Shorewall users - Feb 2010 - Two DMZ servers can't be access from internet and can't ping internet IP address.

Hello

We are using old version shorewall-3.0.7-1, hope you still can support this old
version.

Internet suddenly can''t access our two web servers, they are win2000
and win2003.
The win2000 also have FTP service. They also can''t ping to internet IP
address like
www.yahoo.com or www.gmail.com, but they can ping other DMZ servers.

The following are two servers NAT mapping:

Win2000: 210.0.214.118 > 192.168.0.6
               210.0.214.120 > 192.168.0.7

Win2003: 210.0.214.114 > 192.168.0.2
               210.0.214.127 > 192.168.0.14
               210.0.214.128 > 192.168.0.15

Internet can''t access 5 public IP addresses.

This problems are very odd, I had have to map 210.0.214.127 to 210.0.214.113
(another public IP address) that internet can access to web server by this IP
address. I also map 210.0.214.118 to 210.0.214.129 that internet can acccess to
web server by this IP address. If I change to map 210.0.214.113 to my loc
computer 172.16.1.249 that my computer will disconnect internet connection.

In this problems, I called our ISP provider to check whether they have been
changed something, but they said nothing have been changed, and then I try to
map back original 210.0.214.118 to 192.168.0.6 that suddenly can access to
internet and internet
can access to this Win2000 web server. But Win2003 still have this problem.

Thanks!






      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Thu, 2010-02-04 at 08:41 +0800, Wilson Kwok wrote:
> 
> This problems are very odd, I had have to map 210.0.214.127 to
> 210.0.214.113 (another public IP address) that internet can access to
> web server by this IP address. I also map 210.0.214.118 to
> 210.0.214.129 that internet can acccess to web server by this IP
> address. If I change to map 210.0.214.113 to my loc computer
> 172.16.1.249 that my computer will disconnect internet connection.
> 
> In this problems, I called our ISP provider to check whether they have
> been changed something, but they said nothing have been changed, and
> then I try to map back original 210.0.214.118 to 192.168.0.6 that
> suddenly can access to internet and internet
> can access to this Win2000 web server. But Win2003 still have this
> problem.
> 
Check your cabling -- it sounds to be as if you have connected eth2 and
eth0 to the same switch.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Wed, 2010-02-03 at 19:13 -0800, Tom Eastep wrote:
> 
> Check your cabling -- it sounds to be as if you have connected eth2 and
> eth0 to the same switch.
> 
Make that "...it sounds to *me* as if ..."

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Wed, 2010-02-03 at 19:19 -0800, Tom Eastep wrote:
> On Wed, 2010-02-03 at 19:13 -0800, Tom Eastep wrote:
> > 
> > Check your cabling -- it sounds to be as if you have connected eth2
and
> > eth0 to the same switch.
> > 
> 
> Make that "...it sounds to *me* as if ..."
And actually, eth2 could be bridged to eth1 -- the point is that these
sorts of random problems with individual addresses are usually the 
result of an internal interface being bridged to your ''net''
interface.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I just checked net/loc/dmz physical cable connection correctly, I attached the
physical diagram.
 
Thanks !

--- 2010年2月4日 星期四，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月4日,星期四,上午11:58


On Wed, 2010-02-03 at 19:19 -0800, Tom Eastep wrote:
> On Wed, 2010-02-03 at 19:13 -0800, Tom Eastep wrote:
> > 
> > Check your cabling -- it sounds to be as if you have connected eth2
and
> > eth0 to the same switch.
> > 
> 
> Make that "...it sounds to *me* as if ..."
And actually, eth2 could be bridged to eth1 -- the point is that these
sorts of random problems with individual addresses are usually the 
result of an internal interface being bridged to your ''net''
interface.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I just tested telnet 80 port from internet to DMZ by 210.0.214.114, 124, they
can be telnet.
 
Thanks !

