Hi!
Been away from the list for a short while.

I have just got Shorewall 4.5.15 up and running at a customer with two ISPs. One is a leased line and the other is an ADSL line.

It almost works as planned but not quite! First of all the ADSL line proved to be very flaky! Up and down many times in a day! Not too much of an issue really as I just did

    ip link set eno3 down

and that solved that problem for a bit!

All inbound traffic to smtp, ssh, rdp, http etc work as they should. The rdp is DNAT'd to the customer's Baan server. All outbound traffic from the FW zone works as expected.

Problem comes from internal users! All of them! I use normal MASQ type SNAT to masquerade all users out! Most of them it's normal web browsing and a few make the standard Windows vpn connection to their only customer. All users also access their That is where it starts to come unglued. All users get times when they cannot access pop3 or imap on the FW server. At times they cannot access any internet. Also at times only one user can make a vpn connection. Just had the Windows support guy on the phone. He was Team Viewer'd into the CFO notebook and that worked fine. He could not ping any ip address on the internet but from a Windows server he could. I restarted shorewall and after a short time he could ping an external ip address and mail - imap - worked again!

I've looked through my shorewall config and nothing really jumps out at me! I have attached a shorewall dump in gzip format! I've looked at it and again nothing looks wrong to my poor old untrained eyes!

TIA!
Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yeshua Loves You!

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management.
Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
On 8/22/2013 9:32 AM, Angela Williams wrote:
> It almost works as planned but not quite! First of all the ADSL line
> proved to be very flaky! Up and down many times in a day! Not too much of
> an issue really as I just did
> ip link set eno3 down
> and that solved that problem for a bit!
>
> Problem comes from internal users! All of them! I use normal MASQ type
> SNAT to masquerade all users out! [...] All users get times when they
> cannot access pop3 or imap on the FW server. At times they cannot access
> any internet. Also at times only one user can make a vpn connection.
> [...] I restarted shorewall and after a short time he could ping an
> external ip address and mail - imap - worked again!

With eno3 down, you must disable that interface in Shorewall. It is currently enabled, so any traffic that attempts to go out of that interface will fail.

Be sure that eno3 has the 'optional' option in /etc/shorewall/interfaces.
-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
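One way to check for the missing 'optional' option Tom points to, as an added example that is not part of the thread and not Shorewall's own tooling: the interfaces file content is constructed to mirror the setup described above, and the `?FORMAT 2` column layout (ZONE INTERFACE OPTIONS) is assumed. Without 'optional', `shorewall disable eno3` has nothing to act on when the ADSL link is taken down.

```shell
#!/bin/sh
# Added example: verify that an interface in /etc/shorewall/interfaces carries
# the 'optional' option (needed before 'shorewall disable eno3' can be used),
# and emit a corrected file if it does not.
# Constructed sample in the assumed ?FORMAT 2 layout: eno3 (the flaky ADSL
# link from the thread) lacks 'optional'.
SAMPLE_INTERFACES='?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eno2        tcpflags,nosmurfs
net     eno3        dhcp,tcpflags
loc     eno1        tcpflags,routeback'

# Print the OPTIONS column of the named interface (stdin = interfaces file).
iface_options() {
    awk -v ifc="$1" '$1 !~ /^[#?]/ && $2 == ifc { print $3 }'
}

# Exit 0 only if the named interface lists 'optional' among its options.
has_optional() {
    iface_options "$1" | tr ',' '\n' | grep -qx optional
}

# Copy the interfaces file to stdout with 'optional' appended to the named
# interface; an empty or "-" OPTIONS column becomes just "optional".
add_optional() {
    awk -v ifc="$1" 'BEGIN { OFS = "\t" }
        $1 !~ /^[#?]/ && $2 == ifc && $3 !~ /(^|,)optional(,|$)/ {
            $3 = ($3 == "" || $3 == "-") ? "optional" : $3 ",optional"
        }
        { print }'
}

# Demonstration: report the defect, fix it, and re-check the fixed copy.
if printf '%s\n' "$SAMPLE_INTERFACES" | has_optional eno3; then
    echo "eno3 already has optional"
else
    echo "eno3 lacks optional: 'shorewall disable eno3' would not apply"
fi
FIXED=$(printf '%s\n' "$SAMPLE_INTERFACES" | add_optional eno3)
printf '%s\n' "$FIXED" | has_optional eno3 \
    && echo "fixed eno3 options: $(printf '%s\n' "$FIXED" | iface_options eno3)"
```

The fixed copy still has to be written back to /etc/shorewall/interfaces and the firewall restarted before the disable/enable commands take effect.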
Hi Tom!

On 23/08/2013 22:03, Tom Eastep wrote:
> With eno3 down, you must disable that interface in Shorewall. It is
> currently enabled, so any traffic that attempts to go out of that
> interface will fail.

I sort of thought about that and figured out how the lsm "script" did it!

> Be sure that eno3 has the 'optional' option in /etc/shorewall/interfaces.

That's true! I was just under too much stress!

I did solve the M$ VPN problem by enabling the pptp conntrack module in the kernel! It in turn enables the gre stuff! I'll only give it another test once the customer has sorted out a new contract with their customer and their USA head office is off their back!

Lots of other red herrings at the site as well! Like the dreaded Symantec antivirus wonderful firewall breaking things!

Thanks again for your help!
Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yeshua Loves You!