Linux HA cluster, external address 87.237.68.169, which forwards incoming HTTP requests to one of two real servers (same problem on both). This example is real server 10.0.0.22. HTTP requests received by this server in this way are being rejected with INPUT:REJECT. Source of HTTP request was 87.243.200.155.

Shorewall dump attached; grateful for any help. Apologies if I've done something stupid.

Keith

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Keith Edmunds wrote:
> Linux HA cluster, external address 87.237.68.169, which forwards incoming
> HTTP requests to one of two real servers (same problem on both). This
> example is real server 10.0.0.22. HTTP requests received by this server in
> this way are being rejected with INPUT:REJECT. Source of HTTP request was
> 87.243.200.155.
>
> Shorewall dump attached; grateful for any help. Apologies if I've done
> something stupid.

Please either send us a copy of the log messages you are seeing or set LOGFILE correctly and get us another dump that includes those log messages. Without the log messages, the dump is useless.

------------------------------------------------------------------------------
> Please either send us a copy of the log messages

Apologies, I hadn't realised that LOGFILE was set incorrectly. Here's an example entry:

Jan 15 16:45:10 web2 kernel: Shorewall:INPUT:REJECT:IN=bond0 OUT= MAC=00:30:48:67:2a:3e:00:30:48:67:25:44:08:00 SRC=87.243.200.155 DST=10.0.0.22 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1565 DF PROTO=TCP SPT=45228 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

------------------------------------------------------------------------------
Keith Edmunds wrote:
>> Please either send us a copy of the log messages
>
> Apologies, I hadn't realised that LOGFILE was set incorrectly. Here's
> an example entry:
>
> Jan 15 16:45:10 web2 kernel: Shorewall:INPUT:REJECT:IN=bond0 OUT=
> MAC=00:30:48:67:2a:3e:00:30:48:67:25:44:08:00 SRC=87.243.200.155
> DST=10.0.0.22 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1565 DF PROTO=TCP
> SPT=45228 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

This packet arrived on bond0 with a source IP address of 87.243.200.155. bond0 is associated with the 'loc' zone but only for IP addresses 10.0.0.0/24. So this packet came into the firewall on bond0 but was not from the loc zone. Since 'loc' is the only zone defined on bond0, the packet fell out of the bond0_in chain and was dropped in the INPUT chain.

------------------------------------------------------------------------------
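Added example, not part of the original thread: a short Python script that replays the zone lookup described in the reply above against the posted log entry. The ZONE_HOSTS table is an assumption modelled on that reply (loc on bond0, 10.0.0.0/24 only), not taken from the attached dump, and the 10.0.0.40 source is constructed for contrast.

```python
import ipaddress
import re

# Assumed zone layout, modelled on the reply above: 'loc' is the only zone
# on bond0 and covers 10.0.0.0/24 only. Not taken from the poster's dump.
ZONE_HOSTS = {"bond0": {"loc": ["10.0.0.0/24"]}}

# Log entry from the thread (OUT= is empty for traffic addressed to the host).
POSTED = ("Jan 15 16:45:10 web2 kernel: Shorewall:INPUT:REJECT:IN=bond0 OUT= "
          "MAC=00:30:48:67:2a:3e:00:30:48:67:25:44:08:00 SRC=87.243.200.155 "
          "DST=10.0.0.22 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1565 DF PROTO=TCP "
          "SPT=45228 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
# Constructed contrast case: same entry with a source inside 10.0.0.0/24.
CONSTRUCTED = POSTED.replace("SRC=87.243.200.155", "SRC=10.0.0.40")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return (chain, disposition, fields) for a Shorewall kernel log line."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("not a Shorewall log entry")
    return m["chain"], m["disposition"], dict(FIELD.findall(line[m.end():]))


def zones_for(iface, src, zone_hosts=ZONE_HOSTS):
    """Zones on iface whose networks contain src; [] means no zone matched."""
    addr = ipaddress.ip_address(src)
    return [zone for zone, nets in zone_hosts.get(iface, {}).items()
            if any(addr in ipaddress.ip_network(net) for net in nets)]


def explain(line, zone_hosts=ZONE_HOSTS):
    """Summarise which zone, if any, the logged source falls in."""
    chain, disposition, f = parse(line)
    iface, src = f.get("IN", ""), f.get("SRC", "")
    if not iface or not src:
        return f"{chain}:{disposition} entry has no ingress interface or source"
    zones = zones_for(iface, src, zone_hosts)
    where = f"in zone {', '.join(zones)}" if zones else "in no zone defined"
    return f"{chain}:{disposition} {src} is {where} on {iface}"


if __name__ == "__main__":
    print(explain(POSTED))       # source outside every zone on bond0
    print(explain(CONSTRUCTED))  # source inside 'loc'
```

------------------------------------------------------------------------------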
Thanks, that information has enabled me to fix the problem.

May I make a suggestion? I took care to follow the procedure at section 3 of the "Shorewall Support Guide", but still failed to provide all the information requested. I suggest that the first step under section 3 be "Ensure that LOGFILE is correctly defined in /etc/shorewall/shorewall.conf".

Thanks for the help,
Keith

------------------------------------------------------------------------------
Keith Edmunds wrote:
> May I make a suggestion? I took care to follow the procedure at section 3
> of the "Shorewall Support Guide", but still failed to provide all the
> information requested. I suggest that the first step under section 3 be
> "Ensure that LOGFILE is correctly defined
> in /etc/shorewall/shorewall.conf".

Done. Thanks