Michael Weickel - iQom Business Services GmbH
2010-Feb-02 16:38 UTC
WG: Suddenly DMZ can''t access to internet
net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. _____ Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. <http://p.sf.net/sfu/theplanet-com> http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/shorewall-users> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. <http://p.sf.net/sfu/theplanet-com> http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/shorewall-users> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. <http://p.sf.net/sfu/theplanet-com> http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/shorewall-users> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
This setting already running .... --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:38 net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I attached the shorewall policy and rules files in zip. Thank for help ! --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:38 net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I just checked /var/log/message, the DMZ server 192.168.0.6 DNZ server can access to internet by 53 port: Feb 3 08:26:26 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=192.58.128.30 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17437 PROTO=UDP SPT=58240 DPT=53 LEN=41 Feb 3 08:26:26 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=192.36.148.17 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17438 PROTO=UDP SPT=58240 DPT=53 LEN=41 Feb 3 08:26:28 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=202.12.27.33 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17439 PROTO=UDP SPT=49831 DPT=53 LEN=37 Feb 3 08:26:29 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17440 PROTO=UDP SPT=50685 DPT=53 LEN=41 Feb 3 08:26:30 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17444 PROTO=UDP SPT=58546 DPT=53 LEN=41 Feb 3 08:26:29 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17440 PROTO=UDP SPT=50685 DPT=53 LEN=41 Feb 3 08:26:30 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17444 PROTO=UDP SPT=58546 DPT=53 LEN=41 Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.32.64.12 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17445 PROTO=UDP SPT=49831 DPT=53 LEN=37 Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=193.0.14.129 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17446 PROTO=UDP SPT=49831 DPT=53 LEN=37 Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=202.12.27.33 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17447 PROTO=UDP SPT=50685 DPT=53 LEN=41 --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:38 net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I just checked something: 1. Two DMZ IIS server has can''t ping to internet problem, they are win 2000 and win 2003. 2. If I change their IP, they can ping to internet and then shorewall restart that they can''t ping to internet again... --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:38 net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I think local lan has two computer got virus attacking firewall: Feb 2 15:36:01 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:26:b0:b1:94:08:08:00 SRC=172.16.0.34 DST=224.0.0.251 LEN=94 TOS=0x00 PREC=0x00 TTL=255 ID=30024 PROTO=UDP SPT=5353 DPT=5353 LEN=74 Feb 2 15:36:01 shorewall avahi-daemon[6670]: Invalid query packet. Feb 2 10:54:51 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:64:b9:e8:3b:72:8e:08:00 SRC=172.16.0.175 DST=224.0.0.251 LEN=103 TOS=0x00 PREC=0x00 TTL=255 ID=4899 PROTO=UDP SPT=5353 DPT=5353 LEN=83 Feb 2 10:54:51 shorewall avahi-daemon[6670]: Invalid query packet. Feb 2 08:10:06 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:64:b9:e8:58:a7:57:08:00 SRC=172.16.0.44 DST=224.0.0.251 LEN=95 TOS=0x00 PREC=0x00 TTL=255 ID=39959 PROTO=UDP SPT=5353 DPT=5353 LEN=75 Feb 2 08:10:06 shorewall avahi-daemon[6670]: Invalid query packet. --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:38 net dmz:192.168.0.1 tcp 80 I forgot to mention that this should be put to rules file, sorry. Von: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de] Gesendet: Dienstag, 2. Februar 2010 17:37 An: ''Shorewall Users'' Betreff: AW: [Shorewall-users] Suddenly DMZ can''t access to internet No. For example. If you want to grant access from net (whole internet) to dmz´s webserver with internal ip 192.168.0.1 then you should do net dmz:192.168.0.1 tcp 80 But if you had a running config before it is quite hard to believe that the config changed itself in a way that it does not work anymore. However, above mentioned config will grant access from world to dmz host 192.168.0.1 but only limited to tcp port 80 which is commonly known as www (http). If you want to grant access not from world but from known group you can say net:1.2.3.4 which makes it possible to grant access only to 1.2.3.4 (coming from world) instead of all from world. Statements with “all” such as ‘all accept accept’ are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in each known Shorewall config file since it is always zone zone action (for example in policy) Try my above mentioned line. And again, messages output while you try to access to or from dmz would be great (if sth. Is logged) Give another mail for further questions. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 17:07 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet You mean DMZ should all accept accept ? --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午11:57 To know that it worked before is a quite important comment. However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it since this would globally open dmz for untrusted without a chance to influence proto and port. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 16:50 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet I never set routing between them, but it previous work find. I mean they can access one server by one public address. I think I have to check policy and rules. --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午7:25 If loc can access wan this is because you have a default route (0.0.0.0/0) from loc clients to loc interface and from firewall to wan-router (normally provided by your isp) If loc can access dmz this is either because dmz clients have a static route back to loc or a default route to firewalls dmz interface (since loc has a default route there is no need to describe the way to the dmz but a need to explain your dmz to return, this can be done by static or default route) If dmz has default route to firewalls dmz interface than routing is fine. In this case I guess rules or policy is wrong. In internal can access public ip (what do you mean? Public wan oder publc dmz?) this say nothing about why dmz is not working. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 12:19 An: Shorewall Users Betreff: Re: [Shorewall-users] Suddenly DMZ can''t access to internet That''s odd, internal can access one of public IP .... --- 2010年2月2日 星期二,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月2日,星期二,下午5:50 Either you maybe do only have a static route between dmz clients and loc but no default route or maybe something is wrong with your rules or policies. Does your policy file logs all all drop and net all drop? If yes, what do you see in your messages? Cheers Mike Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Dienstag, 2. Februar 2010 10:45 An: shorewall-users@lists.sourceforge.net Betreff: [Shorewall-users] Suddenly DMZ can''t access to internet Hello We are using old version ( shorewall-3.0.7-1) with Centos 5.3 The shorewall has three zones (net / loc / dmz). Loc can access to internet with no problem and can access to DMZ. DMZ can''t access to internet. Net can''t access to DMZ with NAT. I tried to restart the machine / check Lan card / check cable , they were work find. Is it DMZ Lan card problem? but it can start at Centos ... Thanks !! Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Laurent Caron (Phone)
