Hi, I have this problem:
two Debian 4.0 firewalls with Shorewall version 3.2.6.
I have these tcrules on both firewalls:
FW1
#MARK SOURCE          DEST            PROTO  DEST PORT(S)  SOURCE PORT(S)
2:P   192.168.11.0/24 172.16.33.13    tcp    1433
2:P   192.168.0.0/24  172.16.33.13    tcp    1433
FW2
#MARK SOURCE          DEST            PROTO  DEST PORT(S)  SOURCE PORT(S)
2:P   172.16.33.13/32 192.168.11.0/24 tcp    -             1433
2:P   172.16.33.13/32 192.168.0.0/24  tcp    -             1433
2:P   192.168.1.10/32 -               tcp    -             80
The setup works OK, but as soon as one of the ends restarts its firewall,
those two subnets cannot reach the SQL server. The tcrules work with an ip
rule that forces the marked packets to use the faster ISP in a dual-WAN
configuration.
But if I do a shorewall restart on both firewalls, the connection begins
to work again!
If I do a shorewall show connections before restarting both firewalls, I
get:
ON FW1:
tcp 6 57 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2165 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2165 packets=2 bytes=96 mark=0 use=1
tcp 6 59 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2164 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2164 packets=3 bytes=144 mark=0 use=1
ON FW2:
tcp 6 49 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2162 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2162 packets=3 bytes=144 mark=0 use=1
tcp 6 46 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2161 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2161 packets=3 bytes=144 mark=0 use=1
If I do a shorewall restart on both firewalls, I get:
tcp 6 431997 ESTABLISHED src=192.168.11.25 dst=172.16.33.13 sport=2172 dport=1433 packets=86 bytes=9034 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2172 packets=107 bytes=87702 [ASSURED] mark=0 use=1
And everything starts working.
Any ideas? I'll supply a shorewall dump if necessary.
Thanks.
--
Giacomo Lancella
-----------------------------------------
System & Network Engineer
MCSE/MCSA - CCNA
[EMAIL PROTECTED]
http://giacomo.lancella.com
----------------------------------------
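Added example, not code from the original post: a small POSIX shell helper that scans conntrack output of the kind shown above and lists TCP flows to a given destination port that are still in SYN_RECV and carry mark=0, i.e. the handshake never completed and the tcrules mark that should have pulled the flow onto the faster ISP was never applied. It assumes the /proc/net/ip_conntrack line layout that shorewall show connections prints in the post (protocol, number, timeout, state, then key=value fields); the sample lines are constructed for the demo, one of them with mark=2 to show that marked-but-stuck flows are reported separately from unmarked ones.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the ip_conntrack line
# layout shown in the post: "tcp 6 <timeout> <state> src=... dst=... ...".
# Entries from /proc/net/nf_conntrack carry an "ipv4 2" prefix and would need
# the field offsets shifted by two.

# Constructed sample, modelled on the post's "shorewall show connections"
# output (one entry per line; the third line is invented to show a marked flow).
SAMPLE_CONNTRACK='tcp 6 57 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2165 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2165 packets=2 bytes=96 mark=0 use=1
tcp 6 431997 ESTABLISHED src=192.168.11.25 dst=172.16.33.13 sport=2172 dport=1433 packets=86 bytes=9034 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2172 packets=107 bytes=87702 [ASSURED] mark=0 use=1
tcp 6 59 SYN_RECV src=192.168.0.40 dst=172.16.33.13 sport=3001 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.0.40 sport=1433 dport=3001 packets=3 bytes=144 mark=2 use=1'

# stuck_unmarked DPORT   (reads conntrack lines on stdin)
# Prints "src:sport -> dst:dport STATE mark=N" for every TCP entry to DPORT
# that is still in SYN_RECV with mark=0. Exit status 0 if any were found.
stuck_unmarked() {
    awk -v want="$1" '
        $1 == "tcp" && $4 == "SYN_RECV" {
            src = ""; dst = ""; sport = ""; dp = ""; mark = ""
            # Only the first (original-direction) tuple is wanted; the reply
            # tuple repeats src/dst/sport/dport with the sides swapped.
            for (i = 5; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src"   && src   == "") src   = kv[2]
                if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
                if (kv[1] == "sport" && sport == "") sport = kv[2]
                if (kv[1] == "dport" && dp    == "") dp    = kv[2]
                if (kv[1] == "mark") mark = kv[2]
            }
            if (dp == want && mark == "0") {
                print src ":" sport " -> " dst ":" dp " " $4 " mark=" mark
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# count_stuck_unmarked DPORT   (reads conntrack lines on stdin)
# Number of entries stuck_unmarked would report.
count_stuck_unmarked() {
    stuck_unmarked "$1" | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed sample. On a live box, replace the
# printf with:  shorewall show connections | stuck_unmarked 1433
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_CONNTRACK" | stuck_unmarked 1433 || echo "no unmarked SYN_RECV flows to port 1433"
fi
```

Run it on each firewall right after the other end has restarted: any line it prints is a flow that the tcrules did not mark, so the ip rule for the faster ISP never saw it.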
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users