problem:
I can't browse to mydomain.or.tz from local network
but I can browse mydomain.or.tz from external (other place)

The following error was encountered:

    * Connection to 41.220.130.82(external interface) Failed

The system returned:

    (111) Connection refused

I have tried to read FAQ but not yet succeeded. Also I have tried to read
http://www.mail-archive.com/squid-users@squid-cache.org/msg58111.html
also I have not understood the concept.

Note:
the setup is three interface cards (local, dmz and net)

pls help

--
with rgds

Marco Salimu
IT Manager
[ P.o. Box 1546]
Mob: +255 784 370294
Mob: +255 715 370294
Tel: +255 27 8218
Fax: +255 27 8273
Email:
*******************************
marco@seda.or.tz
smarcos2001@yahoo.com
smarcos2001@hotmail.com
marco_salim@wvi.org
Marco.magnus@gmail.com
********************************
Laurent Caron (Phone)
2009-Nov-03 07:53 UTC
Re: REF: browsing mydomain.or.tz from local to DMZ
What about using a split dns config with views? Why hitting the ext interface from the inside?

On 3 Nov 2009 at 08:34, "Marco Salimu" <marco@seda.or.tz> wrote:

> problem :
> i cant browse to mydomain.or.tz from local network
> but i can browse mydomain.or.tz from external ( other place )
>
> The following error was encountered:
>
> * Connection to 41.220.130.82(external interface) Failed
>
> The system returned:
>
> (111) Connection refused
>
> i have tried to read FAQ but not yet succeeded also i have tried to read
> http://www.mail-archive.com/squid-users@squid-cache.org/msg58111.html
> also i have not understood the concept.
>
> Note:
> the setup is three interface card (local, dmz and net)
>
> pls help
Thanks Laurent Caron

Please help me with split DNS

NOTE:
I have internal DNS, but how to do with split DNS

thanks

> What about using a split dns config with views? Why hitting the ext
> interface from the inside?

--
with rgds

Marco Salimu
On 03/11/2009 09:16, Marco Salimu wrote:
>
> Thanks Laurent Caron
> Please help me with split DNS
>
> NOTE:
> I have internal DNS, but how to do with split DNS

http://lmgtfy.com/?q=split+dns+howto+bind
Marco Salimu wrote:
> problem :
> i cant browse to mydomain.or.tz from local network
> but i can browse mydomain.or.tz from external ( other place )
>
> The following error was encountered:
>
> * Connection to 41.220.130.82(external interface) Failed
>
> The system returned:
>
> (111) Connection refused
>
> i have tried to read FAQ but not yet succeeded also i have tried to read
> http://www.mail-archive.com/squid-users@squid-cache.org/msg58111.html
> also i have not understood the concept.
>
> Note:
> the setup is three interface card (local, dmz and net)
>
> pls help

Please submit the documentation requested at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi Tom

Before I send the document, I know the shorewall dump will not show that because that is the issue of proxy server.

Is there any way to bypass proxy server once per all users in Local net apart from adding bypass in browsers.
If I remove proxy setting in browsers I can access mydomain.or.tz.

pls any idea

> Please submit the documentation requested at
> http://www.shorewall.net/support.htm#Guidelines.
>
> -Tom

--
with rgds

Marco Salimu
Hi Laurent Caron

Before I explore split DNS, the problem is from proxy server, which is blocking local user to browse DMZ webserver.

Is there any way to bypass proxy server once per all users in Local net apart from adding bypass in browsers.
If I remove proxy setting in browsers I can access mydomain.or.tz.

pls any idea

> http://lmgtfy.com/?q=split+dns+howto+bind

--
with rgds

Marco Salimu
Hi Tom

Additional Info

Proxy server gives this msg on its access log:

1257344412.111 118 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344412.601 113 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.116 116 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.597 115 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.639 0 10.4.13.21 TCP_DENIED/400 1593 NONE error:unsupported-request-method - NONE/- text/html
1257344414.236 112 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344414.722 106 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html

Thanks

> Please submit the documentation requested at
> http://www.shorewall.net/support.htm#Guidelines.
>
> -Tom

--
with rgds

Marco Salimu
Hi Laurent

Additional Info

Proxy server gives this msg on its access log:

1257344412.111 118 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344412.601 113 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.116 116 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.597 115 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.639 0 10.4.13.21 TCP_DENIED/400 1593 NONE error:unsupported-request-method - NONE/- text/html
1257344414.236 112 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344414.722 106 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html

> http://lmgtfy.com/?q=split+dns+howto+bind

--
with rgds

Marco Salimu
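Reading the posted log lines field by field, as an added example that is not part of the original message: in Squid's native access.log format the fourth field is result code/HTTP status and the ninth is hierarchy code/peer, so TCP_MISS/503 with DIRECT/41.220.130.82 means the proxy itself tried the external address and could not fetch the page. The function names are illustrative.

```javascript
// Added example, not from the thread. The log lines are the ones posted above.
// Squid native access.log fields:
//   time elapsed client result/status bytes method URL ident hierarchy/peer type
const ACCESS_LOG = `
1257344412.111 118 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344412.601 113 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.116 116 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.597 115 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344413.639 0 10.4.13.21 TCP_DENIED/400 1593 NONE error:unsupported-request-method - NONE/- text/html
1257344414.236 112 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
1257344414.722 106 10.4.13.14 TCP_MISS/503 1447 GET http://www.seda.or.tz/ - DIRECT/41.220.130.82 text/html
`;

// Split one log line into named fields; returns null for blank or short lines.
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [result, status] = f[3].split("/");
  const [hierarchy, peer] = f[8].split("/");
  return {
    time: Number(f[0]),
    elapsedMs: Number(f[1]),
    client: f[2],
    result,
    status: Number(status),
    method: f[5],
    url: f[6],
    hierarchy,
    peer,
  };
}

// Group requests that Squid forwarded and answered with a 5xx, keyed by the
// address Squid tried to reach. Requests rejected before forwarding
// (hierarchy NONE, such as the TCP_DENIED/400 line) are left out.
function failedFetchesByPeer(logText) {
  const byPeer = {};
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e || e.hierarchy === "NONE" || e.status < 500) continue;
    const g = byPeer[e.peer] || (byPeer[e.peer] = { count: 0, clients: [], urls: [] });
    g.count += 1;
    if (!g.clients.includes(e.client)) g.clients.push(e.client);
    if (!g.urls.includes(e.url)) g.urls.push(e.url);
  }
  return byPeer;
}

console.log(JSON.stringify(failedFetchesByPeer(ACCESS_LOG), null, 2));
```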
On 04/11/2009 15:11, Marco Salimu wrote:
>
> Hi Laurent Caron
>
> Before i explorer split DNS, the problem is from proxy server, which is
> blocking local user to browse DMZ webserver.
>
> Is there any way to bypass proxy server once per all users in Local net
> apart from adding bypass in browsers.
> if i remove proxy setting in browsers i can access mydomain.or.tz.
>

Hi,

Here is how I deal with it.

Have all your browsers set to auto detect.

Have a server provide your browsers with a proxy.pac file, and set an exception in this proxy.pac file.

Laurent
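A proxy.pac with the kind of exception described above, as an added example that is not part of the original message. The proxy address is a hypothetical placeholder, mydomain.or.tz is the placeholder name used in the thread, and the matching is written in plain ES5 without PAC helper functions so the same file can be checked under Node before it is deployed.

```javascript
// Added example: proxy.pac with an exception for the DMZ web server.
// Assumptions (not from the thread): the proxy host and port below.
var PROXY = "PROXY proxy.example.internal:3128"; // hypothetical proxy address
var DIRECT_DOMAINS = ["mydomain.or.tz"];         // placeholder name used in the thread

// Lower-case the host and drop a trailing dot so "MyDomain.or.tz." still matches.
function normaliseHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// True when host is the domain itself or a subdomain of it. The leading dot
// in the suffix matters: a bare "ends with" test would also send
// "notmydomain.or.tz" around the proxy.
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.indexOf(suffix, host.length - suffix.length) !== -1;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  var h = normaliseHost(host);
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (inDomain(h, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Everything else still goes through the proxy; no "; DIRECT" fallback,
  // so a proxy outage does not silently bypass it.
  return PROXY;
}
```

Browsers set to auto detect locate this file through WPAD (DHCP option 252 or a `wpad` host name in DNS), and the server should send it with the MIME type `application/x-ns-proxy-autoconfig`.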
Marco Salimu wrote:
> Hi Tom
> Before i send the document, i know the shorewall dump will not show that
> because that is the issue of proxy server.
>
> Is there any way to bypass proxy server once per all users in Local net
> apart from adding bypass in browsers.
> if i remove proxy setting in browsers i can access mydomain.or.tz.
>

Marco,

I cannot give you any advice without knowing what your configuration looks like. If you want my help, send the information that I ask for. If you don't want to send it then you must solve the problem yourself.

-Tom
Marco Salimu wrote:
> Hi Tom
> Before i send the document, i know the shorewall dump will not show that
> because that is the issue of proxy server.
>
> Is there any way to bypass proxy server once per all users in Local net
> apart from adding bypass in browsers.
> if i remove proxy setting in browsers i can access mydomain.or.tz.

<Marco sent me shorewall dump output>

Marco,

Why do you have proxy settings in the browsers when you have configured transparent proxy? Your Shorewall configuration is correct for bypassing the proxy when local hosts try to connect to the web server in your DMZ with transparent proxy.

At any rate, if you replace this rule:

    ACCEPT $FW dmz tcp 80

with this rule:

    DNAT $FW dmz:10.4.15.254 tcp 80 - <IP addr of eth0>

it should work.

-Tom