--- 2010年2月4日 星期四，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月4日,星期四,上午11:58


On Wed, 2010-02-03 at 19:19 -0800, Tom Eastep wrote:
> On Wed, 2010-02-03 at 19:13 -0800, Tom Eastep wrote:
> > 
> > Check your cabling -- it sounds to be as if you have connected eth2
and
> > eth0 to the same switch.
> > 
> 
> Make that "...it sounds to *me* as if ..."
And actually, eth2 could be bridged to eth1 -- the point is that these
sorts of random problems with individual addresses are usually the 
result of an internal interface being bridged to your ''net''
interface.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> I just checked net/loc/dmz physical cable connection correctly, I
> attached the physical diagram.
You can rule out that sort of problem by setting ''arp_filter''
on each of
your interfaces. It will take a while for all IP addresses to begin
behaving normally again, if there is a bridging issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Why suddenly have bridging issue ??

--- 2010年2月4日 星期四，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月4日,星期四,下午11:02


Wilson Kwok wrote:
> I just checked net/loc/dmz physical cable connection correctly, I
> attached the physical diagram.
You can rule out that sort of problem by setting ''arp_filter''
on each of
your interfaces. It will take a while for all IP addresses to begin
behaving normally again, if there is a bridging issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> Why suddenly have bridging issue ??
Maybe you don''t. If the problem has gone away as indicated by your
later
email then I wouldn''t change anything. But if you find that other
individual IP address start having issues, then I would suspect bridging.

The last time that I helped a Shorewall user with this issue, he
eventually found a wireless router in a closet that was bridging two
LANs that it wasn''t supposed to be.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hi
 
Where can setup ''arp_filter''  ? I can''t find it in
shorewall.conf.
 
Thanks !aaa

--- 2010年2月4日 星期四，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月4日,星期四,下午11:02


Wilson Kwok wrote:
> I just checked net/loc/dmz physical cable connection correctly, I
> attached the physical diagram.
You can rule out that sort of problem by setting ''arp_filter''
on each of
your interfaces. It will take a while for all IP addresses to begin
behaving normally again, if there is a bridging issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> Hi
>  
> Where can setup ''arp_filter''  ? I can''t find it
in shorewall.conf.
It is an OPTION in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I just added "arp_filter option on each interface (net / loc / dmz) and
then "shorewall restart", the 192.168.0.14 > 210.0.214.127 still
can''t ping to internet by yahoo IP.
 
Thanks !

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,上午7:30


Wilson Kwok wrote:
> Hi
>  
> Where can setup ''arp_filter''  ? I can''t find it
in shorewall.conf.
It is an OPTION in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Do you think is lan card problem ?

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,上午7:30


Wilson Kwok wrote:
> Hi
>  
> Where can setup ''arp_filter''  ? I can''t find it
in shorewall.conf.
It is an OPTION in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I checked something by tcpdump and /var/log/message:
 
I used the following tcpdump command to check LOC interface that included
192.168.2.1
IP address ?? our LOC must don''t have this IP address.
 
tcpdump -i eth1 | grep 192.168.2.1 > tcpdump_log.txt
 
and checked /var/log/message found 172.16.0.22 using 192.168.2.1 IP for doing
something
 
Please find the attached log files.
 
Thank for help !!

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,上午7:30


Wilson Kwok wrote:
> Hi
>  
> Where can setup ''arp_filter''  ? I can''t find it
in shorewall.conf.
It is an OPTION in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> I checked something by tcpdump and /var/log/message:
>  
> I used the following tcpdump command to check LOC interface that
> included 192.168.2.1
> IP address ?? our LOC must don''t have this IP address.
>  
It''s Multicast. Not involved in your problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hello
 
What I have to do now? is the hardware problem ?
 
Thanks ! 

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,下午10:59


Wilson Kwok wrote:
> I checked something by tcpdump and /var/log/message:
>  
> I used the following tcpdump command to check LOC interface that
> included 192.168.2.1
> IP address ?? our LOC must don''t have this IP address.
>  
It''s Multicast. Not involved in your problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I just checked something again by tcpdump:
 
09:50:46.780780 IP 172.16.0.177.boinc-client > 124.40.51.145.nat-stun-port:
UDP, length 33

09:50:46.830262 IP 124.40.51.145.nat-stun-port > 172.16.0.177.boinc-client:
UDP, length 66

09:50:54.780885 IP 172.16.0.177.afrog > 96.17.157.44.nat-stun-port: UDP,
length 49

What is nat-stun-port?
 
Thanks !

