On 2/20/20 2:22 PM, Bruce Bannerman wrote:
> I did a few tests yesterday with DNAT, SNAT and the current rules.
>
> I stopped and started the shorewall service using 'systemctl
> restart shorewall' prior to running the tests to create the dump
> file.
>
> I then did a shorewall reload.
>
> I just replaced the ACCEPT with DNAT during the previous tests.
>
>
> The relevant params and rules that I have in place are:
>
> ===== /etc/shorewall/params
> #
> E_FW=203.214.66.98
> E_DNS=203.214.66.100
> E_SMTP=203.214.66.100
> E_WWW=203.214.66.103
> E_SMTPS_B=203.214.66.104
> E_SMTPS_G=203.214.66.105
> E_SMTPS_F=203.214.66.106
> #
>
>
> /etc/shorewall/rules
> #
> # ===== net - Internet =====
> #
> <snip>
> #
> #ACTION       SOURCE  DEST            PROTO  DPORT                         SPORT  ORIGDEST
> #
> ACCEPT:$LOG   net     dmz:$E_DNS      udp    domain
> ACCEPT:$LOG   net     dmz:$E_DNS      tcp    domain
> #
> ACCEPT:$LOG   net     dmz:$E_WWW      tcp    http,https
> ACCEPT:$LOG   net     dmz:$E_SMTP     tcp    smtp
> #
> ACCEPT:$LOG   net     dmz:$E_SMTPS_B  tcp    imaps,submissions,submission
> ACCEPT:$LOG   net     dmz:$E_SMTPS_G  tcp    imaps,submissions,submission
> ACCEPT:$LOG   net     dmz:$E_SMTPS_F  tcp    imaps,submissions,submission
> #
> <snip>
> # ===== DMZ =====
> #
> #ACTION       SOURCE  DEST            PROTO  DPORT                         SPORT  ORIGDEST
> #
> ACCEPT:$LOG   dmz     net             udp    domain                        -      -
> ACCEPT:$LOG   dmz     net             tcp    domain                        -      -
> #
> ACCEPT:$LOG   dmz     net             tcp    http,https                    -      -
> #
> ACCEPT:$LOG   dmz     net             tcp    smtp                          -      -
> #
> ACCEPT:$LOG   dmz     net             tcp    imaps,submissions,submission  -      -
> #
> <snip>
> =====
>
Okay -- well, it looks to me as though the reverse proxy is not
initiating the second connection to the web server or that it is
attempting to initiate the connection and is getting an error. Does
its log give you any clue?
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users