I am having a problem getting DNAT to work! I have a wide open firewall (oxymoron?) with 2 zones. All zones are set to ACCEPT! I have the rule:

Telnet/DNAT:info   net   loc:10.223.8.10

which *starts* to work but never does the forward. Here is the result from the log:

Mar 11 16:33:52 mail kernel: [21357.980000] Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 SRC=*hidden_ip* DST=*hidden_ip* LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=21161 DF PROTO=TCP SPT=13701 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0

It says DNAT, has my source IP and the internet IP of the server. I am connecting from a separate internet connection.

My goal is that I will change the 'net' to 'net:remote_ip' so that telnet will only be accepted from that one IP address. I would also like to DNAT ssh to various machines by different incoming ports BUT I can't even get this NAT to work.

Ubuntu 7.10. I have set 'IP_FORWARDING=On' in shorewall.conf; it was originally at "IP_FORWARDING=Keep".

Any help would be awesome. Thanks
dan wrote:
> any help would be awesome. thanks

Please follow the troubleshooting steps in Shorewall FAQs 1a and 1b.

-Tom

PS Are you *sure* that you want to use telnet across the internet? It's a very silly thing to do from a security point of view, which is why SSH was invented.

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom, I did go through the FAQs 1a and 1b but will try again; maybe a night's sleep will improve my view.

Unfortunately my software vendor for some old software on an alpha server can only use telnet and ftp to do updates and maintenance on my ancient software system. I protested a great deal about having open telnet access but they gave me an ultimatum of "give us access the way we want" or "we won't support your old software and you're on your own with our proprietary poorly designed junk". I may have taken some liberties on quoting their response :)

I will at least limit the DNAT to their IP address as the source. I was thinking of putting some kind of ssh/terminal emulator in a browser but I need VT400 emulation which I can't find in a java terminal emulator. The vendor is afraid of putty for some reason :( and won't use a VPN to get to me :(

On Tue, Mar 11, 2008 at 4:53 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Please follow the troubleshooting steps in Shorewall FAQs 1a and 1b.
>
> PS Are you *sure* that you want to use telnet across the internet? It's a
> very silly thing to do from a security point of view which is why SSH was
> invented.
more info

Tom: again, I went through that part of the FAQ. I noticed that my OUT= in the logs is blank. Shouldn't that be my interface for 'loc' since the route is set for a destination of loc:10.223.8.10? Here:

Shorewall:net2fw:DROP:IN=eth1 *OUT=* MAC=00:e0:81:75:54:8f:00

Here is my interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        auto        routeback
net     eth1        auto
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

and my rules:

SECTION NEW
Telnet/DNAT:info   net   loc:10.223.8.10
FTP/DNAT:info      net   loc:10.223.8.10
DROP:info          net   all   tcp   3128
DROP:info          net   all   udp   3128
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

and my policy:

fw    loc   ACCEPT
fw    net   ACCEPT
loc   fw    ACCEPT
loc   net   ACCEPT
net   loc   ACCEPT
net   fw    ACCEPT
#LAST LINE -- DO NOT REMOVE

I know, policy is not an acceptable default but I didn't want the REJECT on net -> fw and net -> loc to get in the way during my troubleshooting.
more info.

When I start shorewall, I see this:

Determining Hosts in Zones...
   loc Zone: eth0:0.0.0.0/0
   net Zone: eth1:0.0.0.0/0

Is that an issue? My loc is a private network 10.223.8.0. Shouldn't the loc Zone: have eth0:10.223.8.0/23? The net Zone: should have 0.0.0.0/0, right?

What also stands out is that in the messages list where it says MAC= I get

MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00

and as I understand it, the first 6 octets are the 'first destination' and the second 6 octets are the 'NATed destination'. Problem is that the second 6 octets are to an IP address on my "net" interface. So says arp. ?!? My rule clearly says from=net to=loc:10.223.8.10, why would this try to go out the net interface? Unless my interfaces are not set up right.. I have tried putting the broadcast address in for the network interfaces from ifconfig, I have tried putting 'detect' in, still the same result. No OUT= and a destination in MAC= that is on the wrong interface.

Thanks for any help.
dan wrote:
> more info
>
> Tom: again, I went through that part of the FAQ. I noticed that my
> OUT= in the logs is blank. shouldn't that be my interface for 'loc'
> since the route is set for a destination of loc:10.223.8.10?
> here:
>
> Shorewall:net2fw:DROP:IN=eth1 *OUT=* MAC=00:e0:81:75:54:8f:00

Without any context, I can't answer your question. But that request came from the net and was destined for an IP address on your firewall. Therefore, OUT is empty. If that message includes "DST=10.223.8.10", then your DNAT rule has the wrong server IP address in the DEST column.

> here is my interfaces:

From http://www.shorewall.net/support.htm#Guidelines:

Please do not include Shorewall configuration files unless you have been specifically asked to do so. The output of *shorewall dump* collected as described above is much more useful.

> #ZONE INTERFACE BROADCAST OPTIONS
> loc eth0 auto routeback
> net eth1 auto
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> and my rules:
>
> SECTION NEW
> Telnet/DNAT:info net loc:10.223.8.10
> FTP/DNAT:info net loc:10.223.8.10
> DROP:info net all tcp 3128
> DROP:info net all udp 3128
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The above assumes that the IP address of the ALPHA is 10.223.8.10 and that it is connected through eth0. It also assumes that the ALPHA's default gateway is configured with the IP address of eth0.

> and my policy:
>
> fw loc ACCEPT
> fw net ACCEPT
> loc fw ACCEPT
> loc net ACCEPT
> net loc ACCEPT
> net fw ACCEPT
> #LAST LINE -- DO NOT REMOVE
>
> i know, policy is not an acceptable default but i didn't want the REJECT
> on net -> fw and net -> loc to get in the way during my troubleshooting.

From http://www.shorewall.net/troubleshoot.htm:

I also recommend against setting all of your policies to ACCEPT in an effort to make something work. That robs you of one of your best diagnostic tools - the “Shorewall” messages that Netfilter will generate when you try to connect in a way that isn't permitted by your rule set.

If the above doesn't help, then please:

a) Set up your system the way that you believe it should be. No logging of ACCEPT and with the appropriate policies.
b) Try to connect from the net using telnet.
c) "shorewall dump" > dump.txt

Send the dump.txt as an attachment to support@shorewall.net. Include:

a) The IP address of the system that you tried to connect from.
b) The IP address that you tried to connect to (don't use DNS names).
c) Describe what happened (connection refused? timeout? firewall exploded in flames? Other?).

Thanks,
-Tom
dan wrote:
> more info.
> when i start shorewall, i see this:
>
> Determining Hosts in Zones...
> loc Zone: eth0:0.0.0.0/0 <http://0.0.0.0/0>
> net Zone: eth1:0.0.0.0/0 <http://0.0.0.0/0>

Would you please post in plain text? HTML is for web pages; email should be plain text. Your mailer has a particularly annoying habit of trying to make HTML links out of everything that it thinks is an IP address; extremely annoying. I edited them out of my last response but I'm leaving them in here so you too can enjoy them.

> is that an issue? my loc is a private network 10.223.8.0
> <http://10.223.8.0>. shouldn't the loc Zone: have eth0:10.223.8.0/23
> <http://10.223.8.0/23>? the net Zone: should have 0.0.0.0/0
> <http://0.0.0.0/0> right?

This is Shorewall FAQ 9.

> what also stands out is that in the messages list where it says MAC= i get
>
> MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00
> and as i understand it, first 6 or 'first destination' and the second 6
> octets are the 'NATed destination' problem is that the second 6 octets
> are to an ip address on my "net" interface. so says arp. ?!? my rule
> clearly says from=net to=loc:10.223.8.10 <http://10.223.8.10>, why would
> this try to go out the net interface?

What you are seeing is the Ethernet header from the INCOMING request. See Shorewall FAQ 6d.

> unless my interfaces are not
> setup right.. i have tried putting the broadcast address in for the
> network interfaces from ifconfig, i have tried putting 'detect' in,
> still the same result. no OUT= and a destination in MAC= that is on the
> wrong interface.

As I explained in my last message, that is an INCOMING request whose destination IP address is that of the firewall. If you think it should have been forwarded to an internal system then your DNAT rule isn't matching what is actually coming in; or, as I mentioned in my earlier post, the server address 10.223.8.10 is wrong.

-Tom
ok, my setup is slightly different. Per this statement here:

"The above assumes that the IP address of the ALPHA is 10.223.8.10 and that it is connected through eth0. It also assumes that the ALPHA's default gateway is configured with the IP address of eth0."

The alpha is definitely on the loc interface with the IP 10.223.8.10 BUT it does *not* have a default gateway of this machine. It has a default gateway to another router connected to a private WAN.

As a side note, the eth0 interface has IP 10.223.8.7. This machine does not act as a gateway to the network. It is an email server BUT it is the only device that has an internet accessible IP address (as the private network filters email); all others go through a private WAN to connect, which is controlled by people outside of my department, so I must route incoming connections through this device including the alpha in question BUT it is not the internet gateway.

Would that really matter though? It doesn't look like the shorewall server is ever even trying to connect to the private network.

On Wed, Mar 12, 2008 at 9:21 AM, Tom Eastep <teastep@shorewall.net> wrote:
> As I explained in my last message, that is an INCOMING request whose
> destination IP address is that of the firewall. If you think it should have
> been forwarded to an internal system then your DNAT rule isn't matching what
> is actually coming in; or, as I mentioned in my earlier post, the server
> address 10.223.8.10 is wrong.
dan wrote:
> ok, my setup is slightly different. per this statement here:
> "The above assumes that the IP address of the ALPHA is 10.223.8.10 and
> that it is connected through eth0. It also assumes that the ALPHA's
> default gateway is configured with the IP address of eth0."
>
> the alpha is definitely on the loc interface with the ip 10.223.8.10
> BUT it does *not* have a default gateway of this
> machine. it has a default gateway to another router connected to a
> private wan.

So you have just been ignoring this part of the response to Shorewall FAQ:

You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it should be set to the IP address of your firewall's internal interface).

I'm afraid I've spent all of the time that I can afford on this issue this morning; time to get to my real job. But IT DOES MATTER that the response packets are going out through another router and it won't work unless you add an SNAT hack on the Shorewall box. Although, it looks like you have another problem too but I won't know what that is until you follow my instructions for gathering documentation that I sent previously.

-Tom
Tom Eastep wrote:
> dan wrote:
>> the alpha is definitely on the loc interface with the ip 10.223.8.10
>> BUT it does *not* have a default gateway of this
>> machine. it has a default gateway to another router connected to a
>> private wan.
>
> So you have just been ignoring this part of the response to Shorewall FAQ:

That's FAQ 1a.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> So you have just been ignoring this part of the response to Shorewall
>> FAQ:
>
> That's FAQ 1a.

Dan,

Please see http://www1.shorewall.net/FAQ.htm#faq1f

It explains why the default gateway on the server matters and how you can work around the problem.

-Tom
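Tom's two diagnostic points in this thread (an empty OUT= on a filter-table message means the packet was delivered to the firewall itself, and MAC= is the incoming Ethernet header rather than a NAT destination; and a DNAT target whose default gateway is not the firewall will never answer) can be applied mechanically to the log lines. The following Python script is an added example, not Shorewall's code nor anything posted in the thread; it assumes the firewall's own addresses are 203.0.113.5 (eth1) and 10.223.8.7 (eth0) and uses constructed sample lines modelled on the ones quoted above.

```python
import re

# Constructed sample lines modelled on the messages quoted in this thread.
# Public addresses are RFC 5737 documentation placeholders, not the poster's.
# Assumed: the firewall's eth1 address is 203.0.113.5 and its eth0 is 10.223.8.7.
FIREWALL_IPS = {"203.0.113.5", "10.223.8.7"}
DNAT_TARGET = "10.223.8.10"

PREROUTING_LINE = (
    "Mar 11 16:33:52 mail kernel: [21357.980000] Shorewall:net_dnat:DNAT:"
    "IN=eth1 OUT= MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 "
    "SRC=198.51.100.20 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 "
    "ID=21161 DF PROTO=TCP SPT=13701 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0")
INPUT_DROP_LINE = (
    "Mar 12 08:15:01 mail kernel: [21400.120000] Shorewall:net2fw:DROP:"
    "IN=eth1 OUT= MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 "
    "SRC=198.51.100.20 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 "
    "ID=21162 DF PROTO=TCP SPT=13702 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0")
FORWARD_LINE = (
    "Mar 12 08:16:40 mail kernel: [21500.500000] Shorewall:net2loc:ACCEPT:"
    "IN=eth1 OUT=eth0 MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 "
    "SRC=198.51.100.20 DST=10.223.8.10 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
    "ID=21163 DF PROTO=TCP SPT=13703 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0")

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")


def parse_line(line):
    """Split a Shorewall/Netfilter log line into chain, disposition, fields, flags."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val          # "OUT=" yields an empty string, as in the thread
        else:
            rec["flags"].add(tok)   # bare tokens such as DF and SYN
    return rec


def decode_mac(field):
    """MAC= is the raw 14-byte Ethernet header of the INCOMING frame (FAQ 6d)."""
    octets = field.split(":")
    if len(octets) != 14:
        raise ValueError("MAC field is not a 14-byte Ethernet header")
    return {
        "dst_mac": ":".join(octets[:6]),    # the firewall's own NIC on IN=
        "src_mac": ":".join(octets[6:12]),  # previous hop (upstream router), not a NAT target
        "ethertype": "0x" + "".join(octets[12:]),
    }


def diagnose(line, firewall_ips=FIREWALL_IPS, dnat_target=DNAT_TARGET):
    """Return (status, explanation) for one log line in the context of a DNAT rule."""
    rec = parse_line(line)
    dst_zone = rec["chain"].partition("2")[2]   # Shorewall names chains <src>2<dst>
    if rec["chain"].endswith("_dnat"):
        # nat PREROUTING runs before routing, so OUT= is always empty here and
        # DST= is still the pre-NAT public address: this line proves nothing yet.
        return "prerouting", "DNAT chain hit before routing; look for a later net2loc line"
    if rec["OUT"] == "" or dst_zone == "fw":
        # Empty OUT= on a filter-table message means local delivery (INPUT), not FORWARD.
        if rec["DST"] in firewall_ips:
            return "not-translated", ("DST is still the firewall's own address, so the "
                                      "DNAT rule did not match or its DEST column is wrong")
        return "local-delivery", "packet was addressed to the firewall itself"
    if rec["DST"] == dnat_target:
        return "forwarded", ("DNAT applied and packet sent out %s; if the client still times "
                             "out, the server's default gateway is not the firewall and its "
                             "replies bypass it (Shorewall FAQ 1f)" % rec["OUT"])
    return "forwarded-other", "forwarded to %s" % rec["DST"]


if __name__ == "__main__":
    for sample in (PREROUTING_LINE, INPUT_DROP_LINE, FORWARD_LINE):
        status, why = diagnose(sample)
        print("%-16s %s" % (status, why))
```

Feed it real kernel log lines one at a time (after substituting your own firewall addresses) to see which of the three situations each one represents.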
Thank you very much Tom, I did not think that the connection was even getting forwarded to the alpha. Problem is solved. Thank you very much.

Tom Eastep wrote:
> Dan,
>
> Please see http://www1.shorewall.net/FAQ.htm#faq1f
>
> It explains why the default gateway on the server matters and how you
> can work around the problem.
>
> -Tom