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,下午10:59


Wilson Kwok wrote:
> I checked something by tcpdump and /var/log/message:
>  
> I used the following tcpdump command to check LOC interface that
> included 192.168.2.1
> IP address ?? our LOC must don''t have this IP address.
>  
It''s Multicast. Not involved in your problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Fri, 2010-02-05 at 17:34 -0800, Wilson Kwok wrote:
> Hello
>  
> What I have to do now? is the hardware problem ?
Wilson,

This is Super Bowl weekend here in the US. I will not be available all
weekend.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hi Tom
 
Are you like Super Bowl ? 
 
I will wait you next week, and I also installing shorewall in another same
hardware machine for testing.
 
Thanks !

--- 2010年2月6日 星期六，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月6日,星期六,上午11:06


On Fri, 2010-02-05 at 17:34 -0800, Wilson Kwok wrote:
> Hello
>  
> What I have to do now? is the hardware problem ?
Wilson,

This is Super Bowl weekend here in the US. I will not be available all
weekend.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Stun is normally used to solve nat problems with SIP (VoiP)

VoIP telephones use a stun server beside the regular proxy where the stun
server makes it possible that the SIP phone can be behind a firewall  

 

  _____  

Von: Wilson Kwok [mailto:leiw324@yahoo.com.hk] 
Gesendet: Samstag, 6. Februar 2010 03:05
An: Shorewall Users
Betreff: Re: [Shorewall-users] Two DMZ servers can''t be access from
internetand can''t ping internet IP address.

 


I just checked something again by tcpdump:

 

09:50:46.780780 IP 172.16.0.177.boinc-client > 124.40.51.145.nat-stun-port:
UDP, length 33

09:50:46.830262 IP 124.40.51.145.nat-stun-port > 172.16.0.177.boinc-client:
UDP, length 66

09:50:54.780885 IP 172.16.0.177.afrog > 96.17.157.44.nat-stun-port: UDP,
length 49

What is nat-stun-port?

 

Thanks !

--- 2010年2月5日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月5日,星期五,下午10:59

Wilson Kwok wrote:
> I checked something by tcpdump and /var/log/message:
>  
> I used the following tcpdump command to check LOC interface that
> included 192.168.2.1
> IP address ?? our LOC must don''t have this IP address.
>  
It''s Multicast. Not involved in your problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net <http://shorewall.net/>
\________________________________________________


-----內含下列附件-----

----------------------------------------------------------------------------
--
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com


-----內含下列附件-----

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
<http://hk.mc191.mail.yahoo.com/mc/compose?to=Shorewall-users@lists.sourcefo
rge.net> 
https://lists.sourceforge.net/lists/listinfo/shorewall-users

 

  _____  

Yahoo!香港提供網上安全攻略，教你如何防範黑客!
<http://hk.promo.yahoo.com/security/> 了解更多



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> Hi Tom
>  
> Are you like Super Bowl ?
Yes, indeed.
>  
> I will wait you next week, and I also installing shorewall in another
> same hardware machine for testing.
>
I would start at one of the internal servers that is having problems and:

a) ping 192.168.0.1. If that fails, you have a LAN connectivity issue.
b) ping 210.0.214.119. If that fails, most likely the cause is that the
system that you are pinging from has an incorrect default gateway setting.
c) ping 210.0.214.1. If that fails, look at the traffic with tcpdump; if
you are pinging from 192.168.0.14, then:

	tcpdump -nei eth2 host 210.0.214.127

If you see traffic going out but no traffic coming in, contact your ISP
for assistance. If you see traffic in both directions, check the link
layer (MAC) destination address in the response packets; is it the same
as the source MAC in the outgoing requests? If not, you have an
ARP/bridging issue. See the Shorewall Nat page
(http://www.shorewall.net/3.0/NAT.htm) for instructions for using arping
to try to eliminate the problem.

d) If pinging 210.0.214.1 works, then you have established that your
server can communicate as far as your ISP. If you can''t ping beyond
there BY IP ADDRESS, contact your ISP for help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Tom Eastep wrote:
> c) ping 210.0.214.1. If that fails, look at the traffic with tcpdump; if
> you are pinging from 192.168.0.14, then:
> 
> 	tcpdump -nei eth2 host 210.0.214.127
> 
> If you see traffic going out but no traffic coming in, contact your ISP
> for assistance. If you see traffic in both directions, check the link
> layer (MAC) destination address in the response packets; is it the same
> as the source MAC in the outgoing requests? If not, you have an
> ARP/bridging issue.
Note that http://www.shorewall.net/3.0/NAT.htm#id2479684 includes an
example which shows you how to find the source and destination MAC
addresses (the destination comes first followed by the source).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hello Tom
 
1.) DMZ server that having problem can ping 192.168.0.1 and 210.0.214.119
 
2.) Our ISP blocked 210.0.214.1 ping long time ago.
 
