Art Mason <[EMAIL PROTECTED]> writes:

> I've had hell trying to get port forwarding to work properly on my SNF
> 8.2-BETA box.  Everything else (squid, dansguardian) simply rocks,
> though.  Here's the dilemma:
> 
> eth0: 192.168.1.254/24
> eth1: ext.ip.addr.inet
> 
> NAT works great, transparent squid proxying works great, but I'm trying
> to forward SMTP from a Postfix gateway on the DMZ and forward HTTPS from
> the Internet to allow outside users to securely check their e-mail from
> home w/o sending plaintext passwords all over the place.  The setup has
> been working well w/ snf-7.2/ipchains, but I'd like to standardize on
> snf-8.2 if possible.  Here's what syslog reports to me when I try HTTPS
> from the outside:
> 
> proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC=  SRC=external
> test IP address DST=ext.ip.addr.inet LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=46581 DF PROTO=TCP SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> Relevant rules from /etc/shorewall/rules:
> 
> ACCEPT  lan     wan     tcp     smtp    -
> ACCEPT  wan     lan     tcp     smtp    -
> ACCEPT  lan     wan     tcp     https   -
> ACCEPT  wan     lan     tcp     https   -
> ACCEPT  wan     lan:192.168.1.3 tcp     smtp    -       all
> ACCEPT  wan     lan:192.168.1.3 tcp     https   -       all
> 
> And /etc/shorewall/interfaces:
> 
> lan   eth0    detect  routestopped
> wan   eth1    detect  noping

hello there,

I have noticed that you have two rules on https.

I do the same thing here and this is what I get on the firewall:

[root@firewall root]# grep https /etc/shorewall/rules      
ACCEPT  dmz     wan     tcp     https   -       
ACCEPT  lan     wan     tcp     https   -       
ACCEPT  wan     dmz:192.168.1.3       tcp     https   -       all

> Finally, /etc/shorewall/policy:
> 
> lan   wan     ACCEPT
> fw      wan     ACCEPT
> wan   all     DROP    info
> all   all     REJECT  info

I have everything on DROP ...

in my case, an https connection on the external IP of the firewall will
redirect me to the dmz https server. Is your server inside the lan zone?

cheers,
-- 
Florin                  http://www.mandrakesoft.com
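The log line Art quoted is the most useful evidence in this thread, because the chain name in the Shorewall prefix tells you whether a rule matched at all, and the DST field (logged from the filter table, i.e. after PREROUTING) tells you whether a port-forward rewrote the destination. The following parser is an added example, not code from either poster or from Shorewall itself; it takes the quoted log line rejoined onto one line, with the redacted source replaced by a documentation-range placeholder, and uses the 192.168.1.3 forward target from the thread as the host a DNAT rule should have produced.

```python
import re
from typing import Optional

# Constructed sample: the kernel log line quoted in the thread, rejoined onto
# one line. The poster redacted the source as "external test IP address";
# 203.0.113.10 (a documentation-range address) stands in for it here.
SAMPLE_LOG = (
    "proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC= SRC=203.0.113.10 "
    "DST=ext.ip.addr.inet LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46581 DF PROTO=TCP "
    "SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Shorewall prefixes netfilter log entries as "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# netfilter's own fields are KEY=VALUE tokens; OUT= and MAC= may be empty.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare tokens with no "=": IP header flags and TCP flags.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_shorewall_log(line: str) -> Optional[dict]:
    """Return chain, disposition, the KEY=VALUE fields and the flag tokens of a
    Shorewall-prefixed netfilter log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rest = line[m.end():]
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    entry.update(KV_RE.findall(rest))          # list of (key, value) pairs
    entry["flags"] = sorted(t for t in rest.split() if t in FLAG_TOKENS)
    return entry


def diagnose(entry: dict, forwarded_to: Optional[str] = None) -> str:
    """Explain a logged packet in the terms the thread is arguing about.

    A chain named <zone>2all is the policy chain for a "<zone> all" line in
    /etc/shorewall/policy; a packet logged there matched no entry in
    /etc/shorewall/rules. forwarded_to is the internal host a port-forward
    should have sent the packet to: the filter-table LOG runs after
    PREROUTING, so DST is the post-DNAT address and an unchanged public DST
    means no DNAT rule matched."""
    chain, disp = entry["chain"], entry["disposition"]
    dst, dpt = entry.get("DST", "?"), entry.get("DPT", "?")
    parts = []
    if chain.endswith("2all"):
        zone = chain[: -len("2all")]
        parts.append(
            f"{disp} came from the '{zone} all' policy chain {chain}: "
            "no rule in /etc/shorewall/rules matched this packet."
        )
    else:
        parts.append(f"{disp} came from rules chain {chain}.")
    if forwarded_to is not None:
        if dst == forwarded_to:
            parts.append(
                f"DST is already {forwarded_to}, so DNAT happened; what is "
                "missing is the ACCEPT for the forwarded traffic."
            )
        else:
            parts.append(
                f"DST is still {dst}, so no DNAT rule rewrote it; the "
                f"port-forward for tcp/{dpt} never matched."
            )
    return " ".join(parts)


if __name__ == "__main__":
    entry = parse_shorewall_log(SAMPLE_LOG)
    print(entry)
    print(diagnose(entry, forwarded_to="192.168.1.3"))
```

Run over the sample, the verdict is that the SYN to tcp/443 reached the `wan all DROP` policy with its destination untouched, which is consistent with Florin's point: the rules as written never produced a forward, rather than a forward being produced and then filtered.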
