Hi guys,

I have a problem, so I hope this list can help me.

I have one public IP 200.119.222.122 (Shorewall)
and a DMZ 10.0.1.100/24 (Zimbra mail is running there).

The problem is that one service in dmz:10.0.1.100 is trying to connect to
fw:200.119.222.122 port 7025 because the service "thinks" it is the same
machine, and Shorewall rejects the connection.
How can I make Shorewall forward to the same machine 10.0.0.100 when it
tries to establish a connection to port 7025? I tried different rules like:

    REDIRECT $FW:10.0.1.100 tcp 7025 - 200.119.222.122

or

    DNAT dmz dmz:10.0.1.100:7025 tcp 7025

without success.

This is my configuration:

/etc/shorewall/zones
    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4

/etc/shorewall/interfaces
    net     eth0    detect    routefilter,norfc1918
    loc     eth1    detect
    dmz     eth2    detect

/etc/shorewall/masq
    eth0    eth1
    eth0    eth2

/etc/shorewall/policy
    loc     net     ACCEPT
    loc     dmz     ACCEPT
    dmz     loc     REJECT    ULOG
    dmz     net     REJECT    ULOG
    net     all     DROP      ULOG
    fw      net     ACCEPT
    all     all     REJECT    ULOG

Any help would be greatly appreciated.

Thanks

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Register now and save $200. Hurry, offer ends at 11:59 p.m.,
Monday, April 7! Use priority code J8TLD2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
On Mon, Apr 07, 2008 at 04:26:48PM -0400, Fabricio Vargas wrote:
> I have one public IP 200.119.222.122 (Shorewall)
> and a DMZ 10.0.1.100/24 (zimbra mail is running there)
>
> the problem is one service in dmz:10.0.1.100 is trying to connect
> fw:200.119.222.122 port 7025 because the service "thinks" it is the same
> machine and shorewall rejects the connection.
> How can I make the shorewall forward to the same machine 10.0.0.100 when
> tried to establish the port 7025. I tried different rules like:
>
> REDIRECT $FW:10.0.1.100 tcp 7025 - 200.119.222.122
> or
> DNAT dmz dmz:10.0.1.100:7025 tcp 7025
>
> without success
>
Fabricio, your problem is covered in Shorewall FAQ #2 [0]. Tom (the author
of Shorewall) recommends the following:

    The accessibility problem is best solved using Bind Version 9 "views"
    (or using a separate DNS server for local clients) such that
    www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5
    internally. That's what I do here at shorewall.net for my local
    systems that use one-to-one NAT.

Now, if you decide that you don't want to do that, then you can follow
the instructions for FAQ 2 for a different solution.

Regards,

-Roberto

[0] http://www.shorewall.net/FAQ.htm#faq2

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
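The "views" approach Tom recommends, applied to the OP's addresses, looks like the fragment below. It is an added example for this thread, not Tom's or Roberto's configuration: the zone name example.com, the host name mail, and the ns1 address are placeholders (the thread never names the Zimbra host), and the loc subnet behind eth1 is not given, so it is left as a comment rather than guessed. The point of the split is that the DMZ host (and anything on the inside) resolves the mail host's name to 10.0.1.100 and never tries to reach its own public address, so the firewall needs no hairpin NAT rule at all and port 7025 (Zimbra's LMTP port on the mailbox server) stays unreachable from the Internet.

```text
// named.conf (BIND 9) -- added example, placeholder names; see lead-in
acl "inside" {
    127.0.0.1;
    10.0.1.0/24;        // dmz, from the OP's config
    // add the loc subnet behind eth1 here; it is not given in the thread
};

options {
    directory "/var/cache/bind";
};

// Views are matched top to bottom and the first match wins, so the
// internal view must be listed first. Once any view exists, every zone
// must live inside a view.
view "internal" {
    match-clients { "inside"; };
    recursion yes;                    // inside hosts may use it as a resolver
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                     // do not be an open resolver on the public side
    allow-transfer { none; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};

; internal/example.com.zone -- answers given to "inside" clients
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2008040801 3600 900 604800 300 )
        IN  NS   ns1.example.com.
        IN  MX   10 mail.example.com.
ns1     IN  A    10.0.1.1            ; hypothetical nameserver address
mail    IN  A    10.0.1.100          ; the Zimbra host's DMZ address

; external/example.com.zone -- same names, public address
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2008040801 3600 900 604800 300 )
        IN  NS   ns1.example.com.
        IN  MX   10 mail.example.com.
ns1     IN  A    200.119.222.122     ; hypothetical; only one public IP in the thread
mail    IN  A    200.119.222.122     ; the Shorewall box's public address
```

Two things to check after deploying it: the DMZ host's /etc/resolv.conf must actually point at this server (or a forwarder that reaches the internal view), and the two zone files must be kept in step, since the only intended difference between them is the A records. Run `named-checkconf` and `named-checkzone example.com <file>` on both files before reloading, then confirm from the DMZ host that the mail host's name resolves to 10.0.1.100 and from outside that it resolves to 200.119.222.122.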
On Mon, Apr 07, 2008 at 04:54:01PM -0400, Roberto C. Sánchez wrote:
> Now, if you decide that you don't want to do that, then you can follow
> the instructions for FAQ 2 for a different solution.

I was thinking FAQ 1d... and then I look more closely, and 1d and 2b
appear to be duplicates (except both have a comment or two that the
other lacks). Weird.
Andrew Suffield wrote:
> On Mon, Apr 07, 2008 at 04:54:01PM -0400, Roberto C. Sánchez wrote:
>> Now, if you decide that you don't want to do that, then you can follow
>> the instructions for FAQ 2 for a different solution.
>
> I was thinking FAQ 1d... and then I look more closely, and 1d and 2b
> appear to be duplicates (except both have a comment or two that the
> other lacks). Weird.

I cloned one from the other some time back when people were having
problems finding the original. It appears that they may have diverged
over time (classical problem with cloning).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Suffield wrote:
>> I was thinking FAQ 1d... and then I look more closely, and 1d and 2b
>> appear to be duplicates (except both have a comment or two that the
>> other lacks). Weird.
>
> I cloned one from the other some time back when people were having
> problems finding the original. It appears that they may have diverged
> over time (classical problem with cloning).

FAQ 1d now links to 2b; no duplication.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
My 2 cents,

If your problem can't be solved with DNS and you really need it, you can:

1 - put 'routeback' on interfaces to your dmz
2 - put a rule like (see the last parameter):

    DNAT dmz dmz:10.0.1.100 tcp 7025 - 200.119.222.122

Fabricio Vargas wrote:
> I have one public IP 200.119.222.122 (Shorewall)
> and a DMZ 10.0.1.100/24 (zimbra mail is running there)
>
> the problem is one service in dmz:10.0.1.100 is trying to connect
> fw:200.119.222.122 port 7025 because the service "thinks" it is the same
> machine and shorewall rejects the connection.
> How can I make the shorewall forward to the same machine 10.0.0.100 when
> tried to establish the port 7025. I tried different rules like:
>
> REDIRECT $FW:10.0.1.100 tcp 7025 - 200.119.222.122
> or
> DNAT dmz dmz:10.0.1.100:7025 tcp 7025
>
> without success
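Christian's two steps written out against the OP's own files, as an added example for this thread (it is not Christian's or the Shorewall project's text). It also adds the masq entry that Shorewall FAQ 2 uses for the same-zone case: when client and server are the same host, the DNATed SYN would otherwise be answered by 10.0.1.100 to itself without the reply ever crossing the firewall, and the client socket, which is waiting for a reply from 200.119.222.122, would never see it. Two details worth noticing: REDIRECT is for sending traffic to a port on the firewall itself, which is why the OP's first attempt cannot reach a DMZ host, and the ORIGINAL DEST column (the last parameter Christian points at) restricts the rewrite to connections aimed at the public address; without it, the OP's second attempt would have redirected every dmz-to-dmz connection to port 7025.

```text
# /etc/shorewall/interfaces -- 'routeback' lets a connection that arrived
# on eth2 be forwarded back out eth2 (dmz -> dmz); without it Shorewall
# generates no forwarding rules for that path and the policy rejects it.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918
loc     eth1        detect
dmz     eth2        detect      routeback

# /etc/shorewall/rules -- rewrite only what is aimed at the PUBLIC address,
# and only from the dmz zone. Keep SOURCE narrow: widening it to 'all' or
# 'net' would expose 7025 to the Internet, which the net->all DROP policy
# currently prevents.
#ACTION  SOURCE  DEST             PROTO  DEST     SOURCE   ORIGINAL
#                                        PORT(S)  PORT(S)  DEST
DNAT     dmz     dmz:10.0.1.100   tcp    7025     -        200.119.222.122

# /etc/shorewall/masq -- hairpin case (from FAQ 2, adapted to eth2):
# SNAT dmz-sourced traffic that is being forwarded back out eth2 towards
# 10.0.1.100, so the server answers the firewall's eth2 address and the
# reply is un-NATed on the way back. The 'eth2:10.0.1.100' destination
# qualifier keeps the SNAT limited to this one server.
#INTERFACE          SOURCE
eth0                eth1
eth0                eth2
eth2:10.0.1.100     10.0.1.0/24
```

Run `shorewall check` before `shorewall restart`, then from 10.0.1.100 open a TCP connection to 200.119.222.122 port 7025 and watch `shorewall show nat` and `shorewall show connections` on the firewall: the entry should show the destination rewritten to 10.0.1.100 and the source rewritten to the firewall's eth2 address. If the DNS fix from Tom's FAQ answer is applied instead, none of these three changes is needed, which is the stronger position: no hairpin NAT state, and no DNAT rule to widen by mistake later.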
Thanks to everybody

On Tue, 08-04-2008 at 09:04 -0300, Christian V R Lopes wrote:
> My 2 cents,
>
> If your problem can't be solved with DNS and you really need it you can:
> 1 - put 'routeback' on interfaces to your dmz
> 2 - put a rule like (see the last parameter):
> DNAT dmz dmz:10.0.1.100 tcp 7025 - 200.119.222.122

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users