What I should do now?
 
Thanks !

--- 2010年2月7日 星期日，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月7日,星期日,上午12:34


Wilson Kwok wrote:
> Hi Tom
>  
> Are you like Super Bowl ?
Yes, indeed.
>  
> I will wait you next week, and I also installing shorewall in another
> same hardware machine for testing.
>
I would start at one of the internal servers that is having problems and:

a) ping 192.168.0.1. If that fails, you have a LAN connectivity issue.
b) ping 210.0.214.119. If that fails, most likely the cause is that the
system that you are pinging from has an incorrect default gateway setting.
c) ping 210.0.214.1. If that fails, look at the traffic with tcpdump; if
you are pinging from 192.168.0.14, then:

    tcpdump -nei eth2 host 210.0.214.127

If you see traffic going out but no traffic coming in, contact your ISP
for assistance. If you see traffic in both directions, check the link
layer (MAC) destination address in the response packets; is it the same
as the source MAC in the outgoing requests? If not, you have an
ARP/bridging issue. See the Shorewall Nat page
(http://www.shorewall.net/3.0/NAT.htm) for instructions for using arping
to try to eliminate the problem.

d) If pinging 210.0.214.1 works, then you have established that your
server can communicate as far as your ISP. If you can''t ping beyond
there BY IP ADDRESS, contact your ISP for help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Wilson Kwok wrote:
> Hello Tom
>  
> 1.) DMZ server that having problem can ping 192.168.0.1 and 210.0.214.119
>  
> 2.) Our ISP blocked 210.0.214.1 ping long time ago.
>  
> What I should do now?
>  
Wilson -- please keep in mind that this is *your* problem, not mine. So
please don''t expect me to solve it for you.

I suggest that while running the same tcpdump command as I gave you in
the previous post, try pinging the external address (e.g.,
210.0.214.127) from an external internet host. If you don''t see the
packets, call your ISP.

If you see the packets and the destination MAC address isn''t
00:0a:cd:0f:66:bb, then proceed as described at
http://www.shorewall.net/3.0/NAT.htm#id2479684.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hello Tom
 
I known this is my problem, it''s because I want to make sure not the
hardware problem before to use your methods.
 
Thanks !!

--- 2010年2月7日 星期日，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月7日,星期日,下午10:52


Wilson Kwok wrote:
> Hello Tom
>  
> 1.) DMZ server that having problem can ping 192.168.0.1 and 210.0.214.119
>  
> 2.) Our ISP blocked 210.0.214.1 ping long time ago.
>  
> What I should do now?
>  
Wilson -- please keep in mind that this is *your* problem, not mine. So
please don''t expect me to solve it for you.

I suggest that while running the same tcpdump command as I gave you in
the previous post, try pinging the external address (e.g.,
210.0.214.127) from an external internet host. If you don''t see the
packets, call your ISP.

If you see the packets and the destination MAC address isn''t
00:0a:cd:0f:66:bb, then proceed as described at
http://www.shorewall.net/3.0/NAT.htm#id2479684.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      Yahoo!香港提供網上安全攻略，教你如何防範黑客! 請前往 http://hk.promo.yahoo.com/security/ 了解更多!

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Hello Tom
 
I''m trying to ping 210.0.214.127 from external host, it''s
request time out, but I can ping 210.0.214.119, I accepted in policy and rules
file before try to ping.
 
Policy:
net             dmz              DROP            info
net             $FW             ACCEPT         info
net             loc                DROP            info
net             all                 DROP            info

Rules:
Ping/ACCEPT     net             $FW

Thanks !


