Hi,
can't get it working :(
This is what I have when I access http://www.laplaceverte.fr :

While trying to retrieve the URL: http://www.laplaceverte.fr/

The following error was encountered:

* Connection to 86.192.96.249 Failed

The system returned:

(111) Connection refused

The remote host or network may be down. Please try the request again.

ppp0 points to 86.192.96.249 and in /etc/shorewall/rules I've:

DNAT      loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP
Web/DNAT  net    dmz:192.168.20.1

Anything wrong with the rules?

mess-mate
--
Q: Minnesotans ask, "Why aren't there more pharmacists from Alabama?"
A: Easy. It's because they can't figure out how to get the little bottles into the typewriter.
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
mess-mate wrote:
> Hi,
> can't get it working :(
> This is what I have when I access http://www.laplaceverte.fr :
> While trying to retrieve the URL: http://www.laplaceverte.fr/
>
> The following error was encountered:
>
> * Connection to 86.192.96.249 Failed
>
> The system returned:
>
> (111) Connection refused
>
> The remote host or network may be down. Please try the
> request again.
>
> ppp0 points to 86.192.96.249 and in /etc/shorewall/rules I've:
> DNAT      loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP
> Web/DNAT  net    dmz:192.168.20.1
>
> Anything wrong with the rules?

That's like saying "The sky is blue" then asking "anything wrong with that
sentence?". While the sky may very well be blue, it might also be a gray
cloudy day. In other words, the correctness of the rules that you posted
cannot be determined by looking at them out of context. They don't look
obviously wrong.

IIRC, when we last visited this problem, the connection failure only
occurred from the 'loc' zone. Furthermore, a tcpdump running during a
connection attempt revealed that no tcp port 80 traffic to 86.192.96.249 was
reaching the Shorewall box. Is that still the case?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > [...]
| > ppp0 points to 86.192.96.249 and in /etc/shorewall/rules I've:
| > DNAT      loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP
| > Web/DNAT  net    dmz:192.168.20.1
| >
| > Anything wrong with the rules?
|
| That's like saying "The sky is blue" then asking "anything wrong with that
| sentence?". While the sky may very well be blue, it might also be a gray
| cloudy day. In other words, the correctness of the rules that you posted
| cannot be determined by looking at them out of context. They don't look
| obviously wrong.
|
| IIRC, when we last visited this problem, the connection failure only
| occurred from the 'loc' zone. Furthermore, a tcpdump running during a
| connection attempt revealed that no tcp port 80 traffic to 86.192.96.249 was
| reaching the Shorewall box. Is that still the case?
|
| -Tom
| --

Did a test with the proxy settings OFF on the browsers.

The browsers on the machines are configured to pass through the proxy.
So I configured a browser to connect directly to the internet (no proxy
config) and I got my website and also all other websites.

I don't understand exactly why the browsers have to have a direct
connection to the internet now?

mess-mate
--
Q: What's a light-year?
A: One-third less calories than a regular year.
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | [...]
> | IIRC, when we last visited this problem, the connection failure only
> | occurred from the 'loc' zone. Furthermore, a tcpdump running during a
> | connection attempt revealed that no tcp port 80 traffic to 86.192.96.249 was
> | reaching the Shorewall box. Is that still the case?
> |
> | -Tom
> | --
> Did a test with the proxy settings OFF on the browsers.
>
> The browsers on the machines are configured to pass through the proxy.
> So I configured a browser to connect directly to the internet (no proxy
> config) and I got my website and also all other websites.
>
> I don't understand exactly why the browsers have to have a direct
> connection to the internet now?
>
> mess-mate

I assume that the proxy is running on the same system as Shorewall? If so,
then it is the proxy that attempts to connect to www.laplaceverte.fr, and that
is a fw->fw connection (since the IP address of www.laplaceverte.fr is local to
the Shorewall system).

You can work around this by adding this rule:

DNAT    $FW    dmz:192.168.20.1    tcp    80    -    $ETH0_IP

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > [...]
| > I don't understand exactly why the browsers have to have a direct
| > connection to the internet now?
| >
| > mess-mate
|
| I assume that the proxy is running on the same system as Shorewall? If so,
| then it is the proxy that attempts to connect to www.laplaceverte.fr, and that
| is a fw->fw connection (since the IP address of www.laplaceverte.fr is local to
| the Shorewall system).
|
| You can work around this by adding this rule:
|
| DNAT    $FW    dmz:192.168.20.1    tcp    80    -    $ETH0_IP
|
| -Tom
| --

OK, it's done and working, thanks.
Now a connection can be made with a browser configured 'with or without'
the proxy.
Is this line still useful?
DNAT    loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP

mess-mate
--
Q: What do you call a principal female opera singer whose high C is lower
than those of other principal female opera singers?
A: A deep C diva.
mess-mate wrote:
> Is this line still useful?
> DNAT    loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP

It is not useful if all HTTP clients in the 'loc' zone use the proxy.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
|
| > Is this line still useful?
| > DNAT    loc    dmz:192.168.20.1    tcp    80    -    $ETH0_IP
|
| It is not useful if all HTTP clients in the 'loc' zone use the proxy.
|
| -Tom
| --

There is no difference for the HTTP clients whether this line is disabled
or not. So there is no need for them to configure the browser connection
settings to use a proxy. The purpose was to force HTTP clients to go
through the proxy and Shorewall, of course.

mess-mate
--
Many enraged psychiatrists are inciting a weary butcher. The butcher is
weary and tired because he has cut meat and steak and lamb for hours and
weeks. He does not desire to chant about anything with raving
psychiatrists, but he sings about his gingivectomist, he dreams about a
single cosmologist, he thinks about his dog. The dog is named Herbert.
-- Racter, "The Policeman's Beard is Half-Constructed"
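Added example (not code from the thread, from mess-mate, or from Shorewall itself) covering the two points Tom made above: why a proxy that runs on the firewall needs its own `DNAT $FW ...` rule, and why the `DNAT loc ...` rule stops mattering once every LAN browser goes through that proxy. The script parses the small subset of the columnar /etc/shorewall/rules format used in the thread (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, plus the Web/DNAT macro form), works out which zone each client path is actually seen from, and reports whether a DNAT rule will rewrite the connection to the DMZ host. A browser talking to a proxy on the firewall is not a 'loc' client for this purpose: the proxy opens its own TCP connection to the public address, so the packet is locally generated and traverses the nat OUTPUT chain (source zone $FW) rather than PREROUTING. Assumptions not stated in the thread: $ETH0_IP resolves to the public address 86.192.96.249, the firewall zone $FW is named "fw" as in a default shorewall.conf, and Web is the only macro in play (tcp/80). The rule texts and client paths are constructed to mirror the thread.

```python
"""Model which client paths a Shorewall DNAT rule set actually covers.

Constructed example; not Shorewall code. Parses the subset of the classic
/etc/shorewall/rules format used in the thread and answers, for each way a
browser can reach the published web server, whether a DNAT rule rewrites
the connection to the DMZ host.
"""

# Assumption: Shorewall's Web macro means tcp port 80; only macro modelled.
MACROS = {"Web": ("tcp", "80")}

# Assumption: stands in for /etc/shorewall/params ($ETH0_IP) and the
# firewall zone name ($FW, "fw" by default in shorewall.conf).
PARAMS = {"ETH0_IP": "86.192.96.249", "FW": "fw"}

WEB_SERVER = "dmz:192.168.20.1"

# Constructed copy of the two rules in the first post.
RULES_BEFORE = """
# ACTION    SOURCE  DEST                PROTO  DPORT  SPORT  ORIGDEST
DNAT        loc     dmz:192.168.20.1    tcp    80     -      $ETH0_IP
Web/DNAT    net     dmz:192.168.20.1
"""

# Same rules plus the $FW rule suggested in the reply.
RULES_AFTER = RULES_BEFORE + """
DNAT        $FW     dmz:192.168.20.1    tcp    80     -      $ETH0_IP
"""

# The later question: rule set with the loc rule removed.
RULES_NO_LOC = """
Web/DNAT    net     dmz:192.168.20.1
DNAT        $FW     dmz:192.168.20.1    tcp    80     -      $ETH0_IP
"""


def parse_rules(text, params=PARAMS):
    """Return one dict per rule, with $VARs expanded and macros resolved."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        cols = [params.get(c[1:], c) if c.startswith("$") else c
                for c in line.split()]
        action = cols[0]
        proto, dport = "-", "-"
        if "/" in action:                           # macro form, e.g. Web/DNAT
            macro, action = action.split("/", 1)
            proto, dport = MACROS[macro]
        cols += ["-"] * (7 - len(cols))             # omitted columns mean "any"
        if proto == "-":
            proto, dport = cols[3], cols[4]
        rules.append({"action": action, "source": cols[1], "dest": cols[2],
                      "proto": proto, "dport": dport, "origdest": cols[6]})
    return rules


def effective_source_zone(client_zone, via_proxy_on_firewall, fw_zone=PARAMS["FW"]):
    """Zone Shorewall sees the connection coming from.

    Through a proxy on the firewall the proxy itself opens the TCP
    connection, so the packet is locally generated (nat OUTPUT chain) and
    the source zone is $FW, whatever zone the browser sits in.
    """
    return fw_zone if via_proxy_on_firewall else client_zone


def dnat_covers(rules, source_zone, dest, dport="80", origdest=PARAMS["ETH0_IP"]):
    """True if some DNAT rule rewrites tcp/dport from source_zone to dest."""
    for r in rules:
        if r["action"] != "DNAT" or r["dest"] != dest:
            continue
        if r["source"].split(":")[0] != source_zone:
            continue
        if r["proto"] not in ("tcp", "-") or r["dport"] not in (dport, "-"):
            continue
        if r["origdest"] not in ("-", origdest):    # '-' = any original destination
            continue
        return True
    return False


# (label, zone the browser sits in, goes through a proxy running on the firewall?)
CLIENT_PATHS = [
    ("internet client", "net", False),
    ("LAN browser, direct", "loc", False),
    ("LAN browser via proxy on firewall", "loc", True),
]


def check_paths(rules_text, paths=CLIENT_PATHS):
    """Map each client path to whether the rule set DNATs it to the web server."""
    rules = parse_rules(rules_text)
    return {label: dnat_covers(rules, effective_source_zone(zone, via_proxy), WEB_SERVER)
            for label, zone, via_proxy in paths}


if __name__ == "__main__":
    for name, text in (("before", RULES_BEFORE), ("after", RULES_AFTER),
                       ("no loc rule", RULES_NO_LOC)):
        print(name)
        for label, ok in check_paths(text).items():
            print(f"  {label:36s} {'DNAT ok' if ok else 'NOT covered'}")
```

Running it shows the thread in miniature: the original two rules cover the internet client and a LAN browser that bypasses the proxy, but not the proxy-on-firewall path, which the `$FW` rule fixes; dropping the `loc` rule afterwards only breaks the direct LAN path, so it is dead weight exactly when every 'loc' client uses the proxy. On a live box the equivalent check is `iptables -t nat -L OUTPUT -n` (the $FW DNAT lands there) versus `-L PREROUTING -n` (the loc and net rules).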