J. R. Barreras | 30 Aug 17:29 2006

Re: how model this?


Of course, but a page with many topologies would be helpful...
I'm doing my own. When I have it completed, I'll send it to you.
C u!
Barreras

Tom Eastep wrote:
> J. R. Barreras wrote:
>> Hi!
>> No problem!! The language is always problematic... :)
>> Tom was right. I did not know what doc to read!! :)
>> Maybe it could be useful to have a summary of all network topologies with
>> references to the docs sections. What do you think about it?
> 
> 
> I think it would be very useful if users would spend a few minutes with
> www.shorewall.net/Documentation_Index.html to familiarize themselves
> with what is there.
> 
> -Tom
> 
> 

Ismael Milach da Silveira | 30 Aug 21:25 2006

SNAT not working

Guys, I'm trying to make a rule so the local network would be able to reach a local workstation's port by using the external IP, is that possible?
 
Here's my "masq" file:
#####################
eth1:192.168.123.24       eth1            192.168.123.254    tcp     8080
eth0    eth1
######################
 
Where eth0 is my external interface, eth1 is the local one, 123.24 is the local machine I want to reach and 123.254 is eth1's IP.
 
It works fine using DNS "views", but I just wonder if it'd work using SNAT.
 
 
Debian 3.1, shorewall 3.0.5, kernel 2.6.12
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep | 30 Aug 21:27 2006

Default Action for QUEUE or ACCEPT Policy?

Shorewall permits definition of a Default Action (Formerly known as
"Common Action") for DROP, REJECT, ACCEPT and QUEUE policies through the
use of special entries in /etc/shorewall/actions. The mechanism for
defining these actions will be changing in 3.3 and I'm interested to
know if anyone has found a use for this feature with the ACCEPT and
QUEUE policies. I'm considering restricting this feature to DROP and
REJECT but I don't want to cause difficulties for existing users.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep | 30 Aug 21:30 2006

Re: SNAT not working

On Wed, 2006-08-30 at 16:25 -0300, Ismael Milach da Silveira wrote:
> Guys, I'm trying to make a rule so the local network would be able to
> reach a local workstation's port by using the external IP, is that
> possible?
>  
> Here's my "masq" file:
> #####################
> eth1:192.168.123.24       eth1            192.168.123.254    tcp
> 8080
> eth0    eth1
> 
> ######################
>  
> Where eth0 is my external interface, eth1 is the local one, 123.24 is
> the local machine I want to reach and 123.254 is eth1's IP.
>  
> It works fine using DNS "views", but I just wonder if It'd work using
> SNAT.

All of the steps necessary to do this are given in the answer to
Shorewall FAQ 2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
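The recipe Tom points at (Shorewall FAQ 2) comes down to two translations on the firewall for a LAN client that connects to the external address: a DNAT to the published workstation, and an SNAT of the client's address to eth1's address so the workstation's reply comes back through the firewall instead of going straight across the LAN. The Python model below is added here and is not from the thread or from Shorewall; it uses the addresses from the post (workstation 192.168.123.24, eth1 at 192.168.123.254, port 8080) and two constructed ones (external address 203.0.113.10, client 192.168.123.50, both assumptions since the post never gives them), and shows why a DNAT on its own leaves the client with a reply from the wrong source address.

```python
"""Added example (not from the thread): a small model of the two translations
a firewall needs so a LAN host can reach a LAN server through the external
address, showing why the masq (SNAT) entry matters and not only the DNAT."""
from dataclasses import dataclass
import ipaddress

# Addresses from the thread. The external address of eth0 was never given in
# the post, so 203.0.113.10 is a constructed stand-in.
LAN = ipaddress.ip_network("192.168.123.0/24")
FW_LAN_IP = "192.168.123.254"   # eth1 address (firewall's LAN side)
SERVER = "192.168.123.24"       # the workstation being published
SERVER_PORT = 8080
EXTERNAL_IP = "203.0.113.10"    # assumption: eth0 public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def firewall_translate(pkt, snat_to_eth1):
    """Apply what the firewall does to a LAN packet aimed at EXTERNAL_IP:8080.
    DNAT rewrites the destination to the server; with snat_to_eth1 the source
    is also rewritten to the firewall's eth1 address. Returns (translated
    packet, conntrack entry) where the entry lets the reply be mapped back."""
    if (pkt.dst, pkt.dport) != (EXTERNAL_IP, SERVER_PORT):
        return pkt, None  # not a published port; nothing to do in this model
    out = Packet(pkt.src, pkt.sport, SERVER, SERVER_PORT)
    if snat_to_eth1 and ipaddress.ip_address(pkt.src) in LAN:
        out = Packet(FW_LAN_IP, pkt.sport, SERVER, SERVER_PORT)
    return out, {"orig": pkt, "translated": out}


def reverse_translate(reply, conntrack):
    """Undo both translations for a reply that came back through the firewall."""
    if conntrack is None or reply != conntrack["translated"].reply():
        return None
    return conntrack["orig"].reply()


def client_gets_usable_reply(snat_to_eth1):
    """Run one request/reply through the model and report whether the client's
    socket sees a reply from the address and port it connected to."""
    client = Packet("192.168.123.50", 40000, EXTERNAL_IP, SERVER_PORT)  # constructed LAN client
    fwd, ct = firewall_translate(client, snat_to_eth1)
    server_reply = fwd.reply()
    if ipaddress.ip_address(server_reply.dst) in LAN and server_reply.dst != FW_LAN_IP:
        # Client and server share a subnet: the reply goes straight to the client
        # and the firewall never sees it, so nothing undoes the DNAT.
        seen_by_client = server_reply
    else:
        seen_by_client = reverse_translate(server_reply, ct)
    return seen_by_client == client.reply()


if __name__ == "__main__":
    print("DNAT only:", client_gets_usable_reply(False))           # False
    print("DNAT + SNAT to eth1:", client_gets_usable_reply(True))  # True
```

The `False` case is exactly the symptom of a DNAT rule without the matching masq entry: the workstation answers the client directly with its own 192.168.123.24 address, the client has no socket open to that address, and the connection never completes. The SNAT to 192.168.123.254 forces the reply back through the firewall, where the connection-tracking entry restores the external address the client expects.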
Ismael Milach da Silveira | 30 Aug 22:52 2006

Re: SNAT not working

worked great, thanks!!!
----- Original Message ----- 
From: "Tom Eastep" <teastep <at> shorewall.net>
To: "Shorewall Users" <shorewall-users <at> lists.sourceforge.net>
Sent: Wednesday, August 30, 2006 4:30 PM
Subject: Re: [Shorewall-users] SNAT not working


> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 

Bill Guelker | 31 Aug 21:40 2006

Strange problem with SNAT

Hi,

I have a problem which I do not believe is directly related to
Shorewall, but which Shorewall may be able to help me circumvent.  I
administer a small office network which makes abundant use of an
online application.  Recently, the servers which host that application
have converted to linux.  And it is after this conversion that I have
begun to experience problems.

My network has around 30 workstations behind a linux box running
CentOS4 and Shorewall 3.2.2.  Most of the workstations are running
Fedora Core 5, but there are also several WinXP boxes.  The firewall
is doing SNAT for the network, using a single external ip address (the
address of the firewall's external interface).

If there are open connections to the web server (ports 80 and 443) at
207.41.18.59 (ecf.moeb.uscourts.gov) through the firewall, some of the
linux clients can no longer connect to the site -- the firewall shows
these connections in a "SYN_SENT" state.  But some of the clients may
connect -- it is not possible to predict who can and who can't.  If
there are no connections currently, any client machine can connect to
the site.  But as soon as a connection is established, other linux
clients start getting stuck (court site is unresponsive, firewall
shows SYN_SENT, even while the court site is responding to other
connections).

Here's the strange part: the local WinXP clients can always connect
without any problems!

The problem only occurs with this site; client machines can
simultaneously connect to other sites without any issues.

It's as though the remote server, or some router in between, is
dropping SYN packets from my network's external ip which are not part
of an established connection -- unless those SYN packets came from a
Windows host!

I am guessing that there may be some TCP option enabled on my linux
client machines which is triggering the problem, but I'm not sure what
to try.

If I add ip addresses and aliases, so that Shorewall uses a pool of
external ip addresses for SNAT, the problem is alleviated, until the
ip addresses are exhausted and outgoing connections start doubling up.

I have replicated this problem on a separate network, using a Cisco
PIX firewall, and connecting to the same application on a different
server -- linux clients have trouble, Windows clients connect every
time.

I have tried setting CLAMPMSS=Yes with no change.

The office administering the application says there is no connection
limiting going on on their end.

Any ideas?  I am attaching a "shorewall dump" with some clients
connected, and others stuck at SYN_SENT (this is with three external
ip addresses for SNAT).  Thanks for any suggestions you can offer --
I've been scratchin' my head over this one for a while....

Bill
Attachment (dump.txt.gz): application/x-gzip, 9 KiB
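The pattern Bill describes (new connections to one destination stuck at SYN_SENT while established connections to the same destination keep working) can be pulled out of the connection-tracking table that a "shorewall dump" includes. The script below is an added example, not from the thread or from Shorewall, that parses lines in the kernel 2.6 /proc/net/ip_conntrack format and flags destinations showing that pattern. The sample lines are constructed: only the court site's address 207.41.18.59 comes from the post; the client addresses, ports and the SNAT address 203.0.113.5 are made up.

```python
"""Added example (not from the thread): pull the TCP entries out of an
ip_conntrack listing, as found in a "shorewall dump", and flag destinations
that have stuck SYN_SENT flows next to working ESTABLISHED ones."""
import re
from collections import defaultdict

# Constructed sample in /proc/net/ip_conntrack format (kernel 2.6). The court
# site address is the one from the thread; every other address and port is
# made up, with 203.0.113.5 standing in for the firewall's external SNAT address.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.0.11 dst=207.41.18.59 sport=33412 dport=443 src=207.41.18.59 dst=203.0.113.5 sport=443 dport=33412 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.0.12 dst=207.41.18.59 sport=41022 dport=443 [UNREPLIED] src=207.41.18.59 dst=203.0.113.5 sport=443 dport=41022 use=1
tcp      6 110 SYN_SENT src=192.168.0.13 dst=207.41.18.59 sport=41311 dport=80 [UNREPLIED] src=207.41.18.59 dst=203.0.113.5 sport=80 dport=41311 use=1
tcp      6 431950 ESTABLISHED src=192.168.0.20 dst=198.51.100.77 sport=50011 dport=80 src=198.51.100.77 dst=203.0.113.5 sport=80 dport=50011 [ASSURED] use=1
udp      17 29 src=192.168.0.11 dst=192.168.0.1 sport=5353 dport=53 src=192.168.0.1 dst=192.168.0.11 sport=53 dport=5353 use=1
"""

# Original-direction tuple of a TCP entry; the reply tuple and flags follow in "rest".
TCP_LINE = re.compile(
    r"^tcp\s+6\s+(?P<ttl>\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)
REPLY_TUPLE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per TCP entry: client, destination, state, whether the
    peer ever replied, and the address the firewall SNATed the flow to."""
    entries = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # udp/icmp entries are not relevant to a SYN_SENT problem
        rest = m.group("rest")
        reply = REPLY_TUPLE.search(rest)
        entries.append({
            "state": m.group("state"),
            "client": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "unreplied": "[UNREPLIED]" in rest,
            # In the reply tuple, dst is where the peer sends its answer,
            # i.e. the external address the firewall used for SNAT.
            "snat_addr": reply.group(2) if reply else None,
        })
    return entries


def states_by_destination(entries):
    """Count conntrack states per remote address,
    e.g. {'207.41.18.59': {'ESTABLISHED': 1, 'SYN_SENT': 2}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e["dst"]][e["state"]] += 1
    return {dst: dict(states) for dst, states in counts.items()}


def stuck_destinations(text):
    """Destinations showing the pattern from the thread: SYN_SENT flows while
    at least one ESTABLISHED flow to the same host exists, which rules out the
    host simply being down."""
    by_dst = states_by_destination(parse_conntrack(text))
    return {dst: s for dst, s in by_dst.items()
            if s.get("SYN_SENT", 0) and s.get("ESTABLISHED", 0)}


def stuck_clients(text, dst):
    """LAN addresses whose SYNs to dst never got an answer, sorted for stable output."""
    return sorted(e["client"] for e in parse_conntrack(text)
                  if e["dst"] == dst and e["state"] == "SYN_SENT" and e["unreplied"])


if __name__ == "__main__":
    for dst, states in stuck_destinations(SAMPLE_CONNTRACK).items():
        print(dst, states, "stuck clients:", stuck_clients(SAMPLE_CONNTRACK, dst))
```

Run against a real dump, the output narrows the question to one destination and a list of the LAN hosts that are stuck, which is the first thing to compare against the list of hosts that do connect (in Bill's case, the Windows machines) before looking at per-host TCP settings.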