First, thanks for your answer.

On Thu, 26 Oct 2023 09:10:33 +0100, Norman and Audrey Henderson wrote:

> Hi, the one message you included is a normal response message from your
> web server to the client. The client (some random user on the Internet)
> has made a request with destination port 443 and a random source port,
> 37615.
> Apache replied with source port 443 and destination port 37615, that is
> completely normal.

Ok.

> With such limited information we can't see why there is a REJECT, plus
> you say the web server is working fine, so there is something else going
> on.

I understand.

> Some comments:
> (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than
> Web(ACCEPT) which just combines the two.

I don't understand why Web exists, then, if it is not recommended to use it. I replaced Web by HTTP and HTTPS lines, and of course, nothing changed.

> (2) You only need rules for the incoming traffic. I think they should be
> HTTPS(ACCEPT) net $FW and HTTP(ACCEPT) net $FW ($FW refers to the
> firewall zone).

I have zones:

fw          firewall
net         ipv4
sshok:net   ipv4   dynamic_shared

In rules, should I use fw or $FW, or does it not matter? It seems that changing fw to $FW didn't change anything.

> (3) Return traffic from the web server to the client is automatically
> permitted because of "connection tracking" - it's an established TCP
> connection. You may have some other rule that is blocking that (but
> then, the web server would not be working from the client's viewpoint).

interfaces:

?FORMAT 2
net   eth0

hosts:

sshok   eth0:dynamic

policy:

sshok   all     CONTINUE
all     sshok   CONTINUE
net     all     DROP     info
all     all     REJECT   info

> (4) To see what's actually happening you can do an iptrace:
>
> First make sure that logging is enabled in iptables (might be different
> depending on your distro):
> sudo modprobe nf_log_ipv4
> sudo sysctl net.netfilter.nf_log.2=nf_log_ipv4

Not actually in my kernel:

# grep -i log_ipv4 /usr/src/linux/.config
# CONFIG_NF_LOG_IPV4 is not set

I'll have to recompile it with that and reboot. I'll do it a bit later.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
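The pieces discussed in this exchange, pulled together into one consistent Shorewall configuration as an added example (not the poster's actual files and not from the Shorewall project). The zones, interfaces, hosts and policy entries are the ones quoted in the message; the rules file follows the recommendation in comment (2), with only incoming rules toward the firewall zone. `$FW` is the Shorewall variable that expands to the name of the firewall zone, which is `fw` unless the FW setting in shorewall.conf says otherwise, so writing `fw` or `$FW` in rules gives the same result here. The SSH rule for the dynamic `sshok` zone is an assumption about what that zone is for, not something the message states.

```text
# /etc/shorewall/zones
#ZONE        TYPE      OPTIONS
fw           firewall
net          ipv4
sshok:net    ipv4      dynamic_shared

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0

# /etc/shorewall/hosts
#ZONE   HOST(S)
sshok   eth0:dynamic

# /etc/shorewall/policy
#SOURCE   DEST    POLICY     LOGLEVEL
sshok     all     CONTINUE
all       sshok   CONTINUE
net       all     DROP       info
all       all     REJECT     info

# /etc/shorewall/rules
#ACTION          SOURCE   DEST
# Only the client-to-server direction needs a rule: the replies from
# Apache (source port 443 back to the client's random port) are matched
# by connection tracking as ESTABLISHED and are accepted without a rule.
HTTP(ACCEPT)     net      $FW
HTTPS(ACCEPT)    net      $FW
# Assumed purpose of the dynamic sshok zone: SSH from addresses that
# have been added to it at runtime.
SSH(ACCEPT)      sshok    $FW
```

With `net all DROP info` and `all all REJECT info` as the fallback policies, every packet that reaches a policy is logged at level info, so a logged REJECT from the firewall's own address with source port 443 is a packet that was not matched as part of a tracked connection. For the `iptrace` step in comment (4) the kernel needs nf_log_ipv4 available, i.e. CONFIG_NF_LOG_IPV4 built in or as a module, before `modprobe nf_log_ipv4` and the `net.netfilter.nf_log.2` sysctl can take effect.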