Sorry about the double post. My browser crashed and I didn't think it sent
the message, so I opened up another browser and retyped the same message.
Whoops.


On Thu, Oct 10, 2013 at 11:24 AM, johnny bowen <jbow...@gmail.com> wrote:

> Basically the bad redirect line REDIRECT    loc    80    tcp    8080
> adds a rule that listens for connections on 8080, then redirects to 80 on
> the fw.
>
> So to answer your test cases:
> 1)
>
> * http://<outside snat ip address>:80 and http://<inside lan ip
> address>:80 both failed with Shorewall:loc2fw:REJECT log messages.
>
> This failed because there is no rule for dst port 80, so it hit your
> policy REJECT
>
> 2)
> * http://<outside snat ip address>:8080 and http://<inside lan ip
> address>:8080 fail to reply, but nothing is logged.
>
> This failed because though a rule was found for 8080, it redirected it to
> port 80 on the firewall, but your httpd server is listening on 8080, not
> 80, so there is no reply.
>
>
> On Thu, Oct 10, 2013 at 11:17 AM, johnny bowen <jbow...@gmail.com> wrote:
>
>> Actually I typed my REDIRECT line wrong, for you it should have been this:
>>
>> REDIRECT    loc:$ipOfBadMachine        8080    tcp    80
>>
>> notice the 8080 and 80 are switched..
>>
>>
>> On Thu, Oct 10, 2013 at 10:52 AM, Brian Burch <br...@pingtoo.com> wrote:
>>
>>> On 10/10/13 17:55, johnny bowen wrote:
>>> > REDIRECT        net           22          tcp          902
>>>
>>> Thanks for thinking about it Johnny, but I said in my first post that I
>>> couldn't make REDIRECT work in my situation.
>>>
>>> Still, I don't want to seem ungrateful, so I reconfigured as follows:
>>>
>>> REDIRECT        loc           80          tcp          8080
>>>
>>> I then tried to access the fake web server on the firewall in 4
>>> different ways:
>>>
>>> * http://<outside snat ip address>:80 and http://<inside lan ip
>>> address>:80 both failed with Shorewall:loc2fw:REJECT log messages.
>>>
>>> * http://<outside snat ip address>:8080 and http://<inside lan ip
>>> address>:8080 fail to reply, but nothing is logged.
>>>
>>> My fake server is listening on 0.0.0.0:8080, and "wget
>>> http://127.0.0.1:8080" from the firewall itself works fine.
>>>
>>> The good news is that my genuine clients can still successfully access
>>> web servers on the internet (via the snat ip address on the firewall).
>>>
>>>
>>> I'm still confused!
>>>
>>> Brian
>>>
>>>
>>>
>>>
>>
>>
>
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
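The whole thread turns on which REDIRECT column is the port the client connects to and which is the port on the firewall the connection is sent to. The script below is an added example, not code from the thread or from the Shorewall project: it parses a five-column REDIRECT line (ACTION SOURCE DEST PROTO DPORT, the layout used above), prints the nat-table rule it corresponds to, and replays Brian's loc-to-fw tests against both the line he tried and Johnny's corrected one. The interface name eth1 and the address 192.0.2.10 (standing in for $ipOfBadMachine) are constructed for the example, and the loc2fw policy is assumed to be REJECT as in Brian's log messages.

```python
"""Decode Shorewall REDIRECT rules into what they actually do.

Added example, not code from the thread or from the Shorewall project.
It assumes the five-column /etc/shorewall/rules layout used in the thread:

    ACTION  SOURCE  DEST  PROTO  DPORT

For REDIRECT, DPORT is the port the client connects to (what the rule
"listens" on) and DEST is the local port on the firewall the connection
is redirected to. Getting those two swapped is the bug discussed above.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Redirect:
    source_zone: str
    source_host: Optional[str]   # optional host/subnet after "zone:"
    listen_port: int             # DPORT column: original destination port
    to_port: int                 # DEST column: local port redirected to
    proto: str

    def iptables(self, iface: str = "eth1") -> str:
        """The nat-table rule this amounts to (the iface name is an assumption)."""
        src = f" -s {self.source_host}" if self.source_host else ""
        return (f"iptables -t nat -A PREROUTING -i {iface}{src} -p {self.proto}"
                f" --dport {self.listen_port} -j REDIRECT --to-ports {self.to_port}")


def parse_redirect(line: str) -> Redirect:
    """Parse one REDIRECT line; only plain numeric ports are handled here."""
    fields = line.split()
    if len(fields) != 5 or fields[0] != "REDIRECT":
        raise ValueError(f"expected 'REDIRECT SOURCE DEST PROTO DPORT': {line!r}")
    _, source, dest, proto, dport = fields
    zone, _, host = source.partition(":")
    return Redirect(zone, host or None, int(dport), int(dest), proto.lower())


def simulate(rule: Redirect, src_ip: str, dport: int,
             listening_ports: set, fw_policy: str = "REJECT") -> str:
    """Model of the loc->fw test in the thread: the REDIRECT line is the only
    loc->fw rule, so a TCP connection to the firewall either matches it or
    falls through to the loc2fw policy (assumed REJECT, as in Brian's logs)."""
    if rule.proto != "tcp" or dport != rule.listen_port:
        return f"{fw_policy} by loc2fw policy (no rule for dport {dport})"
    if rule.source_host and src_ip != rule.source_host:
        return f"{fw_policy} by loc2fw policy (rule limited to {rule.source_host})"
    if rule.to_port in listening_ports:
        return f"served by local port {rule.to_port}"
    return f"redirected to port {rule.to_port}, nothing listening: no reply"


if __name__ == "__main__":
    # Constructed inputs: the line Brian tried, and the corrected one with an
    # RFC 5737 documentation address standing in for $ipOfBadMachine.
    bad = parse_redirect("REDIRECT    loc    80    tcp    8080")
    good = parse_redirect("REDIRECT    loc:192.0.2.10    8080    tcp    80")
    fake_server = {8080}          # the fake web server listens on 0.0.0.0:8080
    for name, rule in (("bad", bad), ("good", good)):
        print(f"{name}: {rule.iptables()}")
        for port in (80, 8080):
            outcome = simulate(rule, "192.0.2.10", port, fake_server)
            print(f"  client -> fw:{port}: {outcome}")
```

Running it reproduces both of Brian's observations for the swapped line (port 80 hits the loc2fw REJECT policy, port 8080 is redirected to a port nobody listens on, so nothing is logged and nothing replies) and shows that the corrected line delivers port-80 connections from the named host to the fake server on 8080 while every other host still falls through to the policy.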
