Tom Eastep wrote:
> Are you sure that your ISP isn't blocking SYN,ACK replies from port 80?

Pretty sure. We have one of the higher-level business packages with 5 statics, which is 2 above their entry-level business package. Plus, I'm looking at the logs on my firewall and I see nothing coming back from my local machine. My ISP has no knowledge of those packets. Plus, plus, double-plus, I only provided port 80 as an example. The same situation (standard fails but non-standard works) applies to SMTP, POP, HTTP, HTTPS, and SSH (admittedly SSH is DNAT'd from external 2222 to internal 10.0.50.50:22 but the rest are straight through).

>> I'm not sure what to attach for documentation.
>>
> http://www.shorewall.net/support.htm#Guidelines.

Well, OK. I had hoped that would be overkill for this situation, but here it is (lower).

> But -- these issues are virtually never problems that you can diagnose
> by looking just at the firewall itself. The DNAT troubleshooting tips in
> FAQs 1a and 1b are still your best friends (as is a packet sniffer like
> tcpdump or wireshark).

Based on your tips earlier about my other problem I have been over and over 1a and 1b. Unless I misread, they consist of two concepts: ensure the gateway on your local machine points to your firewall and ensure that a reverse DNS lookup resolves. Both are true in my case (after fixing the gateway issue earlier today on your pointer). I could supply logs to this extent, but I think the fact that standard ports for SMTP, POP, HTTP, and HTTPS work correctly via DNAT should be enough, although I will provide logs if required.

I must admit that I had hoped such a succinct problem as "standard ports don't work but non-standard ports do" would ring a bell amongst the list members. I hope that I'm not a "one of". Being a one-of is an interesting thing for those who come after, but a truly crappy thing to be in the first place.

Requested info:

----
[EMAIL PROTECTED]:~# shorewall version
3.0.4
----
[EMAIL PROTECTED]:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:c5:0b:83 brd ff:ff:ff:ff:ff:ff
    inet 137.186.135.69/22 brd 137.186.135.255 scope global eth0
    inet6 fe80::211:95ff:fec5:b83/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:d4:b1:6c:ff brd ff:ff:ff:ff:ff:ff
    inet 10.0.50.10/24 brd 10.0.50.255 scope global eth1
    inet6 fe80::213:d4ff:feb1:6cff/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
----
[EMAIL PROTECTED]:~# ip route show
10.0.50.0/24 dev eth1 proto kernel scope link src 10.0.50.10
137.186.132.0/22 dev eth0 proto kernel scope link src 137.186.135.69
default via 137.186.132.1 dev eth0
----

Oh...hell...that should have been a lot more painful. Is there something else I should provide that I didn't?

Thanks for your help!

Jon

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
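The FAQ 1a check Tom points at (replies from the DNAT target must come back through the firewall) has a firewall-side half that can be read straight off the posted "ip route show" output: which interface the firewall would forward a translated packet out of, and which firewall address the internal host therefore needs as its default gateway. The following script is an added example, not Jon's code or part of Shorewall; it parses the route table above (embedded here as a constructed sample copied from the message), does a longest-prefix-match lookup the way the kernel would, and reports the routing prerequisites for a DNAT rule. The interface roles (eth0 external, eth1 internal) and the second target address 10.0.60.5 are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample input: the firewall's "ip route show" output as posted
# in the message above (assumption: eth0 = external, eth1 = internal).
ROUTE_OUTPUT = """\
10.0.50.0/24 dev eth1 proto kernel scope link src 10.0.50.10
137.186.132.0/22 dev eth0 proto kernel scope link src 137.186.135.69
default via 137.186.132.1 dev eth0
"""


def parse_routes(text):
    """Parse 'ip route show' lines into dicts with dest/via/dev/src keys."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dest = ipaddress.ip_network("0.0.0.0/0")
        else:
            dest = ipaddress.ip_network(fields[0], strict=False)
        route = {"dest": dest, "via": None, "dev": None, "src": None}
        for key in ("via", "dev", "src"):
            if key in fields:
                route[key] = fields[fields.index(key) + 1]
        routes.append(route)
    return routes


def lookup(routes, addr):
    """Longest-prefix-match route lookup, as the kernel does for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        if ip in route["dest"]:
            if best is None or route["dest"].prefixlen > best["dest"].prefixlen:
                best = route
    return best


def check_dnat(routes, ext_iface, target):
    """Firewall-side routing prerequisites for a DNAT rule to `target`.

    Returns a dict: 'dev' is the interface the translated packet leaves on,
    'expected_gateway' is the firewall address the target host must use as
    its default gateway (FAQ 1a), and 'problems' lists anything that would
    keep replies from coming back through the firewall."""
    problems = []
    route = lookup(routes, target)
    if route is None:
        return {"dev": None, "expected_gateway": None,
                "problems": ["no route to DNAT target %s" % target]}
    if route["dev"] == ext_iface:
        problems.append("target %s is reached via the external interface %s; "
                        "the DNATed packet would go back out to the Internet"
                        % (target, ext_iface))
    if route["via"] is not None:
        problems.append("target %s is not on-link (next hop %s); that router "
                        "must route replies back to this firewall"
                        % (target, route["via"]))
    default = next((r for r in routes if r["dest"].prefixlen == 0), None)
    if default is None or default["dev"] != ext_iface:
        problems.append("default route does not leave via %s, so replies to "
                        "Internet clients exit on the wrong interface" % ext_iface)
    return {"dev": route["dev"], "expected_gateway": route["src"],
            "problems": problems}


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    for host in ("10.0.50.50", "10.0.60.5"):
        print(host, check_dnat(table, "eth0", host))
```

For the posted table, 10.0.50.50 comes out clean with expected gateway 10.0.50.10, which is exactly what FAQ 1a asks you to confirm on the internal host; the hypothetical 10.0.60.5 falls through to the default route and is flagged twice. What the script cannot see is the other half of the problem, namely what the internal host and the ISP do with the packets, which is why the tcpdump/wireshark capture on both interfaces remains the decisive check.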
