Michael Weickel - iQom Business Services GmbH
2010-Feb-02 16:38 UTC
FW: Suddenly DMZ can't access to internet
net dmz:192.168.0.1 tcp 80

I forgot to mention that this should be put into the rules file, sorry.

_____
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Tuesday, 2 February 2010 17:37
To: 'Shorewall Users'
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet

No.

For example: if you want to grant access from net (the whole internet) to the dmz's webserver with internal IP 192.168.0.1, then you should do

net dmz:192.168.0.1 tcp 80

But if you had a running config before, it is quite hard to believe that the config changed itself in a way that it does not work anymore.

However, the above-mentioned config will grant access from the world to dmz host 192.168.0.1, but only limited to tcp port 80, which is commonly known as www (http).

If you want to grant access not from the world but from a known group, you can say net:1.2.3.4, which makes it possible to grant access only to 1.2.3.4 (coming from the world) instead of all from the world.

Statements with "all" such as 'all accept accept' are always bad. The only thing one should have with all is a deny/drop. However, all accept accept does not sound like a familiar syntax in any known Shorewall config file, since it is always zone zone action (for example in policy).

Try my above-mentioned line. And again, the messages output while you try to access to or from dmz would be great (if something is logged).

Send another mail for further questions.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 17:07
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet

You mean DMZ should all accept accept ?

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 11:57 PM

To know that it worked before is a quite important comment.

However, I think if you want to NAT from untrusted to dmz you should investigate rules. Policies should not have anything to do with it, since this would globally open dmz for untrusted without a chance to influence proto and port.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 16:50
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet

I never set routing between them, but it previously worked fine. I mean they can access one server by one public address. I think I have to check policy and rules.

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 7:25 PM

If loc can access wan, this is because you have a default route (0.0.0.0/0) from loc clients to the loc interface and from the firewall to the wan router (normally provided by your ISP).

If loc can access dmz, this is either because dmz clients have a static route back to loc or a default route to the firewall's dmz interface (since loc has a default route there is no need to describe the way to the dmz, but there is a need to tell your dmz how to return; this can be done by a static or default route).

If dmz has a default route to the firewall's dmz interface, then routing is fine. In this case I guess rules or policy is wrong.

"Internal can access public IP" (what do you mean? Public wan or public dmz?) says nothing about why dmz is not working.

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 12:19
To: Shorewall Users
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet

That's odd, internal can access one of public IP ....

--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 5:50 PM

Either you maybe only have a static route between dmz clients and loc but no default route, or maybe something is wrong with your rules or policies.

Does your policy file log all all drop and net all drop? If yes, what do you see in your messages?

Cheers
Mike

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 10:45
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Suddenly DMZ can't access to internet

Hello

We are using an old version (shorewall-3.0.7-1) with CentOS 5.3.
The shorewall has three zones (net / loc / dmz).
Loc can access the internet with no problem and can access the DMZ.
DMZ can't access the internet.
Net can't access the DMZ with NAT.
I tried to restart the machine / check the LAN card / check the cable; they were working fine.
Is it a DMZ LAN card problem? But it can start on CentOS ...

Thanks !!

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michael Weickel - iQom Business Services GmbH wrote:
> net dmz:192.168.0.1 tcp 80
>
> I forgot to mention that this should be put to rules file, sorry.

And you probably wanted

DNAT net dmz:192.168.0.1 tcp 80

But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn't even know if the problem has anything to do with Shorewall.

I repeat my offer to look at the output of 'shorewall dump' but I must do it in the next 30 minutes because the rest of my day is full with meetings.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
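Added example, not part of the thread: a small checker for the two configuration points raised above, the 'all accept' policy Michael warns against and Tom's note that an ACCEPT from net to an internal 192.168.x.x address should be a DNAT. The policy and rules fragments are constructed for the example in Shorewall 3.x column layout; they are not Wilson's attached files.

```python
import ipaddress

# Constructed Shorewall 3.x policy fragments (not Wilson's attached files):
# BAD_POLICY contains the 'all accept' mistake discussed in the thread,
# GOOD_POLICY is the shape Michael recommends (only DROP/REJECT on 'all',
# net access granted by rules, with logging so /var/log/messages shows drops).
BAD_POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
net     dmz     ACCEPT
all     all     ACCEPT
"""

GOOD_POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

# Constructed rules fragment: the first line is the ACCEPT rule from the
# thread; traffic from net arrives at the public IP, so reaching 192.168.0.1
# needs the DNAT form Tom suggested (shown restricted to 1.2.3.4 as Michael did).
RULES = """\
#ACTION SOURCE      DEST              PROTO  DEST PORT(S)
ACCEPT  net         dmz:192.168.0.1   tcp    80
DNAT    net:1.2.3.4 dmz:192.168.0.1   tcp    80
ACCEPT  net         dmz               tcp    25
"""


def parse_columns(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def lint_policy(text):
    """Return findings for ACCEPT policies that open a zone wholesale.

    A policy cannot restrict protocol or port, so 'all' should only carry
    DROP/REJECT and access from net must come from the rules file.
    """
    findings = []
    for cols in parse_columns(text):
        if len(cols) < 3:
            continue
        src, dst, policy = cols[0], cols[1], cols[2].upper()
        if policy != "ACCEPT":
            continue
        if "all" in (src, dst):
            findings.append(f"policy {src} {dst} ACCEPT: 'all' should only carry DROP/REJECT")
        elif src == "net":
            findings.append(f"policy net {dst} ACCEPT: opens {dst} to the internet with no proto/port control")
    return findings


def is_private_host(spec):
    """True when a DEST such as 'dmz:192.168.0.1' names an RFC 1918 address."""
    if ":" not in spec:
        return False
    try:
        return ipaddress.ip_address(spec.split(":", 1)[1]).is_private
    except ValueError:      # zone:interface or a hostname, not an address
        return False


def lint_rules(text):
    """Flag ACCEPT from net to a private DMZ address; that should be a DNAT."""
    findings = []
    for cols in parse_columns(text):
        if len(cols) < 3:
            continue
        action, src, dst = cols[0].upper(), cols[1], cols[2]
        if action == "ACCEPT" and src.split(":", 1)[0] == "net" and is_private_host(dst):
            findings.append(f"rule ACCEPT {src} {dst}: probably wanted DNAT {src} {dst}")
    return findings


if __name__ == "__main__":
    for name, text in (("bad policy", BAD_POLICY), ("good policy", GOOD_POLICY)):
        print(name, lint_policy(text) or "ok")
    print("rules", lint_rules(RULES) or "ok")
```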
This setting is already running ....
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: [Shorewall-users] FW: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:38 AM

net dmz:192.168.0.1 tcp 80

I forgot to mention that this should be put into the rules file, sorry.
I attached the shorewall policy and rules files in a zip.
Thanks for the help!
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: [Shorewall-users] FW: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:38 AM

net dmz:192.168.0.1 tcp 80

I forgot to mention that this should be put into the rules file, sorry.
I just checked /var/log/message; the DMZ server 192.168.0.6 (DNS server) can access the internet on port 53:

Feb 3 08:26:26 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=192.58.128.30 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17437 PROTO=UDP SPT=58240 DPT=53 LEN=41
Feb 3 08:26:26 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=192.36.148.17 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17438 PROTO=UDP SPT=58240 DPT=53 LEN=41
Feb 3 08:26:28 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=202.12.27.33 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17439 PROTO=UDP SPT=49831 DPT=53 LEN=37
Feb 3 08:26:29 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17440 PROTO=UDP SPT=50685 DPT=53 LEN=41
Feb 3 08:26:30 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17444 PROTO=UDP SPT=58546 DPT=53 LEN=41
Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=198.32.64.12 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17445 PROTO=UDP SPT=49831 DPT=53 LEN=37
Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=193.0.14.129 LEN=57 TOS=0x00 PREC=0x00 TTL=127 ID=17446 PROTO=UDP SPT=49831 DPT=53 LEN=37
Feb 3 08:26:32 shorewall kernel: Shorewall:dmz2net:ACCEPT:IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=202.12.27.33 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=17447 PROTO=UDP SPT=50685 DPT=53 LEN=41
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: [Shorewall-users] FW: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:38 AM

net dmz:192.168.0.1 tcp 80

I forgot to mention that this should be put into the rules file, sorry.
Von: Michael Weickel
- iQom Business Services GmbH [mailto:mw@iqom.de]
Gesendet: Dienstag, 2. Februar
2010 17:37
An: ''Shorewall Users''
Betreff: AW: [Shorewall-users]
Suddenly DMZ can''t access to internet
No.
For example. If you want
to grant access from net (whole internet) to dmz´s webserver with internal ip
192.168.0.1 then you should do
net
dmz:192.168.0.1
tcp 80
But if you had a running
config before it is quite hard to believe that the config changed itself in a
way that it does not work anymore.
However, above mentioned
config will grant access from world to dmz host 192.168.0.1 but only limited to
tcp port 80 which is commonly known as www (http).
If you want to grant
access not from world but from known group you can say net:1.2.3.4 which makes
it possible to grant access only to 1.2.3.4 (coming from world) instead of all
from world.
Statements with “all”
such as ‘all accept accept’ are always bad. The only thing one should have with
all is a deny/drop. However, all accept accept does not sound like a familiar
syntax in each known Shorewall config file since it is always zone zone action
(for example in policy)
Try my above mentioned
line. And again, messages output while you try to access to or from dmz would
be great (if sth. Is logged)
Give another mail for
further questions.
Von: Wilson Kwok
[mailto:leiw324@yahoo.com.hk]
Gesendet: Dienstag, 2. Februar
2010 17:07
An: Shorewall Users
Betreff: Re: [Shorewall-users]
Suddenly DMZ can''t access to internet
You mean DMZ should
all accept accept ?
--- 2010年2月2日
星期二,Michael Weickel - iQom Business Services
GmbH <mw@iqom.de> 寫道﹕
寄件人:
Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
主題:
Re: [Shorewall-users] Suddenly DMZ can''t access to internet
收件人:
"''Shorewall Users''"
<shorewall-users@lists.sourceforge.net>
日期:
2010年2月2日,星期二,下午11:57
To know that it worked before is a quite
important comment.
However, I think if you want to NAT from
untrusted to dmz you should investigate rules.
Policies should not have anything to do with it
since this would globally open dmz for untrusted without a chance to
influence proto and port.
Von: Wilson Kwok
[mailto:leiw324@yahoo.com.hk]
Gesendet: Dienstag, 2. Februar
2010 16:50
An: Shorewall Users
Betreff: Re: [Shorewall-users]
Suddenly DMZ can''t access to internet
I
never set routing between them, but it previous work find.
I mean they can access one server by one public address.
I think I have to check policy and rules.
--- 2010年2月2日
星期二,Michael Weickel - iQom Business
Services GmbH <mw@iqom.de>
寫道﹕
寄件人:
Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
主題:
Re: [Shorewall-users] Suddenly DMZ can''t access to internet
收件人:
"''Shorewall Users''"
<shorewall-users@lists.sourceforge.net>
日期:
2010年2月2日,星期二,下午7:25
If loc can access wan this is because
you have a default route (0.0.0.0/0) from loc clients to loc interface and
from firewall to wan-router (normally provided by your isp)
If loc can access dmz this is either
because dmz clients have a static route back to loc or a default route to
firewalls dmz interface (since loc has a default route there is no need to
describe the way to the dmz but a need to explain your dmz to return, this
can be done by static or default route)
If dmz has default route to firewalls
dmz interface than routing is fine. In this case I guess rules or policy is
wrong.
In internal can access public ip (what
do you mean? Public wan oder publc dmz?) this say nothing about why dmz is
not working.
Von: Wilson Kwok
[mailto:leiw324@yahoo.com.hk]
Gesendet: Dienstag, 2. Februar
2010 12:19
An: Shorewall Users
Betreff: Re: [Shorewall-users]
Suddenly DMZ can''t access to internet
That's odd, internal can access one of the public IPs ....
--- On Tuesday, 2 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Tuesday, 2 February 2010, 5:50 PM
Either you maybe only have a static route between dmz clients and loc but no default route, or maybe something is wrong with your rules or policies.
Does your policy file log all all drop and net all drop? If yes, what do you see in your messages?
Cheers
Mike
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Tuesday, 2 February 2010 10:45
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Suddenly DMZ can't access to internet
Hello
We are using an old version (shorewall-3.0.7-1) with CentOS 5.3.
The Shorewall has three zones (net / loc / dmz).
Loc can access the internet with no problem and can access the DMZ.
DMZ can't access the internet.
Net can't access the DMZ with NAT.
I tried restarting the machine / checking the LAN card / checking the cable; they worked fine.
Is it a DMZ LAN card problem? But it can start on CentOS ...
Thanks !!
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
I just checked something:
1. Two DMZ IIS servers have the "can't ping the internet" problem; they are Win 2000 and Win 2003.
2. If I change their IP, they can ping the internet, and then after a shorewall restart they can't ping the internet again...
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:38 AM
net dmz:192.168.0.1 tcp 80
I forgot to mention that this should be put to rules file, sorry.
I think the local LAN has two computers that got a virus attacking the firewall:
Feb 2 15:36:01 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:26:b0:b1:94:08:08:00 SRC=172.16.0.34 DST=224.0.0.251 LEN=94 TOS=0x00 PREC=0x00 TTL=255 ID=30024 PROTO=UDP SPT=5353 DPT=5353 LEN=74
Feb 2 15:36:01 shorewall avahi-daemon[6670]: Invalid query packet.
Feb 2 10:54:51 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:64:b9:e8:3b:72:8e:08:00 SRC=172.16.0.175 DST=224.0.0.251 LEN=103 TOS=0x00 PREC=0x00 TTL=255 ID=4899 PROTO=UDP SPT=5353 DPT=5353 LEN=83
Feb 2 10:54:51 shorewall avahi-daemon[6670]: Invalid query packet.
Feb 2 08:10:06 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:64:b9:e8:58:a7:57:08:00 SRC=172.16.0.44 DST=224.0.0.251 LEN=95 TOS=0x00 PREC=0x00 TTL=255 ID=39959 PROTO=UDP SPT=5353 DPT=5353 LEN=75
Feb 2 08:10:06 shorewall avahi-daemon[6670]: Invalid query packet.
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:38 AM
net dmz:192.168.0.1 tcp 80
I forgot to mention that this should be put to rules file, sorry.
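The log entries quoted in the message above are in Shorewall's kernel log format: a `<chain>:<ACTION>:` prefix (loc2fw is zone loc to the firewall) followed by the netfilter KEY=VALUE fields. As an added example, not code from the thread or from Shorewall, the parser below turns such lines into fields and tags the multicast groups that routine LAN service discovery uses, so that UDP 5353 to 224.0.0.251 (mDNS, the traffic avahi-daemon is logging as invalid queries) is recognised for what it is before it is counted as an attack. The sample lines are copied from the message above; the small service table is our own assumption.

```python
"""Parse Shorewall kernel log entries and tag well-known multicast chatter.

Added example for this thread, not code from Shorewall or from any poster.
The sample lines are copied from the message above; the service table is
our own and is limited to entries we are certain about.
"""
import re
from collections import Counter
from typing import Optional

# Shorewall prefixes the netfilter log with "<chain>:<ACTION>:"; the chain
# names the zone pair, so loc2fw is traffic from zone loc to the firewall.
LOG_RE = re.compile(
    r"kernel: Shorewall:(?P<chain>[\w-]+):(?P<action>[A-Z]+):(?P<fields>.*)$"
)

# (destination, protocol, destination port) of routine LAN service discovery.
KNOWN_MULTICAST = {
    ("224.0.0.251", "UDP", "5353"): "mDNS (multicast DNS; avahi-daemon answers it)",
    ("239.255.255.250", "UDP", "1900"): "SSDP (UPnP device discovery)",
}

# Copied from the message above (each kernel entry was wrapped over three lines).
SAMPLE_LOG = [
    "Feb 2 15:36:01 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= "
    "MAC=01:00:5e:00:00:fb:00:26:b0:b1:94:08:08:00 SRC=172.16.0.34 DST=224.0.0.251 "
    "LEN=94 TOS=0x00 PREC=0x00 TTL=255 ID=30024 PROTO=UDP SPT=5353 DPT=5353 LEN=74",
    "Feb 2 15:36:01 shorewall avahi-daemon[6670]: Invalid query packet.",
    "Feb 2 10:54:51 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= "
    "MAC=01:00:5e:00:00:fb:64:b9:e8:3b:72:8e:08:00 SRC=172.16.0.175 DST=224.0.0.251 "
    "LEN=103 TOS=0x00 PREC=0x00 TTL=255 ID=4899 PROTO=UDP SPT=5353 DPT=5353 LEN=83",
    "Feb 2 10:54:51 shorewall avahi-daemon[6670]: Invalid query packet.",
    "Feb 2 08:10:06 shorewall kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= "
    "MAC=01:00:5e:00:00:fb:64:b9:e8:58:a7:57:08:00 SRC=172.16.0.44 DST=224.0.0.251 "
    "LEN=95 TOS=0x00 PREC=0x00 TTL=255 ID=39959 PROTO=UDP SPT=5353 DPT=5353 LEN=75",
    "Feb 2 08:10:06 shorewall avahi-daemon[6670]: Invalid query packet.",
]


def parse_log_line(line: str) -> Optional[dict]:
    """Return chain, action and the KEY=VALUE fields, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = {"chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        if key not in entry:          # keep the first LEN= (IP length), not the UDP one
            entry[key] = value
    return entry


def classify(entry: dict) -> str:
    """Known multicast service, other multicast, or unicast."""
    key = (entry.get("DST"), entry.get("PROTO"), entry.get("DPT"))
    if key in KNOWN_MULTICAST:
        return KNOWN_MULTICAST[key]
    dst = entry.get("DST", "")
    first_octet = int(dst.split(".")[0]) if dst.replace(".", "").isdigit() else -1
    return "other multicast" if 224 <= first_octet <= 239 else "unicast"


def summarize(lines) -> dict:
    """Map each classification to a Counter of source addresses."""
    by_class: dict = {}
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            by_class.setdefault(classify(entry), Counter())[entry["SRC"]] += 1
    return by_class


if __name__ == "__main__":
    for label, sources in summarize(SAMPLE_LOG).items():
        print(f"{label}: {dict(sources)}")
```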
I just changed the NAT IP to another NAT IP:
original: x.x.214.100 192.168.0.6
changed: x.x.214.101 192.168.0.6
Internet can access the web by x.x.214.101
What's this problem? Thanks !
--- On Wednesday, 3 February 2010, Tom Eastep <teastep@shorewall.net> wrote:
From: Tom Eastep <teastep@shorewall.net>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:57 AM
Michael Weickel - iQom Business Services GmbH wrote:
> net dmz:192.168.0.1 tcp 80
>
> I forgot to mention that this should be put to rules file, sorry.
And you probably wanted
DNAT net dmz:192.168.0.1 tcp 80
But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn't even know if the problem has anything to do with Shorewall.
I repeat my offer to look at the output of 'shorewall dump' but I must do it in the next 30 minutes because the rest of my day is full with meetings.
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Laurent Caron (Phone)
2010-Feb-03 07:31 UTC
Re: WG: Suddenly DMZ can't access to internet
On 3 Feb 2010 at 07:54, Wilson Kwok <leiw324@yahoo.com.hk> wrote:
> I just changed the NAT IP to another NAT IP:
>
> original: x.x.214.100 192.168.0.6
>
> changed: x.x.214.101 192.168.0.6
>
> Internet can access the web by x.x.214.101
>
> What's this problem?
>
Hi
Did you try a tcpdump on the external interface while trying to NAT to x.y.214.100?
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 07:37 UTC
Re: WG: Suddenly DMZ can't access to internet
Does x.x.214.101 represent your new 'original destination' in the rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may be applied before the one you want. For example:
DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101
DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101
This would mean that an http request to your original destination will always apply the NAT to 192.168.0.7 because it is nearer to the top of the file.
Go to /etc/shorewall and do a 'cat rules | grep 214.100'. If you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer.
_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 07:54
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
I just changed the NAT IP to another NAT IP:
original: x.x.214.100 192.168.0.6
changed: x.x.214.101 192.168.0.6
Internet can access the web by x.x.214.101
What's this problem? Thanks !
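Michael's point about rule order (the first DNAT that matches wins, so a second DNAT for the same original destination and port never fires) can be checked mechanically instead of by eyeballing `grep` output. The following is an added example written for this thread, not code from Shorewall or from any poster: it parses the classic `rules` column layout and reports every later DNAT rule whose match is already covered by an earlier one, including the more general case where the earlier rule uses the `-` wildcard or a zone-only source. The sample rules and the 203.0.113.x public addresses are constructed; the thread's real addresses are masked as x.x.214.x.

```python
"""Find DNAT rules in a Shorewall rules file that can never fire.

Shorewall walks /etc/shorewall/rules top to bottom, so once one DNAT rule
matches a packet (source zone, protocol, destination port, original
destination), a later DNAT rule with the same match is dead. This is an
added audit helper written for this thread; it is not part of Shorewall.
The sample rules and the 203.0.113.x addresses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Column order of the classic rules file:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST [...]
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

SAMPLE_RULES = """\
# constructed sample, modelled on the thread: two DNATs for one public address
SECTION NEW
DNAT         net   dmz:192.168.0.7   tcp   80    -   203.0.113.101
DNAT         net   dmz:192.168.0.6   tcp   80    -   203.0.113.101   # dead
DNAT         net   dmz:192.168.0.6   tcp   443   -   203.0.113.101   # fine
HTTP/ACCEPT  net   dmz:192.168.0.14                                  # macro
"""


@dataclass
class Rule:
    lineno: int
    action: str            # "DNAT", "ACCEPT" or macro form such as "HTTP/ACCEPT"
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"
    origdest: str = "-"

    @property
    def base_action(self) -> str:
        """'HTTP/ACCEPT' -> 'ACCEPT'; a bare 'DNAT' stays 'DNAT'."""
        return self.action.rsplit("/", 1)[-1].upper()


def parse_rules(text: str) -> list[Rule]:
    """Parse the whitespace-separated rules format; comments and SECTION lines are skipped."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith(("SECTION", "?SECTION")):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"rules line {lineno}: need at least ACTION SOURCE DEST")
        rules.append(Rule(lineno, **dict(zip(COLUMNS, fields[: len(COLUMNS)]))))
    return rules


def _covers(earlier: str, later: str) -> bool:
    """True when the earlier rule's field matches everything the later one's does.

    '-' is Shorewall's wildcard; a zone-only source ('net') also covers a
    host-qualified one ('net:1.2.3.4'). Port lists and ranges are compared
    literally, which is enough for the identical-rule case from the thread.
    """
    if earlier == "-" or earlier.lower() == later.lower():
        return True
    return ":" not in earlier and later.lower().startswith(earlier.lower() + ":")


def shadowed_dnat(rules: Iterable[Rule]) -> list[tuple[Rule, Rule]]:
    """Return (earlier, later) pairs where the later DNAT rule never fires."""
    dnats = [r for r in rules if r.base_action == "DNAT"]
    found: list[tuple[Rule, Rule]] = []
    for i, later in enumerate(dnats):
        for earlier in dnats[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("source", "proto", "dport", "origdest")):
                found.append((earlier, later))
                break   # report the first rule that swallows the traffic
    return found


def report(text: str) -> list[str]:
    """Human-readable findings for one rules file body."""
    return [
        f"rules line {later.lineno}: DNAT to {later.dest} is shadowed by line "
        f"{earlier.lineno} (DNAT to {earlier.dest}) for {later.proto}/{later.dport} "
        f"to {later.origdest}"
        for earlier, later in shadowed_dnat(parse_rules(text))
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_RULES) or ["no shadowed DNAT rules"]:
        print(finding)
```

Against a live box, `report(open("/etc/shorewall/rules").read())` gives the same findings for the real file.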
I don't have DNAT rules, I only have the following rules for 192.168.0.14:
HTTP/ACCEPT net dmz:192.168.0.14
remote/ACCEPT net dmz:192.168.0.14
Thanks
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
If I change the NAT x.x.214.101 to another local LAN IP, 172.16.1.249 (a client computer), this computer can't access the internet .....

Thanks

--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 3:37 PM

Does x.x.214.101 represent your new 'original destination' in the rules file? If yes, this sounds like a hierarchy problem in your rules file where another rule may be applied before the one you want. For example:

DNAT net dmz:192.168.0.7 tcp 80 - x.x.214.101
DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101

This would mean that an http request to your original destination will always apply the NAT to 192.168.0.7 because it is nearer to the top of the file. Go to /etc/shorewall and do a 'cat rules | grep 214.100'; if you see more than one tcp 80 rule this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule you have your answer.

From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 07:54
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

I just changed NAT IP to another NAT IP:

original: x.x.214.100 192.168.0.6
changed:  x.x.214.101 192.168.0.6

Internet can access the web by x.x.214.101. What's this problem?

Thanks!
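The first-match ordering Michael describes in the quoted reply above (two DNAT rules for the same ORIGINAL DEST and port, only the upper one ever fires) can be checked mechanically instead of by eye with `grep`. The following is an added example, not code from the thread or from the Shorewall project: a POSIX sh/awk check that reads a Shorewall rules file and flags DNAT rules whose match columns duplicate an earlier rule. The rules file content is constructed; x.x.214.100 and x.x.214.101 are the thread's own placeholder addresses.

```shell
# Added example (not from the thread or the Shorewall project).
# Shorewall evaluates /etc/shorewall/rules top to bottom and the first matching
# rule wins, so a second DNAT rule with the same SOURCE / PROTO / DEST PORT /
# SOURCE PORT / ORIGINAL DEST can never fire. These functions flag such rules.

# write_sample_rules PATH: write a constructed rules file (columns as in the
# Shorewall rules file: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST).
# x.x.214.100 / x.x.214.101 are the thread's placeholder public addresses.
write_sample_rules() {
  cat > "$1" <<'EOF'
#ACTION  SOURCE  DEST              PROTO  DPORT  SPORT  ORIGDEST
ACCEPT   loc     net
DNAT     net     dmz:192.168.0.7   tcp    80     -      x.x.214.101
DNAT     net     dmz:192.168.0.6   tcp    80     -      x.x.214.101
DNAT     net     dmz:192.168.0.6   tcp    443    -      x.x.214.101
DNAT     net     dmz:192.168.0.6   tcp    80     -      x.x.214.100
EOF
}

# shadowed_dnat FILE: print "line N shadowed by line M: <rule>" for every DNAT
# rule whose match columns duplicate an earlier DNAT rule. Only exact duplicates
# of the match columns are detected; an earlier, broader rule (for example one
# with ORIGDEST "-", meaning any address) also shadows later rules but is not
# reported by this simple check.
shadowed_dnat() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    $1 == "DNAT" {
      sport = ($6 == "") ? "-" : $6               # a missing column means "any"
      orig  = ($7 == "") ? "-" : $7
      key = $2 " " $4 " " $5 " " sport " " orig   # SOURCE PROTO DPORT SPORT ORIGDEST
      if (key in seen)
        printf "line %d shadowed by line %d: %s\n", NR, seen[key], $0
      else
        seen[key] = NR
    }
  ' "$1"
}

# count_shadowed FILE: number of shadowed DNAT rules; 0 means every DNAT rule
# is reachable, which is what you want to see before a 'shorewall restart'.
count_shadowed() {
  shadowed_dnat "$1" | wc -l | tr -d ' '
}

# Demo on the constructed file; on a real firewall point it at /etc/shorewall/rules.
rules=$(mktemp)
write_sample_rules "$rules"
shadowed_dnat "$rules"      # line 4 shadowed by line 3: DNAT net dmz:192.168.0.6 tcp 80 - x.x.214.101
echo "shadowed rules: $(count_shadowed "$rules")"
rm -f "$rules"
```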
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 10:45 UTC
Re: WG: Suddenly DMZ can't access to internet
This really sounds like routing issues. Maybe subnet mask or something like that. I think it's time to follow Tom's offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 11:17
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

If I change the NAT x.x.214.101 to another local LAN IP, 172.16.1.249 (a client computer), this computer can't access the internet .....

Thanks
I forgot which email address to send the shorewall tcpdump to.

--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 6:45 PM

This really sounds like routing issues. Maybe subnet mask or something like that. I think it's time to follow Tom's offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net
Do you think it is an ISP problem?

--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 6:45 PM

This really sounds like routing issues. Maybe subnet mask or something like that. I think it's time to follow Tom's offer to give a Shorewall dump as described in the troubleshooting phase on www.shorewall.net
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 11:07 UTC
Re: WG: Suddenly DMZ can't access to internet
If x.x.214.101 is part of your provider's aggregated space I do not believe that it's a provider issue. You can easily check this by tracing from a foreign host to your IP and seeing if your provider routes it to your Shorewall.

Further, I am a bit confused that you have now two local subnets, 192.168.0.x and 172.16.1.x. Are both subnets on the Shorewall's phy dmz interface?

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 12:01
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

Do you think it is an ISP problem?
Michael Weickel - iQom Business Services GmbH
2010-Feb-03 11:07 UTC
Re: WG: Suddenly DMZ can't access to internet
Use the list one

_____
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 12:01
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

I forgot which email address to send the shorewall tcpdump to.
I have three interfaces: loc / net / dmz. I will send the shorewall dump tomorrow.
Thanks!
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 7:07 PM
If x.x.214.101 is part of your provider-aggregated space, I do not believe that it's a provider issue. You can easily check this by tracing from a foreign host to your IP and seeing whether your provider routes it to your Shorewall.
Further, I am a bit confused that you now have two local subnets, 192.168.0.x and 172.16.1.x. Are both subnets on the Shorewall's physical dmz interface?
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 12:01
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
Do you think it is an ISP problem?
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 6:45 PM
This really sounds like a routing issue. Maybe the subnet mask or something like that. I think it's time to follow Tom's offer and provide a Shorewall dump, as described in the troubleshooting section on www.shorewall.net.
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 11:17
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
If I change the NAT x.x.214.101 to another local LAN IP, 172.16.1.249 (a client computer), this computer can't access the internet ...
Thanks
--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <mw@iqom.de> wrote:
From: Michael Weickel - iQom Business Services GmbH <mw@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 3:37 PM
Does x.x.214.101 represent your new 'original destination' in the rules file?
If yes, this sounds like a hierarchy problem in your rules file, where another rule may be applied before the one you want.
For example:

    #ACTION  SOURCE  DEST             PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
    DNAT     net     dmz:192.168.0.7  tcp    80            -               x.x.214.101
    DNAT     net     dmz:192.168.0.6  tcp    80            -               x.x.214.101

This would mean that an http request to your original destination will always apply the NAT to 192.168.0.7, because it is nearer to the top of the file.
Go to /etc/shorewall and do a 'cat rules | grep 214.100'; if you see more than one tcp 80 rule, this could be your problem. If you do the same with 214.101 and see only one tcp 80 rule, you have your answer.
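As an added example (not code from the thread, and not part of Shorewall itself), the following POSIX shell/awk check generalises the grep above: it reads a Shorewall rules file (or stdin) and reports every DNAT rule whose PROTO, DEST PORT and ORIGINAL DEST match an earlier DNAT rule, since the rules file is evaluated top to bottom and the earlier rule wins. The function name, the column layout it assumes (the classic whitespace-separated ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST columns) and the sample rules are my own; the sample reproduces the two-rule case in the message plus one non-conflicting rule.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# find_shadowed_dnat: report DNAT rules that can never match because an
# earlier DNAT rule already covers the same PROTO / DEST PORT / ORIGINAL DEST.
# Assumed layout (classic Shorewall rules columns):
#   ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ...
# Not handled: the key=value column format, ?SECTION lines, and port lists
# such as "80,443" (they are compared as literal strings, not expanded).
find_shadowed_dnat() {
    # Usage: find_shadowed_dnat [rules-file]   (reads stdin when no file is given)
    # Exit status is 1 if at least one shadowed rule was found, 0 otherwise.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        $1 ~ /^DNAT/ {                             # DNAT and DNAT- actions
            key = $4 "/" $5 "/" $7                 # proto / dest port / original dest
            if (key in first) {
                printf "line %d: %s %s %s (%s) is shadowed by line %d (%s)\n", NR, $1, $2, $3, key, first[key], firstdest[key]
                shadowed++
            } else {
                first[key] = NR
                firstdest[key] = $3
            }
        }
        END { exit (shadowed ? 1 : 0) }
    ' ${1:+"$1"}
}

# Constructed sample (not from the thread): the two conflicting http rules from
# the message above plus an https rule that does not conflict with either.
find_shadowed_dnat <<'EOF' || echo "reorder or remove the shadowed rule(s), then run: shorewall check"
#ACTION  SOURCE  DEST             PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     dmz:192.168.0.7  tcp    80     -      x.x.214.101
DNAT     net     dmz:192.168.0.6  tcp    80     -      x.x.214.101
DNAT     net     dmz:192.168.0.6  tcp    443    -      x.x.214.101
EOF
```

Run it as `find_shadowed_dnat /etc/shorewall/rules` before restarting. It only inspects the text of the rules file; `shorewall show nat` lists the nat-table rules the kernel actually evaluates, in order, and is the authoritative check once the configuration is loaded.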
From: Wilson Kwok [mailto:leiw324@yahoo.com.hk]
Sent: Wednesday, 3 February 2010 07:54
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
I just changed the NAT IP to another NAT IP:
original: x.x.214.100 192.168.0.6
changed:  x.x.214.101 192.168.0.6
Internet can access the web by x.x.214.101.
What's this problem?
Thanks!
--- On Wednesday, 3 February 2010, Tom Eastep <teastep@shorewall.net> wrote:
From: Tom Eastep <teastep@shorewall.net>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:57 AM
Michael Weickel - iQom Business Services GmbH wrote:
> net dmz:192.168.0.1 tcp 80
>
> I forgot to mention that this should be put in the rules file, sorry.

And you probably wanted

    DNAT net dmz:192.168.0.1 tcp 80

But randomly changing the rules without understanding what the real problem is seems unwise. Wilson doesn't even know if the problem has anything to do with Shorewall.

I repeat my offer to look at the output of 'shorewall dump', but I must do it in the next 30 minutes because the rest of my day is full of meetings.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call
away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users