--- 2010年2月7日 星期日，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月7日,星期日,下午10:52


Wilson Kwok wrote:
> Hello Tom
>  
> 1.) DMZ server that having problem can ping 192.168.0.1 and 210.0.214.119
>  
> 2.) Our ISP blocked 210.0.214.1 ping long time ago.
>  
> What I should do now?
>  
Wilson -- please keep in mind that this is *your* problem, not mine. So
please don''t expect me to solve it for you.

I suggest that while running the same tcpdump command as I gave you in
the previous post, try pinging the external address (e.g.,
210.0.214.127) from an external internet host. If you don''t see the
packets, call your ISP.

If you see the packets and the destination MAC address isn''t
00:0a:cd:0f:66:bb, then proceed as described at
http://www.shorewall.net/3.0/NAT.htm#id2479684.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Tue, 2010-02-09 at 08:24 +0800, Wilson Kwok wrote:
> Hello Tom
>  
> I''m trying to ping 210.0.214.127 from external host, it''s
request time
> out, but I can ping 210.0.214.119, I accepted in policy and rules file
> before try to ping.
>  
> Policy:
> net             dmz              DROP            info
> net             $FW             ACCEPT         info
> net             loc                DROP            info
> net             all                 DROP            info
> 
> Rules:
> Ping/ACCEPT     net             $FW
> 
Wilson, 

I give you complete instructions for diagnosing the problem; did you
follow them? If so, what was the result. I can''t help you if you ignore
what I tell you and go off doing something else. 

Because you are forwarding 210.0.214.127 to your dmz, you would need
this rule:

Ping/ACCEPT	net	dmz

BUT YOU DON''T NEED ANY RULES TO FOLLOW THE INSTRUCTIONS THAT I GAVE
YOU.

We are trying to determine if the packets are even reaching your
firewall and if so, do they have the correct L2 address. All the rules
in the world won''t fix the problem if the packets aren''t even
reaching
your firewall. You are wasting both your time and mine. 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Tom, don''t angry first.
 
I checked is the MAC address problem and called ISP to reset the gateway router.
I will post update status for you.
 
Thanks !!!

--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午9:00


On Tue, 2010-02-09 at 08:24 +0800, Wilson Kwok wrote:
> Hello Tom
>  
> I''m trying to ping 210.0.214.127 from external host, it''s
request time
> out, but I can ping 210.0.214.119, I accepted in policy and rules file
> before try to ping.
>  
> Policy:
> net             dmz              DROP            info
> net             $FW             ACCEPT         info
> net             loc                DROP            info
> net             all                 DROP            info
> 
> Rules:
> Ping/ACCEPT     net             $FW
> 
Wilson, 

I give you complete instructions for diagnosing the problem; did you
follow them? If so, what was the result. I can''t help you if you ignore
what I tell you and go off doing something else. 

Because you are forwarding 210.0.214.127 to your dmz, you would need
this rule:

Ping/ACCEPT    net    dmz

BUT YOU DON''T NEED ANY RULES TO FOLLOW THE INSTRUCTIONS THAT I GAVE
YOU.

We are trying to determine if the packets are even reaching your
firewall and if so, do they have the correct L2 address. All the rules
in the world won''t fix the problem if the packets aren''t even
reaching
your firewall. You are wasting both your time and mine. 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

And I forget to tell you, we''re testing another firewall in this few
weeks, so I checked the ISP router cached the testing firewall MAC on external
interface.
 
Thanks !!

--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午9:00


On Tue, 2010-02-09 at 08:24 +0800, Wilson Kwok wrote:
> Hello Tom
>  
> I''m trying to ping 210.0.214.127 from external host, it''s
request time
> out, but I can ping 210.0.214.119, I accepted in policy and rules file
> before try to ping.
>  
> Policy:
> net             dmz              DROP            info
> net             $FW             ACCEPT         info
> net             loc                DROP            info
> net             all                 DROP            info
> 
> Rules:
> Ping/ACCEPT     net             $FW
> 
Wilson, 

I give you complete instructions for diagnosing the problem; did you
follow them? If so, what was the result. I can''t help you if you ignore
what I tell you and go off doing something else. 

Because you are forwarding 210.0.214.127 to your dmz, you would need
this rule:

Ping/ACCEPT    net    dmz

BUT YOU DON''T NEED ANY RULES TO FOLLOW THE INSTRUCTIONS THAT I GAVE
YOU.

