Hello,

We are using shorewall-3.0.7-1. I tried the video conference server when it doesn't go via shorewall and that was no problem. Can I upgrade the shorewall version to fix this problem? Our boss needs to use video conference these few days, so this is an emergency.

Thx ~~
On Fri, 2007-11-23 at 11:01 +0800, Wilson Kwok wrote:
> Hello,
>
> We are using shorewall-3.0.7-1, I was tried the video conference
> server doesn't via shorewall that was no problem, can I upgrade
> shorewall version to fix this problem ? our boss need use video
> conference this few days, so this is emergency.

Wilson,

When you are using Open Source software, there are no emergencies. In the case of Shorewall:

a) The software is free.
b) The software comes with no guarantee whatsoever.
c) The people who support the software are unpaid volunteers.

That having been said, your report contains no information that would allow us to help you. The guidelines for reporting problems haven't changed (see http://www.shorewall.net/support.htm#Guidelines); we still need the same information.

Also, it would be helpful to know what standard (if any) the video conference software is based on. Hopefully someone on the list has used similar software and will be willing to help you.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hello Tom,

I made the dump with gzip. Which email address should I send this dump to?

Thx

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Wilson Kwok wrote:
> Hello Tom,
>
> I made the dump with gzip, send this dump to which email address?

Wilson,

http://www.shorewall.net/support.htm#Where tells you where to send your collected problem information.

-Tom
Ok, I sent it to support@shorewall.net.
Wilson Kwok wrote:
> Ok, I sent to support@shorewall.net.

Wilson,

You make it very hard for us to help you.

At http://www.shorewall.net/support.htm#Guidelines, I write:

a) If Shorewall isn't started then /sbin/shorewall start. Otherwise /sbin/shorewall reset.
b) Try making the connection that is failing.
c) /sbin/shorewall dump > /tmp/status.txt
d) Post the /tmp/status.txt file as an attachment compressed with gzip or bzip2.
e) Describe where you are trying to make the connection from (IP address) and what host (IP address) you are trying to connect to.

You did c) AND d). Did you think that a), b) and e) didn't apply to you?

It was three days from the time that Shorewall was last [re]started and when you took the dump. That means that all of the counters in the dump you sent are useless in trying to understand your problem. And without e), we have no clue what we are even looking for in the dump.

Wilson -- THIS IS YOUR PROBLEM, NOT OURS. We can try to help you but it is YOUR boss that expects YOU to solve this problem. We can't do it for you and we can't help you at all if we don't have the information we ask for.

-Tom
Sorry Tom, I sent the dump file to support again.
Will Murnane
2007-Nov-26 07:22 UTC
Re: [Shorewall-users] Port 3001 still have problem
... and then described what connection you were trying to make, yes? That's another step in the process.

On Nov 26, 2007 12:27 AM, Wilson Kwok <leiw324@yahoo.com.hk> wrote:
> Sorry Tom, I sent the dump file to support again.
>
> Tom Eastep <teastep@shorewall.net> wrote:
> e) Describe where you are trying to make the connection from (IP address)
> and what host (IP address) you are trying to connect to.
On Mon, 2007-11-26 at 13:27 +0800, Wilson Kwok wrote:
> Sorry Tom, I sent the dump file to support again.

Wilson,

Are you certain that the Video conferencing software that you are using is compatible with NAT? Is there English Language documentation about this software?

In the dump, I see the following:

Chain eth1_in (1 references)
 pkts bytes target  prot opt in  out  source      destination
    1    92 DNAT    all  --  *   *    0.0.0.0/0   w.x.y.114    to:192.168.0.103
    0     0 DNAT    all  --  *   *    0.0.0.0/0   w.x.y.115    to:192.168.0.2
    1    48 DNAT    all  --  *   *    0.0.0.0/0   w.x.y.116    to:192.168.0.18

So one connection request to w.x.y.116 was made (Good). I also see:

tcp 6 431993 ESTABLISHED src=p.q.r.79 dst=w.x.y.116 sport=1640 dport=3000 packets=119 bytes=6682 src=192.168.0.18 dst=p.q.r.79 sport=3000 dport=1640 packets=72 bytes=16950 [ASSURED] use=1

That means that your home system (p.q.r.79) has established a connection to the server (w.x.y.116) on port 3000.

So the initial connection is being made and I don't see any other failed connection attempts. So it may be the case that the server is inviting the client to open another connection on a dynamic port but because the server is NATed, it is inviting the client to connect to 192.168.0.18 (the server's real IP).

-Tom
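Added example (not part of Tom's message and not Shorewall code): a small Python parser for the conntrack lines of a `shorewall dump`, showing how the original and reply tuples reveal the DNAT to 192.168.0.18 and how to check whether any tracked connection targets port 3001. The first sample line is the entry quoted above with its redacted addresses, the second is constructed, and all function names are this example's own.

```python
import re

# First line: the conntrack entry quoted in the message above, addresses as the
# poster redacted them. Second line: constructed for contrast (an outbound,
# source-NATed DNS query that has not been answered yet).
SAMPLE_CONNTRACK = """\
tcp 6 431993 ESTABLISHED src=p.q.r.79 dst=w.x.y.116 sport=1640 dport=3000 packets=119 bytes=6682 src=192.168.0.18 dst=p.q.r.79 sport=3000 dport=1640 packets=72 bytes=16950 [ASSURED] use=1
udp 17 25 src=192.168.0.2 dst=p.q.r.53 sport=32768 dport=53 packets=1 bytes=60 [UNREPLIED] src=p.q.r.53 dst=w.x.y.115 sport=53 dport=32768 packets=0 bytes=0 use=1
"""

TUPLE_KEY = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into its original and reply tuples."""
    fields = line.split()
    keys = TUPLE_KEY.findall(line)
    if len(fields) < 4 or len(keys) < 8:
        return None  # not a port-based conntrack entry (blank line, ICMP, ...)
    orig, reply = dict(keys[:4]), dict(keys[4:8])
    return {
        "proto": fields[0],
        # TCP entries carry a state word before the first tuple; UDP ones do not.
        "state": fields[3] if "=" not in fields[3] else None,
        "orig": orig,
        "reply": reply,
        # The reply comes from the host that really received the packet, so a
        # reply source that differs from the original destination means DNAT.
        "dnat_to": reply["src"] if reply["src"] != orig["dst"] else None,
        # Likewise, replies addressed to something other than the original
        # source mean the source was rewritten (SNAT/masquerade).
        "snat_to": reply["dst"] if reply["dst"] != orig["src"] else None,
        "replied": "[UNREPLIED]" not in fields,
    }


def parse_dump(text):
    """Parse every recognisable conntrack line in a block of dump text."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def inbound_to(entries, public_ip, port):
    """Entries whose original direction targets public_ip:port."""
    return [e for e in entries
            if e["orig"]["dst"] == public_ip and e["orig"]["dport"] == str(port)]


def summarize(entries, public_ip, ports):
    """Map each port to the hosts that answered for it (empty list = none seen)."""
    return {p: sorted({e["dnat_to"] or e["orig"]["dst"]
                       for e in inbound_to(entries, public_ip, p)})
            for p in ports}


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_CONNTRACK)
    # Port 3000 is tracked and translated; port 3001 has no entry at all.
    print(summarize(entries, "w.x.y.116", [3000, 3001]))
```

An empty list for a port means the connection table holds no entry for it, which is the situation the message above describes for anything other than port 3000.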
Wilson Kwok
2007-Nov-26 16:44 UTC
Re: Port 3001 still have problem
Yes, I know that port 3000 can be established, but port 3001 still fails..., and I tried another Linux open-source firewall that also gave no response ....
Tom Eastep
2007-Nov-26 16:46 UTC
Re: Port 3001 still have problem
On Tue, 2007-11-27 at 00:44 +0800, Wilson Kwok wrote:
> Yes, I know that 3000 port can established, but the 3001 port still
> fail... , and
> I was tried another Linux opensource firewall that also no
> response ....

Wilson,

There is NO evidence that an attempt to connect to port 3001 is even being made!

So I ask again -- DOES THIS SOFTWARE WORK WITH NAT?

-Tom
Wilson Kwok
2007-Nov-26 23:31 UTC
Re: Port 3001 still have problem
>> DOES THIS SOFTWARE WORK WITH NAT?

I will ask the vendor today.
Tom Eastep
2007-Nov-26 23:52 UTC
Re: Port 3001 still have problem
Wilson Kwok wrote:
>>> DOES THIS SOFTWARE WORK WITH NAT?
> I will ask vendor at today.

Thanks -- and any documentation about how to make it work with NAT would be useful.

Again -- I see no evidence that a second connection request is being sent from the client to the firewall. And a firewall can't forward a connection that it doesn't receive.

-Tom
Wilson Kwok
2007-Nov-27 04:25 UTC
Re: Port 3001 still have problem
Tom,

1. I asked the vendor; they had set up this video conference software in other companies and there was no problem with NAT.

2. Because the video conference software can use a web interface for client login, the server side requires Windows IIS for it. The default port number is 8080, and that was no problem to access from my home, but after changing it to 3001 I cannot access the web interface from my home. Even when I changed a.b.c.105 to port 3001 it was the same problem, and I asked our ISP and they said they do not block any ports.

I think something blocked port 3001 ... (I think there is no need to ask them for the document)

Thx !!!
Tom Eastep
2007-Nov-27 15:09 UTC
Re: Port 3001 still have problem
Wilson Kwok wrote:
> Tom,
>
> 1. I asked the vendor that they had setup this video conference software in
> others company was no problem with NATed.
>
> 2. Because the video conference software can use web-interface for
> client login , so server side required Windows IIS for it, the default
> port number is 8080 that was no problem access from my home, but changed
> to 3001 that cannot access web-interface from my home, even I changed
> a.b.c.105 to 3001 port was same problem, and I asked our ISP they said
> do not block any ports.
>
> I think something blocked 3001 port ... (I think no need ask them for
> document)

Okay,

On your firewall:

a) tcpdump -nvvi eth1 port 3001
b) try to connect

What do you see from tcpdump? If you see packets from tcpdump, then repeat, specifying eth0 in the tcpdump command. What do you see there?

-Tom