Hello list,
I have set up a network similar to the two-interface howto. The external
interface's IP address is updated with a dynamic dns service; call it
'example.dyndns.org'. We have an internal mail server, and shorewall
forwards the SMTP and IMAP ports to it using a DNAT rule. We have laptops
that we carry about, sometimes on the internal network, sometimes outside.
We'd like to have a single mail client configuration where the laptops can
connect to example.dyndns.org regardless of whether they're on the internal
network or on the internet.

Shorewall, however, will not forward traffic from the internal network to
the internal network, which makes sense. When an internal machine tries to
connect to example.dyndns.org:imap, shorewall logs the rejected packet:

Sep 6 18:06:31 example kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=192.168.1.100 DST=192.168.3.2 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=55357
DF PROTO=TCP SPT=59969 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0

This makes sense, of course, since traffic to and from the same subnet
shouldn't be routed. I'm hoping that there will be a way to convince
Shorewall to SNAT the packet out before it is DNATted back in, or something,
such that this makes sense from a routing standpoint.
Thanks!
John
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
John Morris wrote:
> This makes sense, of course, since traffic to and from the same subnet
> shouldn't be routed. I'm hoping that there will be a way to convince
> Shorewall to SNAT the packet out before it is DNATted back in, or
> something, such that this makes sense from a routing standpoint.

Shorewall FAQ 2.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
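The hairpin-NAT arrangement that Shorewall FAQ 2 describes, worked through for the setup in the question. This is an added example, not part of the original thread and not taken from Shorewall's own documentation. It assumes the client and the mail server both sit behind eth0 (the logged packet has IN=eth0 OUT=eth0), the mail server at 192.168.3.2 (the logged DST), a firewall internal address of 192.168.3.1, and 203.0.113.5 standing in for whatever example.dyndns.org currently resolves to; those last two addresses are placeholders.

```text
# /etc/shorewall/params  (added example; addresses are assumed placeholders)
EXT_IP=203.0.113.5        # what example.dyndns.org resolves to right now
MAIL_SERVER=192.168.3.2   # internal mail server, taken from the logged DST
FW_INT_IP=192.168.3.1     # firewall's own address on the internal side (assumed)

# /etc/shorewall/interfaces
# Client and server are both behind eth0 (the log shows IN=eth0 OUT=eth0), so
# eth0 must be allowed to route a packet back out of the interface it came in on.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      routeback

# /etc/shorewall/rules
# The first DNAT is the one already in place for outside clients. The second is
# the FAQ 2 addition: rewrite internal clients' connections to the external
# address too. ORIGINAL DEST is pinned to $EXT_IP so ordinary loc->loc SMTP and
# IMAP traffic to any other host is left untouched.
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT     net     loc:$MAIL_SERVER   tcp    25,143        -               $EXT_IP
DNAT     loc     loc:$MAIL_SERVER   tcp    25,143        -               $EXT_IP

# /etc/shorewall/masq
# SNAT only the hairpinned flows (leaving eth0 toward the mail server) to the
# firewall's internal address. Without this the server answers the client
# directly from 192.168.3.2; the client is waiting for a reply from $EXT_IP,
# does not match the packet to its connection, and the handshake never completes.
# SOURCE is the client subnet from the log; widen it to cover all internal subnets.
#INTERFACE           SOURCE          ADDRESS
eth0:$MAIL_SERVER    192.168.1.0/24  $FW_INT_IP
```

Two things to check before relying on this. First, the hairpin rule keys on the literal external address, so with a dynamic address it goes stale every time the address changes: whatever updates the dyndns record also has to rewrite $EXT_IP and run `shorewall restart`, or you sidestep the problem with the approach the Shorewall documentation prefers, split DNS, where an internal resolver answers example.dyndns.org with 192.168.3.2 and internal laptops never cross the firewall at all. Second, because of the SNAT, every hairpinned connection reaches the mail server with source 192.168.3.1: the server's logs lose the real client address, and any relay or access decision the mail server makes on client IP (for instance trusting the firewall's address) now applies to every internal client that connects by the external name. Require authentication on those ports rather than trusting the source address.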
You rock. Shorewall rocks. And I found the answer to the question I will
have once I put a replicated LDAP server onto our DMZ so that the mail
server can function there.
John
On 9/6/07, Tom Eastep <teastep@shorewall.net> wrote:
>
> John Morris wrote:
> >
> > This makes sense, of course, since traffic to and from the same subnet
> > shouldn't be routed. I'm hoping that there will be a way to convince
> > Shorewall to SNAT the packet out before it is DNATted back in, or
> > something, such that this makes sense from a routing standpoint.
>
> Shorewall FAQ 2.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users