Michael Weickel - iQom Business
2008-Feb-28 01:05 UTC
from LAN through local eth1 to public eth0 and back to LAN through local eth1
Hey there,

I am trying to do as described in the subject. I am using 3.0.8. I think it's a known problem but I cannot find anything on shorewall.net.

I have two MX in the LAN. Both are connecting through shorewall's local eth1 to the internet. I am sure that you know from now on what it is about. When MX01 (with local source) tries to connect to MX02 (to the public IP) the traffic will end at eth1 (local port). Nothing arrives when I do tcpdump or else on eth0 (public port).

I have tried to use a subnet in masq like "eth0 eth1:mx02" and in addition I have tried to do "eth0 ip-of-mx02". Nothing seems to be working for my needs. I am sure that the great shorewall has a good solution to handle this but I do not find it.

Ok, I can make life easier and install an additional NIC, but I am very interested if there is a solution or not. Is there anybody out there who can help with that issue?

Thanks a lot.

Cheers
Michael

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2008-Feb-28 01:18 UTC
Re: from LAN through local eth1 to public eth0 and back to LAN through local eth1
Michael Weickel - iQom Business wrote:
> Is there anybody out there who can help with that issue?

This is Shorewall FAQ 2 -- only on port 25 rather than port 80.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
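The FAQ 2 pattern Tom points at, written out here as an added example for the Shorewall 3.0.x column layout (constructed for this thread, not taken from the list post or the Shorewall FAQ text). It assumes the usual two-interface layout with zone `net` on eth0 and zone `loc` on eth1, MX02 at the constructed address 192.168.1.2 behind the constructed public address 203.0.113.10, and 192.168.1.254 as the firewall's own eth1 address; the `net` DNAT rule and the eth0 masq entry are assumed to exist already.

```conf
# /etc/shorewall/rules  (Shorewall 3.0.x columns)
#ACTION  SOURCE  DEST              PROTO  DEST   SOURCE  ORIGINAL
#                                         PORT   PORT    DEST
# Assumed existing rule: inbound SMTP from the Internet to MX02
# via its public address.
DNAT     net     loc:192.168.1.2   tcp    25     -       203.0.113.10
# Added for FAQ 2: an SMTP connection from the LAN to the public
# address is rewritten to MX02's local address as well, so the
# packet no longer dies on eth1 as seen in the tcpdump.
DNAT     loc     loc:192.168.1.2   tcp    25     -       203.0.113.10

# /etc/shorewall/masq
#INTERFACE  SUBNET           ADDRESS
# Assumed existing entry: LAN traffic leaving eth0 is masqueraded
# behind the public address.
eth0        192.168.1.0/24
# Added for FAQ 2: LAN traffic the firewall hairpins back out eth1
# is SNATed to the firewall's own eth1 address. Without this MX02
# would answer MX01 directly on the LAN; MX01 expects its reply
# from 203.0.113.10, not 192.168.1.2, and the half-translated
# connection never completes.
eth1        192.168.1.0/24   192.168.1.254
```

With the masq entry in place MX02 sees every hairpinned connection as coming from 192.168.1.254 rather than from MX01, so its mail log and any per-client SMTP restrictions only ever see the firewall's address. The /etc/hosts and nsswitch approach discussed later in the thread keeps the traffic on the LAN and avoids that side effect.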
Tom Eastep
2008-Feb-28 01:24 UTC
Re: from LAN through local eth1 to public eth0 and back to LAN through local eth1
Tom Eastep wrote:
> Michael Weickel - iQom Business wrote:
>> Is there anybody out there who can help with that issue?
>
> This is Shorewall FAQ 2 -- only on port 25 rather than port 80.

That having been said, a simple solution would be to add an entry in /etc/hosts on each MX mapping the other MX name to its LOCAL IP address.

-Tom
Michael Weickel - iQom Business
2008-Feb-28 01:48 UTC
Re: from LAN through local eth1 to public eth0 and back to LAN through local eth1
Great! It works.

/etc/hosts is no solution due to the fact that MX will first have a look in DNS. But, initiated from local, that is a really good hint, though it feels a little bit dirty :-) I have done it with shorewall and it is temporarily a good solution. After all I will install a separate DMZ NIC to be sure with everything.

Again a thousand thanks for answering so fast.

Cheers
Michael

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, 28 February 2008 02:24
To: Shorewall Users
Subject: Re: [Shorewall-users] from LAN through local eth1 to public eth0 and back to LAN through local eth1

Tom Eastep wrote:
> Michael Weickel - iQom Business wrote:
>> Is there anybody out there who can help with that issue?
>
> This is Shorewall FAQ 2 -- only on port 25 rather than port 80.

That having been said, a simple solution would be to add an entry in /etc/hosts on each MX mapping the other MX name to its LOCAL IP address.

-Tom
Tom Eastep
2008-Feb-28 02:08 UTC
Re: from LAN through local eth1 to public eth0 and back to LAN through local eth1
Michael Weickel - iQom Business wrote:
> Great! It works. /etc/hosts is no solution due to the fact that MX will
> first have a look in DNS.

That's under your control -- see /etc/nsswitch.conf

-Tom
Simon Matter
2008-Feb-28 07:04 UTC
Re: from LAN through local eth1 to public eth0 and back to LAN through local eth1
> Michael Weickel - iQom Business wrote:
>> Great! It works. /etc/hosts is no solution due to the fact that MX will
>> first have a look in DNS.
>
> That's under your control -- see /etc/nsswitch.conf

That's true for most services, but there are exceptions like the postfix MTA, which has its own way of doing name resolution which by default doesn't care about any system configuration. For postfix to use the system configuration one has to do 'disable_dns_lookups = yes', which means it can still use DNS that way but will do it through the system's resolver.

Simon