Greetings all,

I switched our firewall from a script I maintained to Shorewall. (Version is 3.2.6 - it was what was available the easy way with Debian.) Everything is fine except for traffic to one site that is behind the firewall, and only when it comes from inside, not from the outside.

The firewall has 5 addresses; 3 are occupied by websites (2 of which are SSL enabled) that run on that machine. (eth0, :1, :2, etc. on the internet side, and eth1 is 10.1.1.2 on the LAN side.)

We just added another machine, but it's running on a W2K3 Server that is behind the firewall on the local network @ 10.1.1.3. To complicate matters slightly, there is also a Squid server on the same machine. (This server and firewall will be split up, but not for some time yet.)

From outside of the network I can access the site running on 70.61.215.101, which DNATs to 10.1.1.3. From inside of the network it does forward the traffic to 70.61.215.101, but it does not further relay that to 10.1.1.3. I can have the locally running Apache service listen on that address and it answers requests from the inside, but it normally does not listen on that address.

The site is running a product called Moveit and it uses SSL, so there would be a nag screen when the certificates are installed if we access it by its internal IP - which I am trying to avoid.

Is it possible to further route this traffic, avoiding the proxy server and without mangling this up too bad?

I have attached the output of 'shorewall dump' to this message.

Thanks everyone.

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference. Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Mark Rutherford wrote:
> From outside of the network I can access the site running on
> 70.61.215.101 that DNATs to 10.1.1.3
> From inside of the network it does forward the traffic to
> 70.61.215.101, but it does not further relay that to 10.1.1.3
> I can have the locally running Apache service listen on that address and
> it answers requests from the inside, but it normally does not listen on
> that address.
> The site is running a product called Moveit and it uses SSL, so there
> would be a nag screen when the certificates are installed
> if we access it by its internal IP - which I am trying to avoid.

This is Shorewall FAQ 2.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
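FAQ 2 is the "reach a DNATed server from the LAN by its public address" case. The fragment below is an added illustration written for this thread, not Tom's text or the Shorewall project's own FAQ, using the addresses from Mark's post; it assumes port 443 (MOVEit is an SSL site), eth1 as the loc interface with 10.1.1.0/24 behind it, and the Shorewall 3.2 column layout.

```text
# /etc/shorewall/rules
#ACTION   SOURCE   DEST           PROTO  DEST     SOURCE   ORIGINAL
#                                        PORT(S)  PORT(S)  DEST
# Rule already in place: Internet clients reach MOVEit on the public address.
DNAT      net      loc:10.1.1.3   tcp    443      -        70.61.215.101
# FAQ 2: let LAN clients use the same public address. With loc as the
# source zone, traffic arriving on eth1 for 70.61.215.101:443 is also
# rewritten to 10.1.1.3, so no hosts file or internal IP is needed.
DNAT      loc      loc:10.1.1.3   tcp    443      -        70.61.215.101

# /etc/shorewall/masq
#INTERFACE  SUBNET        ADDRESS
# Hairpin case: the LAN client and 10.1.1.3 share a subnet, so without this
# entry the server would answer the client directly from 10.1.1.3; the client
# is talking to 70.61.215.101 and would discard that reply. Masquerading
# LAN-to-LAN traffic that leaves on eth1 forces the reply back through the
# firewall, at the cost of the server logging 10.1.1.2 as the client address.
eth1        10.1.1.0/24

# /etc/shorewall/interfaces (check): eth1 needs the routeback option, or
# Shorewall will not forward traffic that enters and leaves on eth1.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      routeback
```

Because the DNAT matches port 443 only, it does not interfere with a Squid REDIRECT rule for port 80; if the site were also served on port 80, the DNAT rule would have to precede the REDIRECT rule, since the first matching rule wins.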
Mark Rutherford wrote:
> The site is running a product called Moveit and it uses SSL, so
> there would be a nag screen when the certificates are installed
> if we access it by its internal IP - which I am trying to avoid.

As Tom says, it's in the FAQs. But if you set up split DNS then you can work around this very easily. You just need a DNS server internally that is used by the internal clients and which resolves the FQDN of the server to the internal IP - then your certificate (which I assume is issued for the domain name) will work fine. It's not hard to set up, and works transparently - i.e. both internal and external users can access the server at the same URL.
Doh! Missed it.... must have had a senior moment. I apologize.

I got the Squid example from one of the FAQs and it worked great. The real answer to this (at least for me) was to have this outside of the firewall sitting by its lonesome, but someone else wanted it this way. I can take the horse to the water; I can't make him drink it.

I will try the DNS workaround and see what that gets me. I never thought of that either, another senior moment :(

Thanks a lot guys, you're lifesavers.

Tom Eastep wrote:
> Mark Rutherford wrote:
>
>> From outside of the network I can access the site running on
>> 70.61.215.101 that DNATs to 10.1.1.3
>> From inside of the network it does forward the traffic to
>> 70.61.215.101, but it does not further relay that to 10.1.1.3
>> I can have the locally running Apache service listen on that address
>> and it answers requests from the inside, but it normally does not
>> listen on that address.
>> The site is running a product called Moveit and it uses SSL, so there
>> would be a nag screen when the certificates are installed
>> if we access it by its internal IP - which I am trying to avoid.
>
> This is Shorewall FAQ 2.
>
> -Tom
On Thu, Apr 24, 2008 at 11:51:44PM -0400, Mark Rutherford wrote:
> Greetings all,
>
> I switched our firewall from a script I maintained to Shorewall.
> (Version is 3.2.6 - was what was available the easy way with Debian)
> Everything is fine except for traffic to one site that is behind the
> firewall, and not from the outside.
>

I maintain packages for Etch here: http://people.connexer.com/~roberto/debian/

They are always the most up to date. Or, you can grab the Sid packages and install them with 'dpkg -i *.deb', since they don't have any dependencies that can't be satisfied in Etch.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com