Hi,
maybe there is something wrong with my three interface configuration.
I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
I can access from the DMZ and the loc the firewall/router but can't
access FROM the firewall/router those machines with a https connection.
A https://machine1:10000 from the firewall/router gives me
'Error - Access denied for 192.168.10.254'

Here is my ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:06:29:34:4C:40
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::206:29ff:fe34:4c40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:797302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:690141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:491529654 (468.7 MiB)  TX bytes:76357668 (72.8 MiB)

eth1      Link encap:Ethernet  HWaddr 00:50:BA:F1:65:2F
          inet addr:192.168.10.254  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:baff:fef1:652f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1086119 errors:0 dropped:0 overruns:0 frame:86
          TX packets:760060 errors:0 dropped:0 overruns:0 carrier:0
          collisions:29655 txqueuelen:1000
          RX bytes:242628796 (231.3 MiB)  TX bytes:410624341 (391.6 MiB)
          Interrupt:6 Base address:0x7400

eth2      Link encap:Ethernet  HWaddr 00:A0:CC:3F:48:3E
          inet addr:192.168.20.254  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr: fe80::2a0:ccff:fe3f:483e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45453 errors:1 dropped:0 overruns:0 frame:0
          TX packets:49112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14544376 (13.8 MiB)  TX bytes:36323759 (34.6 MiB)
          Interrupt:6 Base address:0x7800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:113966 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113966 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:61524487 (58.6 MiB)  TX bytes:61524487 (58.6 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:86.192.34.35  P-t-P:193.253.160.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:17857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16945 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:7630093 (7.2 MiB)  TX bytes:2081788 (1.9 MiB)

And this is a 'route' from machine1:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
default         192.168.10.254  0.0.0.0         UG    0      0        0 eth0

All goes well when I do a http://machine1 or a ssh or whatever from the
router/firewall; only that https won't work.
Https seems closed from the net.

mess-mate
--
Repartee is something we think of twenty-four hours too late.
-- Mark Twain

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Hi,
maybe there is something wrong with my three interface configuration.
I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
I can access from the DMZ and the loc the firewall/router but can't
access FROM the firewall/router those machines with a https connection.
A https://machine1:10000 from the firewall/router gives me
'Error - Access denied for 192.168.10.254'
and here is a shorewall dump (shore.dump.tgz)

best regards
mess-mate
--
Repartee is something we think of twenty-four hours too late.
-- Mark Twain
mess-mate wrote:
> Hi,
> maybe there is something wrong with my three interface configuration.
> I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
> I can access from the DMZ and the loc the firewall/router but can't
> access FROM the firewall/router those machines with a https
> connection.
> A https://machine1:10000 from the firewall/router gives me
> 'Error - Access denied for 192.168.10.254'

What makes you think this problem has anything to do with Shorewall? Are
these connections allowed if you momentarily 'shorewall clear'?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
mess-mate wrote:
> maybe there is something wrong with my three interface configuration.
> I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
> I can access from the DMZ and the loc the firewall/router but can't
> access FROM the firewall/router those machines with a https
> connection.
> A https://machine1:10000 from the firewall/router gives me
> 'Error - Access denied for 192.168.10.254'

Have you configured miniserv.conf in /etc/webmin ?

By default this usually has a line like
  allow=127.0.0.0/24
which you need to change to something like
  allow=127.0.0.0/24 a.b.c.d/24 w.x.y.z/16

The clue is in the error 'Error - Access denied for 192.168.10.254'
which indicates that you got a connection and the server returned
something, but the server wasn't prepared to give you the data you
wanted. Completely different to the firewall blocking packets.
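The reply above turns on how miniserv's `allow=` list is evaluated. The following is an added example (not from the thread or from Webmin itself) that parses that key from a constructed `miniserv.conf` fragment and reports whether a given client address would pass; it assumes only plain addresses and a.b.c.d/prefix entries, and uses the thread's own loc and dmz networks in place of a.b.c.d/24 and w.x.y.z/16.

```python
"""Evaluate a Webmin miniserv.conf 'allow=' list for a client address."""
import ipaddress

# Constructed sample of the relevant part of /etc/webmin/miniserv.conf,
# with the default 'allow=' line the reply mentions.
DEFAULT_CONF = """\
port=10000
ssl=1
allow=127.0.0.0/24
"""

# The widened form the reply suggests; the thread's loc and dmz networks
# stand in for a.b.c.d/24 and w.x.y.z/16 (an assumption for this example).
WIDENED_CONF = DEFAULT_CONF.replace(
    "allow=127.0.0.0/24",
    "allow=127.0.0.0/24 192.168.10.0/24 192.168.20.0/24",
)


def parse_allow(conf_text):
    """Networks on the 'allow=' line; [] when the key is absent.

    Only single addresses and a.b.c.d/prefix entries are handled; any
    other form Webmin may accept (hostnames etc.) raises ValueError.
    """
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "allow":
            # strict=False so a host-style entry like 10.0.0.7/24 still parses
            return [ipaddress.ip_network(e, strict=False) for e in value.split()]
    return []


def is_allowed(conf_text, client_ip):
    """True if client_ip is inside an allowed network.

    No 'allow=' key means no source restriction at all (the 1.350 case
    the thread ends on), so every client passes.
    """
    networks = parse_allow(conf_text)
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    client = "192.168.10.254"  # the router's eth1 address from the thread
    for name, conf in (("default", DEFAULT_CONF), ("widened", WIDENED_CONF)):
        print(f"{name}: {client} {'allowed' if is_allowed(conf, client) else 'denied'}")
```

Because an application-level deny still completes the TCP handshake and returns a body, a `shorewall clear` test (as Tom suggests) will not change the result, which is the quickest way to tell this from a firewall drop.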
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Hi,
| > maybe there is something wrong with my three interface configuration.
| > I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
| > I can access from the DMZ and the loc the firewall/router but can't
| > access FROM the firewall/router those machines with a https
| > connection.
| > A https://machine1:10000 from the firewall/router gives me
| > 'Error - Access denied for 192.168.10.254'
|
| What makes you think this problem has anything to do with Shorewall? Are
| these connections allowed if you momentarily 'shorewall clear'?
|
No difference after a shorewall clear :(
Only the lan machines (sarge) couldn't be accessed, but the DMZ machine
can. That's why I thought a misconfigured shorewall.
So this seems not the case and Simon got me on the right way: it's a
webmin problem between a debian/sarge package installed on machine1 and
a *.deb package downloaded from the webmin site and installed on the DMZ
machine (debian/etch). They are not the same nor the version of course.
Sorry for the noise and thanks for the reply.

mess-mate
--
Q: What did Tarzan say when he saw the elephants coming over the hill?
A: "The elephants are coming over the hill."

Q: What did he say when he saw them coming over the hill wearing sunglasses?
A: Nothing, for he didn't recognize them.
Simon Hobson <linux@thehobsons.co.uk> wrote:
| mess-mate wrote:
|
| >maybe there is something wrong with my three interface configuration.
| >I followed http://www.shorewall.net/three-interface.htm, Figure 3 DMZ.
| >I can access from the DMZ and the loc the firewall/router but can't
| >access FROM the firewall/router those machines with a https
| >connection.
| >A https://machine1:10000 from the firewall/router gives me
| >'Error - Access denied for 192.168.10.254'
|
| Have you configured miniserv.conf in /etc/webmin ?
|
| By default this usually has a line like
|   allow=127.0.0.0/24
| which you need to change to something like
|   allow=127.0.0.0/24 a.b.c.d/24 w.x.y.z/16
|
|
| The clue is in the error 'Error - Access denied for 192.168.10.254'
| which indicates that you got a connection and the server returned
| something, but the server wasn't prepared to give you the data you
| wanted. Completely different to the firewall blocking packets.
|
You are right, it's a webmin problem. But depending on the version of
it there is no 'allow' line present in the 1.350 version but it is in
the 1.180 version.
Thanks for putting me on the right way even if it is not a shorewall
question.

best regards
mess-mate
--
Let me put it this way: today is going to be a learning experience.