On Sun, 12 Jan 2014, Tom Eastep wrote:

>>>> Thanks for your hints, but returning to the topic, I still don't understand
>>>> why DNS resolution doesn't work.
>>>>
>>>> Why does the rule:
>>>>
>>>>     DNS(ACCEPT) dmz:192.168.110.0/24 all
>>>>
>>>> not work as expected?
>>>> What am I missing?
>>>
>>> Please send us the output of 'shorewall dump' collected as described at
>>> http://www.shorewall.org/support.htm#Guidelines
>>
>> Filed it in http://apf.it/140111sh-dump.gz
>> Changed real IPs.
>>
>> Thanks for your interest.
>
> We actually need the dump to be taken when the rules that *don't* work
> are installed. We don't learn anything from looking at these rules.
Rules ARE active. They are simply:

    DNS(ACCEPT)  dmz:192.168.110.0/24  all
    #DNS(ACCEPT) dmz                   all
    #ACCEPT      dmz:192.168.110.0/24  all                          udp  53,953
    #LOG:6       dmz:192.168.110.0/24  net:!8.8.8.8,208.67.222.222  udp
    DROP         dmz:192.168.110.0/24  net:!8.8.8.8,208.67.222.222  udp

The commented lines are some attempts (that don't change the result).

> Also, please add logging to your DROP rule(s).

If you tell me what syntax you want, I'll do it.

In the meantime, this is another dump (after a restart of Shorewall):
http://apf.it/140112sh-dump.gz

Thanks,
P.

P.S.: my conf isn't clean, because this is a Proxmox host with some VMs in several different DMZ segments that evolved over many years, but all is fine (for my needs; it could probably be done better), except for this UDP thing that doesn't work as expected for the involved VMs (both OpenVZ and KVM).

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
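The logging Tom asks for is added by suffixing a log level to the action (DROP:info in place of DROP), after which every dropped packet is written to the kernel log with the prefix Shorewall:<chain>:DROP: followed by the usual netfilter fields. As an added example, not from this thread or from Shorewall itself, the POSIX shell function below pulls the dropped UDP/53 packets from the DMZ subnet out of such log lines and, when given the two resolvers the DROP rule excludes, lists only the drops that the exclusion should have prevented; the log lines, host name and interface names are constructed.

```shell
#!/bin/sh
# Constructed kernel log lines in Shorewall's default LOGFORMAT
# ("Shorewall:<chain>:<disposition>:" glued to the netfilter fields).
# They are made up for this example, not taken from the thread's dump.
SAMPLE_LOG='Jan 12 10:00:01 pve kernel: Shorewall:dmz-net:DROP:IN=vmbr1 OUT=vmbr0 SRC=192.168.110.5 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan 12 10:00:02 pve kernel: Shorewall:dmz-net:ACCEPT:IN=vmbr1 OUT=vmbr0 SRC=192.168.110.5 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan 12 10:00:03 pve kernel: Shorewall:net2all:DROP:IN=vmbr0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=4444 DPT=22
Jan 12 10:00:04 pve kernel: Shorewall:dmz-net:DROP:IN=vmbr1 OUT=vmbr0 SRC=192.168.110.9 DST=208.67.222.222 LEN=60 PROTO=UDP SPT=51236 DPT=53 LEN=40
Jan 12 10:00:05 pve kernel: Shorewall:dmz-net:DROP:IN=vmbr1 OUT=vmbr0 SRC=10.0.0.4 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51237 DPT=53 LEN=40'

# dns_drops PREFIX [ALLOWED]
# Print "chain src dst" for each logged DROP of a UDP/53 packet whose source
# starts with PREFIX (e.g. "192.168.110."). If ALLOWED (space-separated
# resolver IPs) is given, print only drops towards those resolvers, i.e. the
# ones the "net:!8.8.8.8,208.67.222.222" exclusion should never have matched.
dns_drops() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v pfx="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Shorewall:[^ ]*:DROP:/ && /PROTO=UDP/ && /DPT=53( |$)/ {
            chain = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                # The prefix field looks like "Shorewall:dmz-net:DROP:IN=vmbr1".
                if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2] }
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (index(src, pfx) != 1) next
            if (n > 0 && !(dst in ok)) next
            print chain, src, dst
        }'
}

# All DNS drops from the DMZ subnet, then only the unexpected ones.
dns_drops 192.168.110.
dns_drops 192.168.110. "8.8.8.8 208.67.222.222"
```

On a real host, replace the constructed SAMPLE_LOG with the relevant part of the kernel log (or the log excerpt that 'shorewall dump' includes) and read the chain name in the output to see which policy or rule is doing the dropping.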
