-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am having some weird issues that I can't quite figure out.

My first issue is that if I am logged into the box running shorewall I
cannot SSH to a machine sitting on the local LAN segment; shorewall
rejects the packet with this log:

Aug 5 11:40:57 fw2loc:REJECT:IN= OUT=eth2 SRC=192.168.1.1
DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42913 DF PROTO=TCP
SPT=59475 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

I can access this box from elsewhere on the LAN successfully.

My second issue is that I have the following rule set up in
/etc/shorewall/rules to redirect packets coming in on 450 to an internal
server listening on 443:

DNAT net loc:192.168.1.4:443 tcp 450

Shorewall logs this response:

Aug 5 11:38:31 net2fw:DROP:IN=eth0 OUT= SRC=75.216.232.209
DST=76.5.159.171 LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=35055 DF PROTO=TCP
SPT=57483 DPT=450 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1

Thanks,
Stephen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkxa3R4ACgkQ3sJXNEncx7g46gCcClq/YMo5/Khpdug1tOnVQXlM
jKUAn3IbyD0l+SFHGTa5JjbMG8LpQOeC
=QbrV
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share
of $1 Million in cash or HP Products. Visit us here for more details:
http://p.sf.net/sfu/dev2dev-palm
On 8/5/10 8:47 AM, Stephen Brown wrote:
> I am having some weird issues that I can't quite figure out.
>
> My first issue is if I am logged into the box running shorewall I can
> not SSH to a machine sitting on the local LAN segment, shorewall rejects
> the packet with this log:
>
> Aug 5 11:40:57 fw2loc:REJECT:IN= OUT=eth2 SRC=192.168.1.1
> DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42913 DF PROTO=TCP
> SPT=59475 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I can access this box elsewhere on the LAN successfully.

Looks like you don't have an ACCEPT rule for SSH fw->loc.

> My second issue is that I have the following rule setup in
> /etc/shorewall/rules to redirect packets coming on 450 to an internal
> server listening on 443:
>
> DNAT net loc:192.168.1.4:443 tcp 450
>
> Shorewall logs this response:
>
> Aug 5 11:38:31 net2fw:DROP:IN=eth0 OUT= SRC=75.216.232.209
> DST=76.5.159.171 LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=35055 DF PROTO=TCP
> SPT=57483 DPT=450 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1

First, follow all of the DNAT troubleshooting tips in FAQs 1a and 1b.

If that fails to resolve the issue, then install the conntrack package
and 'shorewall restart -p' (or reboot the firewall).

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
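The two log lines in the thread carry everything needed to tell the two problems apart: the Shorewall log prefix names the zone-pair chain and disposition (fw2loc:REJECT, net2fw:DROP), and the netfilter fields give protocol and destination port. Below is an added example, written for this page rather than taken from the thread or from Shorewall itself, that parses such lines and classifies each drop: a REJECT in a zone-pair chain with no matching rule yields the rules-file ACCEPT line Tom points at, while a net2fw DROP whose destination port is one of the configured DNAT ports is flagged as "DNAT not applied", since a translated packet would never reach the filter table with the original port. Assumptions, labelled in the code: zone names contain no digit 2 (so "A2B" splits cleanly), the DNAT port set is constructed from the single rule in the thread, and the sample lines are the page's own, minus the hostname and "kernel:" prefix the extraction dropped.

```python
"""Triage Shorewall/netfilter log lines: missing ACCEPT vs. DNAT not applied.

Added example for this thread; not Shorewall code and not from the original post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the two log lines quoted in the thread, as they
# appear on the page (syslog hostname and "kernel:" prefix already stripped).
SAMPLE_LOG = (
    "Aug 5 11:40:57 fw2loc:REJECT:IN= OUT=eth2 SRC=192.168.1.1 DST=192.168.1.4 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42913 DF PROTO=TCP SPT=59475 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0\n"
    "Aug 5 11:38:31 net2fw:DROP:IN=eth0 OUT= SRC=75.216.232.209 DST=76.5.159.171 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=35055 DF PROTO=TCP SPT=57483 DPT=450 "
    "WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1\n"
)

# External ports that /etc/shorewall/rules DNATs from net into loc.
# Constructed from the one rule in the thread: "DNAT net loc:192.168.1.4:443 tcp 450".
DNAT_PORTS: Set[int] = {450}

# "<src>2<dst>:<disposition>:" is the Shorewall log prefix.  Any LOGFORMAT text
# in front of it (such as "Shorewall:") is skipped because search() is used.
PREFIX_RE = re.compile(r"(?P<chain>[A-Za-z0-9_-]+):(?P<disp>[A-Z]+):")


@dataclass
class LogEvent:
    chain: str                                            # e.g. "fw2loc"
    disposition: str                                      # e.g. "REJECT"
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: Set[str] = field(default_factory=set)          # bare tokens: DF, SYN


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one netfilter LOG line; None if it carries no Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    ev = LogEvent(m.group("chain"), m.group("disp"))
    for tok in line[m.end():].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            ev.fields[k] = v          # "IN=" yields "", exactly as logged
        else:
            ev.flags.add(tok)
    return ev


def zone_pair(chain: str) -> Optional[Tuple[str, str]]:
    """Split a Shorewall zone-pair chain name "A2B" into ("A", "B").

    Assumption: the zone names contain no '2' themselves (true for fw, loc, net).
    """
    src, sep, dst = chain.partition("2")
    if not sep or not src or not dst:
        return None
    return src, dst


def rules_zone(z: str) -> str:
    # The firewall's own zone is written as $FW in /etc/shorewall/rules.
    return "$FW" if z == "fw" else z


def triage(ev: LogEvent, dnat_ports: Set[int]) -> Tuple[str, str]:
    """Classify a dropped/rejected packet; returns (category, detail).

    detail is a ready-to-paste rules-file line for "missing-accept" and an
    explanation for "dnat-not-applied".
    """
    zp = zone_pair(ev.chain)
    if zp is None or ev.disposition not in ("DROP", "REJECT"):
        return ("ignore", "")
    src, dst = zp
    proto = ev.fields.get("PROTO", "").lower()
    dpt = ev.fields.get("DPT", "")
    # A packet in the *2fw chain still addressed to a port that should have been
    # DNATed means the nat-table rule did not match, so the filter table saw the
    # untranslated destination.  Adding an ACCEPT would be the wrong fix here.
    if dst == "fw" and dpt.isdigit() and int(dpt) in dnat_ports:
        return ("dnat-not-applied",
                f"{proto}/{dpt} from {ev.fields.get('SRC')} reached {ev.chain} "
                f"untranslated (DST={ev.fields.get('DST')}); the DNAT rule did not "
                "match - check the nat table and conntrack before adding rules")
    return ("missing-accept",
            f"ACCEPT {rules_zone(src)} {rules_zone(dst)} {proto} {dpt}")


def triage_log(text: str, dnat_ports: Set[int]) -> List[Tuple[str, str, str]]:
    """Return (chain, category, detail) for every parseable line in text."""
    out: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            out.append((ev.chain, *triage(ev, dnat_ports)))
    return out


if __name__ == "__main__":
    for chain, cat, detail in triage_log(SAMPLE_LOG, DNAT_PORTS):
        print(f"{chain:8s} {cat:17s} {detail}")
```

Run against the sample, the first line produces "ACCEPT $FW loc tcp 22" (the rule Stephen later added) and the second is classified as a DNAT that did not take effect, which matches the advice to work through the DNAT FAQ entries and restart rather than open port 450 to the firewall.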
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*sigh* well I just had a "duh" moment... I added the rule for SSH and
it's working now :)

As for the port redirect, that is working as well after I did a
shorewall restart.

Thanks!
Stephen

On 8/5/10 11:58 AM, Tom Eastep wrote:
> On 8/5/10 8:47 AM, Stephen Brown wrote:
>> I am having some weird issues that I can't quite figure out.
>>
>> My first issue is if I am logged into the box running shorewall I can
>> not SSH to a machine sitting on the local LAN segment, shorewall rejects
>> the packet with this log:
>>
>> Aug 5 11:40:57 fw2loc:REJECT:IN= OUT=eth2 SRC=192.168.1.1
>> DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42913 DF PROTO=TCP
>> SPT=59475 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> I can access this box elsewhere on the LAN successfully.
>
> Looks like you don't have an ACCEPT rule for SSH fw->loc.
>
>> My second issue is that I have the following rule setup in
>> /etc/shorewall/rules to redirect packets coming on 450 to an internal
>> server listening on 443:
>>
>> DNAT net loc:192.168.1.4:443 tcp 450
>>
>> Shorewall logs this response:
>>
>> Aug 5 11:38:31 net2fw:DROP:IN=eth0 OUT= SRC=75.216.232.209
>> DST=76.5.159.171 LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=35055 DF PROTO=TCP
>> SPT=57483 DPT=450 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x1
>
> First, follow all of the DNAT troubleshooting tips in FAQs 1a and 1b.
>
> If that fails to resolve the issue, then install the conntrack package
> and 'shorewall restart -p' (or reboot the firewall).
>
> -Tom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkxa88MACgkQ3sJXNEncx7jODgCfaFoRehAdCjxPcC7stBNLUnwp
r6EAnjet2DjCwtZYXk1S/YsV459ElvEW
=n9l7
-----END PGP SIGNATURE-----