something wrong with the routing configuration on the LAN system that you are using to test this.

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
| > | mess-mate wrote:
| > |
| > | > | I guess that the only thing left to do is to reproduce the test while
| > | > | running tcpdump:
| > | > |
| > | > |     tcpdump -nei eth1 port 80
| > | > |
| > | > That command is still there and that's all. There is nothing more
| > | > displayed, even if I go to the net from a machine on the LAN or from
| > | > the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248.
| > | > But eth1 is connected to the LAN, so there must be an output, isn't it?
| > |
| > | Do you have another router on your LAN?
| > |
| > No, but:
| > - 1 wifi router configured as AP.
| > - 1 modem Speed Touch 510, configured in bridge mode. The reason of
| > the ppp0.
|
| Ok -- two tests you can make:
|
| a) From your LAN, access the server by its local IP address (192.168.20.1).
| tcpdump should produce output.
|
| b) Now from the same LAN system, try to access your server by its external
| IP address (86.192.32.248). tcpdump should also produce output.
|
| If you see output on part a) but not in part b), there is something wrong
| with the routing configuration on the LAN system that you are using to test
| this.
|

I did, and a) produces output but not b) (on the router where shorewall is running).
I checked the modem (Speed Touch 510); it seems ok and runs in bridge mode.
I'll replace the modem by one without any other possible services, a simple one, and will let you know.

Thanks and best regards
mess-mate
-- 
question = ( to ) ? be : ! be;
    -- Wm. Shakespeare
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > Tom Eastep <teastep@shorewall.net> wrote:
> | > | mess-mate wrote:
> | > |
> | > | > | I guess that the only thing left to do is to reproduce the test while
> | > | > | running tcpdump:
> | > | > |
> | > | > |     tcpdump -nei eth1 port 80
> | > | > |
> | > | > That command is still there and that's all. There is nothing more
> | > | > displayed, even if I go to the net from a machine on the LAN or from
> | > | > the DMZ, or from a machine on the LAN to the DMZ via 86.192.32.248.
> | > | > But eth1 is connected to the LAN, so there must be an output, isn't it?
> | > |
> | > | Do you have another router on your LAN?
> | > |
> | > No, but:
> | > - 1 wifi router configured as AP.
> | > - 1 modem Speed Touch 510, configured in bridge mode. The reason of
> | > the ppp0.
> |
> | Ok -- two tests you can make:
> |
> | a) From your LAN, access the server by its local IP address (192.168.20.1).
> | tcpdump should produce output.
> |
> | b) Now from the same LAN system, try to access your server by its external
> | IP address (86.192.32.248). tcpdump should also produce output.
> |
> | If you see output on part a) but not in part b), there is something wrong
> | with the routing configuration on the LAN system that you are using to test
> | this.
> |
> I did, and a) produces output but not b) (on the router where
> shorewall is running).
> I checked the modem (Speed Touch 510); it seems ok and runs in bridge mode.
> I'll replace the modem by one without any other possible services,
> a simple one.
>

I suspect that what you need to do is simply change the default gateway to point to the IP address of the internal interface of the Shorewall router.

-Tom
Tom Eastep wrote:
>
> I suspect that what you need to do is simply change the default gateway to
> point to the IP address of the internal interface of the Shorewall router.
>

Groan -- that should have been "... to *point* to the IP ...".

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> I suspect that what you need to do is simply change the default gateway to
>> point to the IP address of the internal interface of the Shorewall router.
>>
>
> Groan -- that should have been "... to *point* to the IP ...".

Hmmm -- I guess I need to get my eyes tested; the original said what I wanted in the first place...

-Tom (maybe the mind isn't the first to go -- although maybe it is)
Tom Eastep <teastep@shorewall.net> wrote:
| Tom Eastep wrote:
| > Tom Eastep wrote:
| >
| >> I suspect that what you need to do is simply change the default gateway to
| >> point to the IP address of the internal interface of the Shorewall router.
| >>
| >
| > Groan -- that should have been "... to *point* to the IP ...".
|
| Hmmm -- I guess I need to get my eyes tested; the original said what I wanted
| in the first place...
|

Ok, changing the modem didn't change anything :( So replaced with the original (st510).
But..... had to reboot, and when shorewall stopped and started the message 'find_first_interface_address not found line 27' is still there!

'Network is unreachable' if changing the default gateway for the LAN or DMZ machines.
I followed the 'three-interfaces' doc; see here on the shorewall router:

ip route ls
193.253.160.3 dev ppp0  proto kernel  scope link  src 86.207.39.186
192.168.20.0/24 dev eth2  proto kernel  scope link  src 192.168.20.254
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254
default dev ppp0  scope link

ip addr ls
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:76:12:3e:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.254/24 brd 192.168.20.255 scope global eth2
    inet6 fe80::204:76ff:fe12:3e75/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:29:3c:34:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
    inet6 fe80::2e0:29ff:fe3c:34bd/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:c8:ec:92:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::280:c8ff:feec:92b5/64 scope link
       valid_lft forever preferred_lft forever
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 86.207.39.186 peer 193.253.160.3/32 scope global ppp0

and part of a 'tcpdump':

15:43:25.419267 arp who-has router.laplaceverte.fr tell st510.laplaceverte.fr
    (st510 is the modem)
15:43:25.419340 arp reply router.laplaceverte.fr is-at 00:80:c8:ec:92:b5 (oui Unknown)
    (the unknown came from the modem where I didn't set a name for it)

Please keep in mind that shorewall runs fine otherwise. The only thing I can't do is accessing the DMZ from the LAN via the net, and that 'find_first_interface_address not found line 27'.
As I said, that message is only there on a start or stop of shorewall, not when shorewall is running and restarting it.

If this can help
best regards
mess-mate
-- 
You will outgrow your usefulness.
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | Tom Eastep wrote:
> | > Tom Eastep wrote:
> | >
> | >> I suspect that what you need to do is simply change the default gateway to
> | >> point to the IP address of the internal interface of the Shorewall router.
> | >>
> | >
> | > Groan -- that should have been "... to *point* to the IP ...".
> |
> | Hmmm -- I guess I need to get my eyes tested; the original said what I wanted
> | in the first place...
> |
> Ok, changing the modem didn't change anything :( So replaced with
> the original (st510).

You're the one who decided to replace the modem. No one on this list suggested that the modem was the problem.

> But..... had to reboot, and when shorewall stopped and started the message
> 'find_first_interface_address not found line 27' is still there!

I don't know what else I can do. I've asked for a trace that shows the problem and you keep sending me traces that don't show the problem. There is nothing more that I can do -- I can't come to France and look over your shoulder.

>
> 'Network is unreachable' if changing the default gateway for the LAN or DMZ machines.
> I followed the 'three-interfaces' doc; see here on the shorewall
> router:
> ip route ls
> 193.253.160.3 dev ppp0  proto kernel  scope link  src 86.207.39.186
> 192.168.20.0/24 dev eth2  proto kernel  scope link  src 192.168.20.254
> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
> 192.168.10.0/24 dev eth1  proto kernel  scope link  src 192.168.10.254
> default dev ppp0  scope link

I didn't suggest that routing on the Shorewall box is wrong. You have conclusively proved that when you try to access the web server using address 86.207.39.186 (I see that it has changed), the connect request IS NOT REACHING THE SHOREWALL SYSTEM. No router in the world can route packets that are not sent to it.

>
> Please keep in mind that shorewall runs fine otherwise. The only
> thing I can't do is accessing the DMZ from the LAN via the net,

And you have proved that problem has nothing to do with Shorewall or the Shorewall system.

and

> that 'find_first_interface_address not found line 27'.
> As I said, that message is only there on a start or stop of
> shorewall, not when shorewall is running and restarting it.

And I can't help you with that unless you can trace it happening.

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| > But..... had to reboot, and when shorewall stopped and started the message
| > 'find_first_interface_address not found line 27' is still there!
|
| I don't know what else I can do. I've asked for a trace that shows the
| problem and you keep sending me traces that don't show the problem. There is
| nothing more that I can do -- I can't come to France and look over your
| shoulder.

Why not, we do B&B -:)

| > Please keep in mind that shorewall runs fine otherwise. The only
| > thing I can't do is accessing the DMZ from the LAN via the net,
|
| And you have proved that problem has nothing to do with Shorewall or the
| Shorewall system.
|
| and
| > that 'find_first_interface_address not found line 27'.
| > As I said, that message is only there on a start or stop of
| > shorewall, not when shorewall is running and restarting it.
|
| And I can't help you with that unless you can trace it happening.
|

I can't trace it; it only occurs at a shorewall start or stop.
Seems 'functions' can't be found BEFORE the start of shorewall.
So if shorewall isn't started, how can it run 'find_first_interface_address'?
The /etc/shorewall/params tries to be found (?) just before the start of shorewall.

mess-mate
-- 
My only love sprung from my only hate!
Too early seen unknown, and known too late!
    -- William Shakespeare, "Romeo and Juliet"
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | > But..... had to reboot, and when shorewall stopped and started the message
> | > 'find_first_interface_address not found line 27' is still there!
> |
> | I don't know what else I can do. I've asked for a trace that shows the
> | problem and you keep sending me traces that don't show the problem. There is
> | nothing more that I can do -- I can't come to France and look over your
> | shoulder.
>
> Why not, we do B&B -:)

I know -- looks very nice too ;-)

>
> | > Please keep in mind that shorewall runs fine otherwise. The only
> | > thing I can't do is accessing the DMZ from the LAN via the net,
> |
> | And you have proved that problem has nothing to do with Shorewall or the
> | Shorewall system.
> |
> | and
> | > that 'find_first_interface_address not found line 27'.
> | > As I said, that message is only there on a start or stop of
> | > shorewall, not when shorewall is running and restarting it.
> |
> | And I can't help you with that unless you can trace it happening.
> |
> I can't trace it; it only occurs at a shorewall start or stop.
> Seems 'functions' can't be found BEFORE the start of shorewall.
> So if shorewall isn't started, how can it run
> 'find_first_interface_address'?
> The /etc/shorewall/params tries to be found (?) just before
> the start of shorewall.

Then you should be able to reproduce it with "shorewall stop;shorewall start"

-Tom
Tom Eastep wrote:
>> I can't trace it; it only occurs at a shorewall start or stop.
>> Seems 'functions' can't be found BEFORE the start of shorewall.
>> So if shorewall isn't started, how can it run
>> 'find_first_interface_address'?
>> The /etc/shorewall/params tries to be found (?) just before
>> the start of shorewall.
>
> Then you should be able to reproduce it with "shorewall stop;shorewall start"

Here's one possibility. Try this:

- shorewall stop
- shorewall start -f

Do you see the message then? If so:

- shorewall forget

Reason: At some point when you had an incorrect configuration, you issued a "shorewall save" command. The "shorewall forget" command reverses the effect of "shorewall save".

And during system boot, Shorewall tries to speed up the boot process by using "shorewall start -f" which restores the last saved configuration, if any (otherwise it does a normal 'shorewall start').

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
| Tom Eastep wrote:
|
| >> I can't trace it; it only occurs at a shorewall start or stop.
| >> Seems 'functions' can't be found BEFORE the start of shorewall.
| >> So if shorewall isn't started, how can it run
| >> 'find_first_interface_address'?
| >> The /etc/shorewall/params tries to be found (?) just before
| >> the start of shorewall.
| >
| > Then you should be able to reproduce it with "shorewall stop;shorewall start"
|
| Here's one possibility. Try this:
|
| - shorewall stop
| - shorewall start -f
|
| Do you see the message then? If so:

No, the message is not there, but .....

|
| - shorewall forget
|
| Reason: At some point when you had an incorrect configuration, you
| issued a "shorewall save" command. The "shorewall forget" command
| reverses the effect of "shorewall save".
|
| And during system boot, Shorewall tries to speed up the boot process by
| using "shorewall start -f" which restores the last saved configuration,
| if any (otherwise it does a normal 'shorewall start').
|

The fault is here: /etc/init.d/shorewall (Debian).
When I do a '/etc/init.d/shorewall stop' or '/etc/init.d/shorewall start', the message is there!

But with a 'shorewall stop' or 'shorewall start', there is no message.
Here I call directly /sbin/shorewall and not /etc/init.d/shorewall!

Here is the shorewall file called on boot.

mess-mate
-- 
You have had a long-term stimulation relative to business.
mess-mate wrote:
> The fault is here: /etc/init.d/shorewall (Debian).
> When I do a '/etc/init.d/shorewall stop' or '/etc/init.d/shorewall
> start', the message is there!
>
> But with a 'shorewall stop' or 'shorewall start', there is no message.
> Here I call directly /sbin/shorewall and not /etc/init.d/shorewall!
>
> Here is the shorewall file called on boot.

The following is the problem:

> # parse the shorewall params file in order to use params in
> # /etc/default/shorewall
> if [ -f "/etc/shorewall/params" ]
> then
>     . /etc/shorewall/params
> fi

That bit of code works fine if the params file contains just simple assignment statements. But if, as in your case, the params file contains calls to Shorewall library functions, then the 'not found' message is emitted.

You can eliminate the problem by adding this code at the top of your /etc/shorewall/params file:

    [ -n "$SHOREWALL_LIBVERSION" ] && . /usr/share/shorewall/functions

-Tom

PS -- I've BCC'ed the Debian Shorewall maintainer on this response.
Tom Eastep wrote:
> mess-mate wrote:
>
>> The fault is here: /etc/init.d/shorewall (Debian).
>> When I do a '/etc/init.d/shorewall stop' or '/etc/init.d/shorewall
>> start', the message is there!
>>
>> But with a 'shorewall stop' or 'shorewall start', there is no message.
>> Here I call directly /sbin/shorewall and not /etc/init.d/shorewall!
>>
>> Here is the shorewall file called on boot.
>
> The following is the problem:
>
>> # parse the shorewall params file in order to use params in
>> # /etc/default/shorewall
>> if [ -f "/etc/shorewall/params" ]
>> then
>>     . /etc/shorewall/params
>> fi
>
> That bit of code works fine if the params file contains just simple
> assignment statements. But if, as in your case, the params file contains
> calls to Shorewall library functions, then the 'not found' message is emitted.
>
> You can eliminate the problem by adding this code at the top of your
> /etc/shorewall/params file:
>
>     [ -n "$SHOREWALL_LIBVERSION" ] && . /usr/share/shorewall/functions

That of course should have been:

    [ -n "$SHOREWALL_LIBVERSION" ] || . /usr/share/shorewall/functions

-Tom
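The failure Tom diagnoses above, and the guard in its corrected `||` form, as an added example that is not part of the thread and is not Shorewall's own code. Nothing under /etc/shorewall or /usr/share/shorewall is touched: the script builds a throw-away stand-in for the functions library in a temporary directory (SHOREWALL_LIBVERSION and find_first_interface_address are constructed stand-ins that return made-up addresses, not the real implementations), writes three params files (no guard, the mistaken `&&` guard, and the `||` guard), and sources each one the way the Debian init script does (library not yet loaded) and the way /sbin/shorewall does (library already loaded). Both the `&&` form and the unguarded file reproduce the "not found" message in the init-script case; only the `||` form yields a value in both cases.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Reproduces the "command not found"
# that appears when an init script sources /etc/shorewall/params before the
# Shorewall functions library is loaded, and shows which guard fixes it.
# All paths below are hypothetical temp files; nothing in /etc is read.

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed stand-in for /usr/share/shorewall/functions. The real library
# defines many more functions; only the two names this demo needs exist here.
cat > "$WORK/functions" <<'EOF'
SHOREWALL_LIBVERSION=30206
find_first_interface_address() {
    # stand-in: the real function parses `ip addr ls $1`; these are made up
    case "$1" in
        eth0) echo 192.168.1.1 ;;
        eth1) echo 192.168.10.254 ;;
        *)    return 1 ;;
    esac
}
EOF

# 1. params file as the poster had it: calls a library function, no guard
cat > "$WORK/params.bad" <<'EOF'
ETH0_IP=`find_first_interface_address eth0`
EOF

# 2. the first (mistaken) guard: "&&" only loads the library when it is
#    already loaded, so it never helps the init-script case
cat > "$WORK/params.wrong" <<EOF
[ -n "\$SHOREWALL_LIBVERSION" ] && . $WORK/functions
ETH0_IP=\`find_first_interface_address eth0\`
EOF

# 3. the corrected guard: load the library if, and only if, it is missing
cat > "$WORK/params.good" <<EOF
[ -n "\$SHOREWALL_LIBVERSION" ] || . $WORK/functions
ETH0_IP=\`find_first_interface_address eth0\`
EOF

# Source a params file in a fresh child shell.
#   $1: "bare"    -> library NOT loaded first (what /etc/init.d/shorewall did)
#       "withlib" -> library loaded first   (what /sbin/shorewall does)
#   $2: params file
# Output: the child's stderr (the "not found" line, if any) merged with a
# final "ETH0_IP=<value>" line showing what the assignment produced.
run_params() {
    if [ "$1" = withlib ]; then
        pre=". $WORK/functions;"
    else
        pre=""
    fi
    sh -c "$pre . \"$2\"; printf 'ETH0_IP=%s\n' \"\$ETH0_IP\"" 2>&1
}

# Convenience wrappers used for checking results.
last_value() { run_params "$1" "$2" | tail -n 1; }
mentions_not_found() {
    case "$(run_params "$1" "$2")" in
        *"not found"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Show every combination when run directly.
for f in params.bad params.wrong params.good; do
    printf '== %s, library not loaded (init script) ==\n' "$f"
    run_params bare "$WORK/$f"
    printf '== %s, library already loaded (/sbin/shorewall) ==\n' "$f"
    run_params withlib "$WORK/$f"
done
```

The `||` guard is idempotent: when /sbin/shorewall has already loaded the library, SHOREWALL_LIBVERSION is set and the source is skipped, so the same params file works from both entry points.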
Tom Eastep <teastep@shorewall.net> wrote:
| Tom Eastep wrote:
| > mess-mate wrote:
| >
| >> The fault is here: /etc/init.d/shorewall (Debian).
| >> When I do a '/etc/init.d/shorewall stop' or '/etc/init.d/shorewall
| >> start', the message is there!
| >>
| >> But with a 'shorewall stop' or 'shorewall start', there is no message.
| >> Here I call directly /sbin/shorewall and not /etc/init.d/shorewall!
| >>
| >> Here is the shorewall file called on boot.
| >
| > The following is the problem:
| >
| >> # parse the shorewall params file in order to use params in
| >> # /etc/default/shorewall
| >> if [ -f "/etc/shorewall/params" ]
| >> then
| >>     . /etc/shorewall/params
| >> fi
| >
| > That bit of code works fine if the params file contains just simple
| > assignment statements. But if, as in your case, the params file contains
| > calls to Shorewall library functions, then the 'not found' message is emitted.
| >
| > You can eliminate the problem by adding this code at the top of your
| > /etc/shorewall/params file:
| >
| >     [ -n "$SHOREWALL_LIBVERSION" ] && . /usr/share/shorewall/functions
|
| That of course should have been:
|
|     [ -n "$SHOREWALL_LIBVERSION" ] || . /usr/share/shorewall/functions
|

Thanks Tom, it did the trick; no more 'not found' message.
Maybe it would be useful to add it to the FAQ, do it?

I continue searching why the connection is refused, and I suspect a squid (proxy)/shorewall configuration.
The message I receive when I try to connect to my webpage on the DMZ:

While trying to retrieve the URL: http://86.192.102.89/

The following error was encountered:

    * Connection to 86.192.102.89 Failed

The system returned:

    (111) Connection refused

The remote host or network may be down. Please try the request again.

Generated Mon, 09 Apr 2007 07:15:09 GMT by router.laplaceverte.fr (squid/2.6.STABLE5)

Seems the connection tries to pass through the proxy (squid)?

mess-mate
-- 
You will be married within a year, and divorced within two.