SETUP:
I have a setup of Shorewall with three interfaces (eth0, eth1 and ent2)
Net and Local DMZ

I have set up a public DNS, mail server and webserver in the DMZ, and squid on
the firewall machine (Shorewall)

I also have an internal DNS server locally which resolves internal machines
and forwards requests to the public DNS server (in the DMZ) if it finds no record.

PROBLEM:
1) External/internet/public users can access my webserver using
www.mydomain.com WHILE the machines from the Local zone can access my webserver
using its IP address but fail when using www.mydomain.com. (That happens
whether you use the proxy or not.) --- Please kindly help

NOTE:
The machines within the DMZ can access my webserver using www.mydomain.com (that
works if no proxy is in use)

Thanks for help

--
with rgds
Marco Salimu
IT Manager
[ P.o. Box 1546]
Mob: +255 784 370294
Mob: +255 715 370294
Tel: +255 27 8218
Fax: +255 27 8273
Email:
*******************************
marco@seda.or.tz
smarcos2001@yahoo.com
smarcos2001@hotmail.com
marco_salim@wvi.org
Marco.magnus@gmail.com
********************************

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference

Marco Salimu wrote:
> SETUP:
> I have a setup of Shorewall of three interface (eth0, eth1 and ent2)
> Net and Local DMZ
>
> I Have a setup Public DNS, mail server and webserver in DMZ, and squid in
> Firewall Machine(Shorewall)
>
> I have also Internal DNS server locally which resolves internal machines
> and forward requests to public dns server(in DMZ) if finds not record.
>
> PROBLEM:
> 1)External/internet/public users can access my webserver using
> www.mydomain.com WHILE The machine from Local zone can access my webserver
> using its IP Address but fail when using www.mydomain.com. (that done
> happen either you use proxy or not)--- pls kindly help
>
> NOTE:
> The machine with DMZ can access my webserver using www.mydomain.com (thats
> works if no proxy is in use)

We don't really have enough information to diagnose this problem. But if
your DMZ uses DNAT to forward requests from the net, you might find
Shorewall FAQ 1d (http://www.shorewall.net/FAQ.htm#faq1d) helpful.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hi Tom Eastep
Hope you are doing fine

Please help; if you want additional information, ask me

Thanks

> Marco Salimu wrote:
>> SETUP:
>> I have a setup of Shorewall of three interface (eth0, eth1 and ent2)
>> Net and Local DMZ
>>
>> I Have a setup Public DNS, mail server and webserver in DMZ, and squid
>> in
>> Firewall Machine(Shorewall)
>>
>> I have also Internal DNS server locally which resolves internal machines
>> and forward requests to public dns server(in DMZ) if finds not record.
>>
>> PROBLEM:
>> 1)External/internet/public users can access my webserver using
>> www.mydomain.com WHILE The machine from Local zone can access my
>> webserver
>> using its IP Address but fail when using www.mydomain.com. (that done
>> happen either you use proxy or not)--- pls kindly help
>>
>> NOTE:
>> The machine with DMZ can access my webserver using www.mydomain.com
>> (thats
>> works if no proxy is in use)
>
> We don't really have enough information to diagnose this problem. But if
> your DMZ uses DNAT to forward requests from the net, you might find
> Shorewall FAQ 1d (http://www.shorewall.net/FAQ.htm#faq1d) helpful.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

--
with rgds
Marco Salimu
IT Manager
[ P.o. Box 1546]
Mob: +255 784 370294
Mob: +255 715 370294
Tel: +255 27 8218
Fax: +255 27 8273
Email:
*******************************
marco@seda.or.tz
smarcos2001@yahoo.com
smarcos2001@hotmail.com
marco_salim@wvi.org
Marco.magnus@gmail.com
********************************

Marco Salimu wrote:
> Hi Tom Eastep
> Hope you are doing Fine
>
> Pls help, if you want additional information ask me
>

http://www.shorewall.net/support.htm#Guidelines

In addition to the output of 'shorewall dump', we need to know the IP
address(es) that www.mydomain.com resolves to on the machines that don't
have access.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hello Tom

First of all, find attached the shorewall dump output.
Second, the IP address(es) is 10.4.13.87 and my public address is
41.220.130.68.

New developments/Additional information:
When I switch off the squid/proxy server, I can access www.mydomain.com from
local, but when it is on I get the error message below

*************************************************************
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.seda.or.tz/
The following error was encountered:
 * Connection to 41.220.130.68 Failed
The system returned:
 (111) Connection refused
The remote host or network may be down. Please try the request again.
Your cache administrator is root.
Generated Sat, 10 Oct 2009 09:14:24 GMT by gate.seda.or.tz
(squid/2.6.STABLE21)
***********************************************************************

NOTE:
I have set up squid using the "Shorewall_Squid_Usage" manual (squid is running
on the Firewall/Shorewall machine)

Thanks in advance, waiting for your help

Thanks

> Marco Salimu wrote:
>> Hi Tom Eastep
>> Hope you are doing Fine
>>
>> Pls help, if you want additional information ask me
>>
>
> http://www.shorewall.net/support.htm#Guidelines
>
> In addition to the output of 'shorewall dump', we need to know the IP
> address(es) that www.mydomain.com resolves to on the machines that don't
> have access.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

Marco Salimu wrote:
> Hello Tom
>
> First of all find attached shorewall dump output
> second the ip address(es) is 10.4.13.87 and my public address is
> 41.220.130.68.
>
>
> New developments/Additional information:
> When the i switch off squid/proxy server -- i can www.mydomain.com from
> local. but when it is on i get the error message bellow
> *************************************************************
> ERROR
> The requested URL could not be retrieved
> While trying to retrieve the URL: http://www.seda.or.tz/
> The following error was encountered:
> * Connection to 41.220.130.68 Failed
> The system returned:
> (111) Connection refused
> The remote host or network may be down. Please try the request again.
> Your cache administrator is root.
> Generated Sat, 10 Oct 2009 09:14:24 GMT by gate.seda.or.tz
> (squid/2.6.STABLE21)
> ***********************************************************************
>
> NOTE:
> I have setup squid using "Shorewall_Squid_Usage" manual (squid is running
> in Firewall/Shorewall machine)

There are no REDIRECT rules in the dump you sent. So I assume that the
dump does not represent the configuration that fails?

If that is the case, I suggest that when you re-add the REDIRECT rule,
you re-add it as follows:

    REDIRECT loc 3128 tcp 80 - !41.220.130.68,10.4.13.87

That will allow HTTP requests to your DMZ's web server to bypass Squid
(note that this approach is recommended in the "Shorewall_Squid_Usage"
article).

One other point -- you have installed Shorewall-perl but are apparently
not using it. Any particular reason?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
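
A check for the bypass suggested in the last reply, as an added example that is not part of the thread or of Shorewall itself: it scans a rules file for transparent-proxy REDIRECT rules whose ORIGINAL DEST column does not exclude the web server addresses. The function name missing_bypass and the sample rules are constructed for illustration; it assumes a plain "loc" source and a destination port written as 80 or www.

```shell
#!/bin/sh
# missing_bypass RULES_FILE ADDR...
# Prints "line N: missing ADDR" for every REDIRECT rule from loc for
# tcp port 80 whose ORIGINAL DEST column (7th) does not list ADDR in a
# negated "!a,b" exclusion. No output means every rule bypasses Squid
# for all the given addresses.
missing_bypass() {
    rules=$1; shift
    awk -v want="$*" '
        BEGIN { n = split(want, addrs, " ") }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 ~ /^REDIRECT(:|$)/ && $2 == "loc" && $4 == "tcp" &&
        ($5 == "80" || $5 == "www") {
            # only a negated list in ORIGINAL DEST acts as a bypass
            excl = ($7 ~ /^!/) ? substr($7, 2) : ""
            m = split(excl, have, ",")
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 1; j <= m; j++)
                    if (have[j] == addrs[i]) found = 1
                if (!found)
                    printf "line %d: missing %s\n", NR, addrs[i]
            }
        }
    ' "$rules"
}

# Constructed sample rules (not the poster's file): no exclusion,
# a partial exclusion, and the rule given in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
#ACTION   SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST
REDIRECT  loc     3128  tcp    80
REDIRECT  loc     3128  tcp    80     -      !41.220.130.68
REDIRECT  loc     3128  tcp    80     -      !41.220.130.68,10.4.13.87
EOF

# The two addresses are the ones quoted in the thread.
missing_bypass "$sample" 41.220.130.68 10.4.13.87
```

Lines 3 and 4 of the sample are reported; line 5, the rule from the thread, is not.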