Shorewall is, in general, working fine. Much better than ufw, IMHO.

I have one single problem with one single web site on a 2 interface fw.

If I plug into my cable modem directly, this site works fine.

I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I
can't get to it even from the fw itself.

With the cable modem on eth0 of my fw, neither the machines behind it on eth1
nor the fw itself can get to this one specific web site.
I have not noticed problems with any other sites.

Both DNS & traceroute report the same end results whether plugged into the
cable modem directly or behind the fw, so I'm at a loss as to where to look
next.

policy:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             $FW             ACCEPT

# Let FW go wherever
$FW             net             ACCEPT
$FW             loc             ACCEPT
$FW             all             REJECT          info

#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST

rules:

DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) net $FW
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp

interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

masq:

#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)         IPSEC   MARK
eth0                    10.1.1.0/8

zones:
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Both curl & wget also fail. Here's the curl output:

130 #> curl -v "https://www5.v1host.com"
* About to connect() to www5.v1host.com port 443 (#0)
*   Trying 209.34.82.239... connected
* Connected to www5.v1host.com (209.34.82.239) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*        subject: serialNumber=2duG-ipSr4CUsFthi6dD0sRSicGl103e; C=US; ST=Georgia; L=Alpharetta; O=VersionOne, Inc.; OU=Corporate; CN=*.v1host.com
*        start date: 2012-02-09 02:59:13 GMT
*        expire date: 2013-05-12 20:47:54 GMT
*        subjectAltName: www5.v1host.com matched
*        issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: www5.v1host.com
> Accept: */*
>
then nothing...
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
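Added example (editor's code, not from the post or the Shorewall project): a small evaluator that applies the posted policy and rules files the way Shorewall decides a new connection's fate at a high level. Rules are tried first, in file order, and the first match wins; if no rule matches, the first policy whose SOURCE/DEST pair matches (with `all` as a wildcard) decides. The model is deliberately simplified: it ignores zone nesting and connection tracking, and the `interfaces` and `masq` files only affect NAT and sanity checks, not the verdict. Two things it makes visible: both `$FW -> net` and `loc -> net` on tcp/443 reach an ACCEPT policy with no rule in front of them, so these files do not explain a connection that completes the TLS handshake and then stalls (that pattern usually points outside the filter rules, for example at path MTU); and the `SSH(ACCEPT) net $FW` line accepts SSH from the Internet even though the comment above it says "from the local network". The `MACROS` table is an assumption covering only the three macros the post uses.

```python
"""Simplified model of Shorewall rule/policy evaluation for the posted config.

Rules first (file order, first match wins); otherwise the first matching
policy, where `all` is a wildcard and `$FW` is the firewall zone (`fw` in the
posted zones file). Editor's example, not Shorewall's own code.
"""
import re

# Constructed copies of the two files from the post (comment lines kept).
POLICY = """
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             $FW             ACCEPT
$FW             net             ACCEPT
$FW             loc             ACCEPT
$FW             all             REJECT          info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
"""

RULES = """
DNS(ACCEPT) $FW net
SSH(ACCEPT) net $FW
SSH(ACCEPT) loc $FW
Ping(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
"""

# Assumed expansion of the standard macros the post uses: {(proto, dport)},
# where a port of None means "any port of that protocol".
MACROS = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "SSH": {("tcp", 22)},
    "Ping": {("icmp", None)},
}


def _lines(text):
    """Yield whitespace-split fields of each non-comment line, $FW -> fw."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace("$FW", "fw").strip()
        if line:
            yield line.split()


def parse_policy(text):
    """-> list of (src_zone, dst_zone, action), in file order."""
    return [(f[0], f[1], f[2]) for f in _lines(text)]


def parse_rules(text):
    """-> list of (src_zone, dst_zone, action, {(proto, port)}), in file order."""
    rules = []
    for f in _lines(text):
        m = re.fullmatch(r"(\w+)\((\w+)\)", f[0])
        if m:  # macro form: NAME(ACTION) SRC DST
            rules.append((f[1], f[2], m.group(2), MACROS[m.group(1)]))
        else:  # plain form: ACTION SRC DST [PROTO [DPORT]]
            proto = f[3] if len(f) > 3 else None
            port = int(f[4]) if len(f) > 4 else None
            rules.append((f[1], f[2], f[0], {(proto, port)}))
    return rules


def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def verdict(policy, rules, src, dst, proto, port=None):
    """Return (action, reason) for a new connection src -> dst on proto/port."""
    for rsrc, rdst, action, matches in rules:
        if not (_zone_match(rsrc, src) and _zone_match(rdst, dst)):
            continue
        for mproto, mport in matches:
            if (mproto is None or mproto == proto) and (mport is None or mport == port):
                return action, f"rule {action} {rsrc} {rdst} {proto}/{port}"
    for psrc, pdst, action in policy:
        if _zone_match(psrc, src) and _zone_match(pdst, dst):
            return action, f"policy {psrc} {pdst} {action}"
    return "DROP", "no policy matched (Shorewall would refuse to compile this)"


if __name__ == "__main__":
    pol, rul = parse_policy(POLICY), parse_rules(RULES)
    for q in [("fw", "net", "tcp", 443), ("loc", "net", "tcp", 443),
              ("net", "fw", "tcp", 22), ("net", "fw", "icmp", None),
              ("net", "loc", "tcp", 80)]:
        print(q, "->", verdict(pol, rul, *q))
```

Run it as-is; the `net -> fw` tcp/22 query is the one to look at before exposing this firewall, since the rule that accepts it is reached before the `net $FW DROP` policy.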