We are trying to determine if the packets are even reaching your
firewall and if so, do they have the correct L2 address. All the rules
in the world won''t fix the problem if the packets aren''t even
reaching
your firewall. You are wasting both your time and mine. 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Here is what I checked:
 
This IP address 210.0.214.121 is no problem, you can see the MAC address
(firewall external interface: 00:0a:cd:0f:66:bb) and (ISP router MAC address:
00:05:3b:60:c0:57):
 
10:21:51.276188 00:05:3b:60:c0:57 > 00:0a:cd:0f:66:bb, ethertype IPv4
(0x0800), length 62: 221.127.14.48.32481 > 210.0.214.121.http: S
2808036249:2808036249(0) win 65535 <mss 1440,nop,nop,sackOK>
10:21:51.276353 00:0a:cd:0f:66:bb > 00:05:3b:60:c0:57, ethertype IPv4
(0x0800), length 62: 210.0.214.121.http > 221.127.14.48.32481: S
3041452640:3041452640(0) ack 2808036250 win 5840 <mss 1460,nop,nop,sackOK>

 
This IP address 210.0.214.127 is can''t connect to internet, the MAC
address 00:01:03:2a:67:25 is the testing firewall external MAC address:
 
10:20:01.802065 00:05:3b:60:c0:57 > 00:01:03:2a:67:25, ethertype IPv4
(0x0800), length 62: 221.127.14.48.32458 > 210.0.214.127.http: S
3300503728:3300503728(0) win 65535 <mss 1440,nop,nop,sackOK>



--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午9:00


On Tue, 2010-02-09 at 08:24 +0800, Wilson Kwok wrote:
> Hello Tom
>  
> I''m trying to ping 210.0.214.127 from external host, it''s
request time
> out, but I can ping 210.0.214.119, I accepted in policy and rules file
> before try to ping.
>  
> Policy:
> net             dmz              DROP            info
> net             $FW             ACCEPT         info
> net             loc                DROP            info
> net             all                 DROP            info
> 
> Rules:
> Ping/ACCEPT     net             $FW
> 
Wilson, 

I give you complete instructions for diagnosing the problem; did you
follow them? If so, what was the result. I can''t help you if you ignore
what I tell you and go off doing something else. 

Because you are forwarding 210.0.214.127 to your dmz, you would need
this rule:

Ping/ACCEPT    net    dmz

BUT YOU DON''T NEED ANY RULES TO FOLLOW THE INSTRUCTIONS THAT I GAVE
YOU.

We are trying to determine if the packets are even reaching your
firewall and if so, do they have the correct L2 address. All the rules
in the world won''t fix the problem if the packets aren''t even
reaching
your firewall. You are wasting both your time and mine. 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Tue, 2010-02-09 at 10:23 +0800, Wilson Kwok wrote:
> Here is what I checked:
>  
> This IP address 210.0.214.121 is no problem, you can see the MAC
> address (firewall external interface: 00:0a:cd:0f:66:bb) and (ISP
> router MAC address: 00:05:3b:60:c0:57):
>  
> 10:21:51.276188 00:05:3b:60:c0:57 > 00:0a:cd:0f:66:bb, ethertype IPv4
> (0x0800), length 62: 221.127.14.48.32481 > 210.0.214.121.http: S
> 2808036249:2808036249(0) win 65535 <mss 1440,nop,nop,sackOK>
> 10:21:51.276353 00:0a:cd:0f:66:bb > 00:05:3b:60:c0:57, ethertype IPv4
> (0x0800), length 62: 210.0.214.121.http > 221.127.14.48.32481: S
> 3041452640:3041452640(0) ack 2808036250 win 5840 <mss
> 1460,nop,nop,sackOK>
> 
>  
> This IP address 210.0.214.127 is can''t connect to internet, the
MAC
> address 00:01:03:2a:67:25 is the testing firewall external MAC
> address:
>  
> 
Have you reconfigured 192.168.0.14 to use the internal IP address of the
test firewall as its default gateway?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

All DMZ firewall didn''t change IP address during replacing test
firewall, so the 192.168.0.14 has not been changed.
 
Thanks !

