Hello,

We are using an old version (shorewall-3.0.7-1) with CentOS 5.3. The Shorewall has three zones (net / loc / dmz). Loc can access the internet with no problem and can access the DMZ. DMZ can't access the internet. Net can't access the DMZ with NAT. I tried restarting the machine / checking the LAN card / checking the cable; they were working fine. Is it a DMZ LAN card problem? But it can start at CentOS ...

Thanks!!

Yahoo! Hong Kong offers an online security guide that teaches you how to guard against hackers! Visit http://hk.promo.yahoo.com/security/ to learn more!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation. Stay online with enterprise data centers and the best network in the business. Choose flexible plans and management services without long-term contracts. Personal 24x7 support from experienced hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH
2010-Feb-02 09:50 UTC
Re: Suddenly DMZ can't access to internet
Either you maybe only have a static route between DMZ clients and loc but no default route, or maybe something is wrong with your rules or policies. Does your policy file log "all all drop" and "net all drop"? If yes, what do you see in your messages?

Cheers
Mike

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 10:45
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Suddenly DMZ can't access to internet
That's odd, internal can access one of the public IPs ....

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 5:50 PM

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michael Weickel - iQom Business Services GmbH
2010-Feb-02 11:25 UTC
Re: Suddenly DMZ can't access to internet
If loc can access WAN, this is because you have a default route (0.0.0.0/0) from loc clients to the loc interface and from the firewall to the WAN router (normally provided by your ISP). If loc can access dmz, this is either because dmz clients have a static route back to loc or a default route to the firewall's dmz interface (since loc has a default route there is no need to describe the way to the dmz, but there is a need to explain to your dmz how to return; this can be done by a static or default route). If dmz has a default route to the firewall's dmz interface, then routing is fine. In this case I guess rules or policy is wrong. If internal can access a public IP (what do you mean? public WAN or public DMZ?) this says nothing about why dmz is not working.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 12:19
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
Wilson Kwok wrote:
> That's odd, internal can access one of the public IPs ....

If you can't solve this, send me the output of 'shorewall dump' as an attachment and I'll take a look.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA    \ all of the passengers in his car
http://shorewall.net \________________________________________________
I never set routing between them, but it previously worked fine. I mean they can access one server by one public address. I think I have to check policy and rules.

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 7:25 PM
Michael Weickel - iQom Business Services GmbH
2010-Feb-02 15:57 UTC
Re: Suddenly DMZ can't access to internet
To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate the rules. Policies should not have anything to do with it, since this would globally open dmz for untrusted without a chance to influence proto and port.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 16:50
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
You mean DMZ should be all accept accept?

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 11:57 PM
Michael Weickel - iQom Business Services GmbH
2010-Feb-02 16:37 UTC
Re: Suddenly DMZ can't access to internet
No. For example, if you want to grant access from net (the whole internet) to the dmz's webserver with internal IP 192.168.0.1, then you should do

net dmz:192.168.0.1 tcp 80

But if you had a running config before, it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, the above-mentioned config will grant access from the world to dmz host 192.168.0.1, but only limited to TCP port 80, which is commonly known as www (http). If you want to grant access not from the world but from a known group, you can say net:1.2.3.4, which makes it possible to grant access only to 1.2.3.4 (coming from the world) instead of all from the world. Statements with "all" such as 'all accept accept' are always bad. The only thing one should have with all is a deny/drop. However, 'all accept accept' does not sound like familiar syntax in any known Shorewall config file, since it is always zone zone action (for example in policy). Try my above-mentioned line. And again, the messages output while you try to access to or from dmz would be great (if something is logged). Send another mail for further questions.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 17:07
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
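As an added diagnostic example (not code from this thread or from the Shorewall project), the POSIX shell script below works through the two checks the replies keep coming back to: Michael's point that a DMZ host needs a default route pointing at the firewall's DMZ interface, and the repeated request to look at what Shorewall logs to /var/log/messages before guessing at rules or policies. The route table and the log lines are constructed samples; the firewall's DMZ address 192.168.0.254, the interface names and the addresses in the log lines are assumptions, and the log layout follows the prefix produced by Shorewall's default LOGFORMAT "Shorewall:%s:%s:", i.e. chain name followed by the action taken.

```shell
#!/bin/sh
# Added diagnostic helpers for the two checks raised in this thread:
#   1. does a host actually have a default route, and via which gateway?
#   2. what do the Shorewall log lines in /var/log/messages say about
#      traffic between zones?
# Sample inputs below are constructed; interface names, addresses and the
# firewall's DMZ address 192.168.0.254 are assumptions, not from the thread.

# Print the gateway of the default route found in `ip route` output read
# from stdin; print nothing if there is no default route at all.
default_gateway() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
         }'
}

# Succeed (exit 0) only if the route table on stdin has a default route
# through the gateway given as $1.
has_default_via() {
    [ "$(default_gateway)" = "$1" ]
}

# Summarize Shorewall log lines read from stdin, one line per distinct
# "chain:action SRC->DST PROTO/DPT" with a hit count, sorted by chain.
summarize_shorewall_log() {
    awk '
        /Shorewall:/ {
            # The tag looks like Shorewall:net2dmz:DROP:IN=eth0 ...
            if (match($0, /Shorewall:[^:]+:[^:]+:/) == 0) next
            tag = substr($0, RSTART + 10, RLENGTH - 11)   # -> net2dmz:DROP
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            count[tag " " src "->" dst " " proto "/" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample: route table of a DMZ host whose default route points
# at the firewall's DMZ interface (assumed to be 192.168.0.254).
SAMPLE_ROUTES='192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
default via 192.168.0.254 dev eth0'

# Constructed sample log lines in the syslog form Shorewall writes: two
# dropped connections from the internet to the DMZ web server, one DNS
# query from the DMZ rejected on its way out, and one accepted loc flow.
SAMPLE_LOG='Feb  2 10:45:01 fw kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Feb  2 10:45:03 fw kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
Feb  2 10:45:05 fw kernel: Shorewall:dmz2net:REJECT:IN=eth2 OUT=eth0 SRC=192.168.0.1 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=40000 DPT=53
Feb  2 10:45:07 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=41000 DPT=443 SYN'

# Stand-alone run: routing check first, then the per-chain log summary.
printf '%s\n' "$SAMPLE_ROUTES" | has_default_via 192.168.0.254 \
    && echo "DMZ host: default route via firewall DMZ address, routing OK" \
    || echo "DMZ host: no default route via firewall, fix routing first"
printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
```

On the real hosts the same functions take live input: `ip route | default_gateway` on the DMZ machine, and `grep Shorewall: /var/log/messages | summarize_shorewall_log` on the firewall. A chain name such as dmz2net or dmz2all with DROP or REJECT in the summary points at a rule or policy problem; if the DMZ host shows no default gateway, routing is the problem regardless of what Shorewall logs.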