I've collected more info on this issue and got the way to avoid the issue.
I've added a network diagram to help understand my setting.

What I usually do on the client in order to connect to the target web server
is that I start typing on the browser the server's address: 192... then the
browser anticipates me by proposing what it thinks is my wanted target's
value, which I choose.

Since the first time I typed in without the "https://" prefix, obviously the
browser proposes the string that starts with "http://" and only after
conversing with the web server it automatically changes it to "https://".

For some reason that is not yet clear to me, the issue I described in my
previous mail appears only in this situation and it stays so (long response
time and log of dropped packets) till the end of the session.

The issue doesn't show up when I start the session with the proper URL from
the beginning. Well, there still is one packet dropped (the first one?) but
then it carries on as smoothly and fast as expected.

Can anybody explain the rationale for this behavior?

Thanks for your help,

Costa

------------------------------------------

  Network Diagram
  ---------------

            Internet
                |
                |
            +---+----+   +--------+
            | router |   | client |  >>> URL: https://192.168.2.152 <<<
            +---+----+   +---+----+
  192.168.2.254 |            | 192.168.2.88
                |            |
            ----+-----+------+----- switch
                      |
                 eth0 | 192.168.2.152
              +-------+-------+
              | ............. |
              | . ShoreWall . | >>> DNAT   net  fw:192.168.51.254    tcp 80,8080,443 <<<
              | ............. |
              |               |
              |  ..........   | GATEWAY=192.168.2.254
              |  .  web   .   |
              |  . server .   |
              |  ..........   |
              |               |
              +-------+-------+
                 eth1 | 192.168.51.254
                      |
            ----+-----+----+------- switch
                |          |
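The dropped-packet log referred to above is not included in this mail. As an added example (not part of this thread or of Shorewall itself), the script below parses netfilter LOG entries of the kind Shorewall's logging rules emit (prefix "Shorewall:<chain>:<disposition>:" followed by the usual IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields), counts DROP entries per inbound interface and destination port, and separates the drops that hit the DNAT'd ports (tcp 80, 8080, 443, taken from the rule in the diagram) into new-connection SYNs and mid-stream packets. That split is the first thing to look at when a forwarded service is slow but eventually works: a single dropped SYN points at something different from a stream of dropped ACKs. The log lines, the chain name "net-fw" and the addresses in them are constructed samples, not the poster's real log.

```python
import re
from collections import Counter

# Ports forwarded by the DNAT rule in the diagram: tcp 80,8080,443.
DNAT_PORTS = {80, 8080, 443}

# Constructed sample log lines (not the poster's log). Format: netfilter LOG
# output with the prefix Shorewall puts in front of it; chain name assumed.
SAMPLE_LOG = """\
Aug 11 17:02:11 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00:11:11:11:11:11:11:08:00 SRC=192.168.2.88 DST=192.168.2.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 11 17:02:12 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.168.2.88 DST=192.168.2.152 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Aug 11 17:02:15 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.168.2.88 DST=192.168.2.152 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 11 17:02:20 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.2.152 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 11 17:02:21 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.168.2.88 DST=192.168.2.152 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
"""

# "Shorewall:<chain>:<disposition>:" then the kernel's key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# TCP flags appear as bare tokens, not key=value pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for one Shorewall log entry, or None for unrelated lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def summarize_drops(log_text, dnat_ports=DNAT_PORTS):
    """Count DROP entries per (in-interface, protocol, dst port) and collect
    the TCP drops aimed at ports the DNAT rule is supposed to forward."""
    per_port = Counter()
    dnat_drops = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "DROP":
            continue
        per_port[(rec["in"], rec["proto"], rec["dpt"])] += 1
        if rec["proto"] == "TCP" and rec["dpt"] in dnat_ports:
            dnat_drops.append(rec)
    return per_port, dnat_drops


def classify_dnat_drops(drops):
    """Split DNAT-port drops into bare SYNs (a new connection being refused)
    and packets without SYN (an established stream losing packets)."""
    new_conn = [d for d in drops if d["flags"] == {"SYN"}]
    mid_stream = [d for d in drops if "SYN" not in d["flags"]]
    return new_conn, mid_stream


if __name__ == "__main__":
    per_port, dnat_drops = summarize_drops(SAMPLE_LOG)
    for (iface, proto, dpt), n in sorted(per_port.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} drops  in={iface or '-'} proto={proto} dpt={dpt}")
    new_conn, mid_stream = classify_dnat_drops(dnat_drops)
    print(f"DNAT ports: {len(new_conn)} dropped SYN(s), {len(mid_stream)} mid-stream drop(s)")
    for d in mid_stream:
        print(f"  mid-stream: {d['src']} -> {d['dst']}:{d['dpt']} flags={sorted(d['flags'])}")
```

Run it against the real log (e.g. pipe the relevant lines from the system log into SAMPLE_LOG's place) and compare the two tallies for an http:// session and an https:// session started directly; the per-port counter also shows whether drops on unrelated ports (the port 23 probe in the sample) are being mixed into the picture.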

-----Original Message-----
From: Tom Eastep [mailto:[email protected]] 
Sent: 11 August 2014 22:06
To: [email protected]
Subject: Re: [Shorewall-users] Shorewall 4.5.6.2 and DNAT issue

On 8/11/2014 8:48 AM, Costantino wrote:
> Hi Tom and all,
> 
> I'm confronting an issue with Shorewall 4.5.6.2 and DNAT.
> 
> I've got a server with two Ethernet interfaces: eth0 connected to WAN 
> and eth1 to LAN.
> 
> Although I've got a DNAT rule allowing for requests coming through the 
> WAN interface to be forwarded to their respective port 80, 8080 and 
> 443 of the LAN interface, the log shows that those requests have been
> dropped.
> 
> At the same time the user on the client PC, while experiencing a very 
> long delay, sees that his request in the end has been served.
> 
> I fail to see where my Shorewall configuration could be wrong and I 
> would appreciate your advice to help me diagnose my issue.

Have you looked at the DNAT troubleshooting procedure described in FAQs 1a
through 1c?

> 
> I'm attaching a zip file with the output of the SHOW command and the log.

The output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines is much more useful.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