2010-Feb-03 07:31 UTC
Re: WG: Suddenly DMZ can''t access to internet
Le 3 févr. 2010 à 07:54, Wilson Kwok <leiw324@yahoo.com.hk> a écrit :> I just changed NAT IP to another NAT IP: > > original: x.x.214.100 192.168.0.6 > > changed: x.x.214.101 192.168.0.6 > > Internet can access to web by x.x.214.101 > > What''s this problem? >Hi Did you try a tcpdump on external interface while trying to nat to x.y. 214.100? ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 07:37 UTC
Re: WG: Suddenly DMZ can''t access to internet
Does x.x.214.101 represent your new ''original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ---------------------------------------------------------------------------- -- The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I dont'' have DNAT rules, only have the following rules for 192.168.0.14: HTTP/ACCEPT net dmz:192.168.0.14 remote/ACCEPT net dmz:192.168.0.14 Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 10:45 UTC
Re: WG: Suddenly DMZ can''t access to internet
This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on <http://www.shorewall.net/> www.shorewall.net _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car <http://shorewall.net/> http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. <http://p.sf.net/sfu/theplanet-com> http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/shorewall-users> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. <http://p.sf.net/sfu/theplanet-com> http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list <http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourceforge.net> Shorewall-users@lists.sourceforge.net <https://lists.sourceforge.net/lists/listinfo/shorewall-users> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I forget send to which email address for shorewall tcpdump. --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午6:45 This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Do you think is ISP problem ? --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午6:45 This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 11:07 UTC
Re: WG: Suddenly DMZ can''t access to internet
If x.x.214.101 is part of your provider aggregated space I do not believe that it’s a provider issue. You can easily check this by tracing from a foreign host to your ip and see if your provider routes it to your shorewall. Further I am a bit confuses that you have now two local subnets 192.168.0.x and 172.16.1.x. Are both subnets on the Shorewall´s phy dmz interface? _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 12:01 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet Do you think is ISP problem ? --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午6:45 This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on <http://www.shorewall.net/> www.shorewall.net _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net <http://shorewall.net/> \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 11:07 UTC
Re: WG: Suddenly DMZ can''t access to internet
Use the list one _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 12:01 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I forget send to which email address for shorewall tcpdump. --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午6:45 This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on <http://www.shorewall.net/> www.shorewall.net _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. _____ Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote:> net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry.And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net <http://shorewall.net/> \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net <http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/shorewall-users _____ Yahoo!香港提供網上安全攻略,教你如何防範黑客! <http://hk.promo.yahoo.com/security/> 了解更多 ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com
I have three inerface loc / net / dmz , I will send the shorewall dump tmr. Thanks ! --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午7:07 If x.x.214.101 is part of your provider aggregated space I do not believe that it’s a provider issue. You can easily check this by tracing from a foreign host to your ip and see if your provider routes it to your shorewall. Further I am a bit confuses that you have now two local subnets 192.168.0.x and 172.16.1.x. Are both subnets on the Shorewall´s phy dmz interface? Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 12:01 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet Do you think is ISP problem ? --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午6:45 This really sounds like routing issues. Maybe subnet mask or sth. like that. I think its time to follow Tom´s offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 11:17 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet If I change the NAT x.x.214.101 to another local lan IP 172.16.1.249 client computer , this computer can''t access to internet ..... Thanks --- 2010年2月3日 星期三,Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 寫道﹕ 寄件人: Michael Weickel - iQom Business Services GmbH <mw@iqom.de> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "''Shorewall Users''" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,下午3:37 Does x.x.214.101 represent your new ‚original destination’ in rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may applied before the one you want. For example. DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101 DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101 This would mean, that a http request to your original destination will always apply the NAT to 192.168.0.7 because its more near to the top of the file. Go to /etc/shorewall and do a ‘cat rules | grep 214.100’ if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer. Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] Gesendet: Mittwoch, 3. Februar 2010 07:54 An: Shorewall Users Betreff: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet I just changed NAT IP to another NAT IP: original: x.x.214.100 192.168.0.6 changed: x.x.214.101 192.168.0.6 Internet can access to web by x.x.214.101 What''s this problem? Thanks ! --- 2010年2月3日 星期三,Tom Eastep <teastep@shorewall.net> 寫道﹕ 寄件人: Tom Eastep <teastep@shorewall.net> 主題: Re: [Shorewall-users] WG: Suddenly DMZ can''t access to internet 收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net> 日期: 2010年2月3日,星期三,上午12:57 Michael Weickel - iQom Business Services GmbH wrote: > net dmz:192.168.0.1 tcp 80 > > > > I forgot to mention that this should be put to rules file, sorry. And you probably wanted DNAT net dmz:192.168.0.1 tcp 80 But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn''t even know if the problem has anything to do with Shorewall. I repeat my offer to look at the output of ''shorewall dump'' but I must do it in the next 30 minutes because the rest of my day is full with meetings. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客!了解更多 -----內含下列附件----- ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com -----內含下列附件----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users Yahoo!香港提供網上安全攻略,教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多! ------------------------------------------------------------------------------ The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com