--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午10:34


On Tue, 2010-02-09 at 10:23 +0800, Wilson Kwok wrote:
> Here is what I checked:
>  
> This IP address 210.0.214.121 is no problem, you can see the MAC
> address (firewall external interface: 00:0a:cd:0f:66:bb) and (ISP
> router MAC address: 00:05:3b:60:c0:57):
>  
> 10:21:51.276188 00:05:3b:60:c0:57 > 00:0a:cd:0f:66:bb, ethertype IPv4
> (0x0800), length 62: 221.127.14.48.32481 > 210.0.214.121.http: S
> 2808036249:2808036249(0) win 65535 <mss 1440,nop,nop,sackOK>
> 10:21:51.276353 00:0a:cd:0f:66:bb > 00:05:3b:60:c0:57, ethertype IPv4
> (0x0800), length 62: 210.0.214.121.http > 221.127.14.48.32481: S
> 3041452640:3041452640(0) ack 2808036250 win 5840 <mss
> 1460,nop,nop,sackOK>
> 
>  
> This IP address 210.0.214.127 is can''t connect to internet, the
MAC
> address 00:01:03:2a:67:25 is the testing firewall external MAC
> address:
>  
> 
Have you reconfigured 192.168.0.14 to use the internal IP address of the
test firewall as its default gateway?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

On Tue, 2010-02-09 at 10:44 +0800, Wilson Kwok wrote:
> All DMZ firewall didn''t change IP address during replacing test
> firewall, so the 192.168.0.14 has not been changed.
> 
Then I have no clue what you are doing. Please don''t ask me for any
additional help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

I think I have missed something from you, but previous post that included
external host to use http request to 210.0.214.127 and 210.0.214.127 already map
to DMZ server 192.168.0.14, this 192.168.0.14 didn''t changed IP address
for both shorewall and test firewall. Is the previous log was incorrect ?
 
I known I''m giving inconvenient to you, if you want me to change
something I must follow !
 
Thanks !

--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午10:52


On Tue, 2010-02-09 at 10:44 +0800, Wilson Kwok wrote:
> All DMZ firewall didn''t change IP address during replacing test
> firewall, so the 192.168.0.14 has not been changed.
> 
Then I have no clue what you are doing. Please don''t ask me for any
additional help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Dear Tom
 
I sovled this problem, is the incorrectly MAC address issue.
 
I used one Windows XP computer directly connected to ISP cable and then enter
that public IP address, used ping to gmail.com and remote at home computer ping
back to this public IP address. I think the ISP router released ARP cache by
this method.
 
Thank you !!!!!

--- 2010年2月9日 星期二，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月9日,星期二,上午10:52


On Tue, 2010-02-09 at 10:44 +0800, Wilson Kwok wrote:
> All DMZ firewall didn''t change IP address during replacing test
> firewall, so the 192.168.0.14 has not been changed.
> 
Then I have no clue what you are doing. Please don''t ask me for any
additional help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________
 YM - 離線訊息
 就算你沒有上網，你的朋友仍可以留下訊息給你，當你上網時就能立即看到，任何說話都冇走失。
 http://messenger.yahoo.com.hk

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev

Wilson Kwok wrote:
> Dear Tom
>  
> I sovled this problem, is the incorrectly MAC address issue.
>  
> I used one Windows XP computer directly connected to ISP cable and then
> enter that public IP address, used ping to gmail.com and remote at home
> computer ping back to this public IP address. I think the ISP router
> released ARP cache by this method.
>  
> Thank you !!!!!
Glad to hear that you resolved the issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev

Thank you :)

--- 2010年2月12日 星期五，Tom Eastep <teastep@shorewall.net> 寫道﹕


寄件人: Tom Eastep <teastep@shorewall.net>
主題: Re: [Shorewall-users] Two DMZ servers can''t be access from internet
and can''t ping internet IP address.
收件人: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
日期: 2010年2月12日,星期五,下午11:03


Wilson Kwok wrote:
> Dear Tom
>  
> I sovled this problem, is the incorrectly MAC address issue.
>  
> I used one Windows XP computer directly connected to ISP cable and then
> enter that public IP address, used ping to gmail.com and remote at home
> computer ping back to this public IP address. I think the ISP router
> released ARP cache by this method.
>  
> Thank you !!!!!
Glad to hear that you resolved the issue.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----內含下列附件-----


------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
-----內含下列附件-----


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



      

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev