Hello,

I am running a Debian testing box including shorewall 4.5.3. In the interest of service separation, the machine serves as the host to multiple LXC guests. I have set up apt-cacher-ng on the host (listening on 3124) and added

> ACCEPT dmz $FW tcp 3124

to my rules file. I remain, however, unable to connect to that port from the guests in the dmz and the syslog keeps showing

> Jun 3 09:57:43 h2030617 kernel: [2464058.563255]
> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0

I attach the status.txt as requested on shorewall.net. Please point out follies.

Sincerely,
Joh

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 03/06/12 19:15, Johannes Graumann wrote:
> ...
> I have set up apt-cacher-ng on the host (listening on 3124) and added
>> ACCEPT dmz $FW tcp 3124
                         ^^^^
> ...
>> Jun 3 09:57:43 h2030617 kernel: [2464058.563255]
>> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
>> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
>> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
>> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0
             ^^^^^^^^

Note the difference in ports: 3142 vs. 3124. You need to make your configuration match what's actually happening.

Paul
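Paul's diagnosis is a digit transposition that a mechanical cross-check of the log line against the rules file would have caught. As an added example (not from this thread or the Shorewall project), a small Python checker that parses a Shorewall REJECT log line and the ACTION SOURCE DEST PROTO DPORT columns of a rules file, then reports whether the file already has a matching ACCEPT rule (pointing at a stale running ruleset) or an ACCEPT rule whose port is the same digits in a different order; it assumes numeric ports and single-zone SOURCE/DEST columns.

```python
import re

RULES_TEXT = "ACCEPT dmz $FW tcp 3124\n"  # constructed from the rule quoted in the thread
LOG_LINE = ("Jun 3 09:57:43 h2030617 kernel: [2464058.563255] Shorewall:dmz2fw:REJECT:"
            "IN=br0.tun0 OUT= PHYSIN=vethYn3soH SRC=10.10.10.100 DST=10.10.10.1 "
            "PROTO=TCP SPT=36124 DPT=3142 SYN URGP=0")  # constructed, trimmed log line

def parse_log(line):
    """Pull chain (SRCZONE2DSTZONE), disposition and packet fields from a Shorewall log line."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)$", line)
    if not m:
        return None
    chain, disp, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)  # skips flags like SYN
    return {"chain": chain, "disposition": disp, "proto": fields.get("PROTO", "").lower(),
            "dport": int(fields["DPT"]) if fields.get("DPT") else None}

def expand_ports(spec):
    """Expand a DPORT column ('3124', '80,443', '6000:6010') into a set of ints; '-' means any."""
    if spec == "-":
        return None
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rules(text):
    """Parse ACTION SOURCE DEST PROTO DPORT columns; chain is SRC2DST with $FW written as 'fw'."""
    rules = []
    for raw in text.splitlines():
        cols = [("fw" if c == "$FW" else c) for c in raw.split("#", 1)[0].split()]
        if len(cols) >= 5:  # ACTION may carry a log level suffix such as ACCEPT:info
            rules.append({"action": cols[0].split(":")[0].upper(), "chain": f"{cols[1]}2{cols[2]}",
                          "proto": cols[3].lower(), "dports": expand_ports(cols[4])})
    return rules

def explain_reject(line, rules_text):
    """Check a logged REJECT against the file's ACCEPT rules for the same chain and protocol."""
    pkt = parse_log(line)
    if pkt is None or pkt["disposition"] != "REJECT":
        return ("not_a_reject", None)
    same_path = [r for r in parse_rules(rules_text) if r["action"] == "ACCEPT"
                 and r["chain"] == pkt["chain"] and r["proto"] in ("all", pkt["proto"])]
    for r in same_path:
        if r["dports"] is None or pkt["dport"] in r["dports"]:
            return ("rule_in_file_matches", sorted(r["dports"] or ()))  # file allows it: stale ruleset?
    # Same digits in another order: the 3124 vs 3142 transposition from the thread.
    near = sorted({p for r in same_path for p in (r["dports"] or ())
                   if sorted(str(p)) == sorted(str(pkt["dport"]))})
    return ("no_accept_rule", {"dport": pkt["dport"], "transposed_candidates": near})
```

Running explain_reject(LOG_LINE, RULES_TEXT) reports no ACCEPT rule for 3142 and names 3124 as a transposed candidate.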
Paul Gear wrote:
> On 03/06/12 19:15, Johannes Graumann wrote:
>> ...
>> I have set up apt-cacher-ng on the host (listening on 3124) and added
>>> ACCEPT dmz $FW tcp 3124
>                          ^^^^
>
>> ...
>>> Jun 3 09:57:43 h2030617 kernel: [2464058.563255]
>>> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
>>> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
>>> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
>>> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0
>              ^^^^^^^^
>
> Note the difference in ports: 3142 vs. 3124. You need to make your

Thank you so much - my dyslexia strikes again. Sorry for the noise.

Joh