I don't know nearly everything about Shorewall or iptables. I notice, however, that using a sub-zone definition sshok:net is a bit unusual, and it's also unusual to have CONTINUE in policy. Maybe there are good reasons, but I have a relatively complex installation and I haven't used nor seen either of those things before. Again, I don't know everything :)
Regarding your self-defined fw in the zones file versus the default $FW: no, it doesn't matter, my error; $FW is only a shorthand for the zone defined as type "firewall". Regarding Web.macro: inside the macro there is a comment saying to use HTTP and HTTPS instead. I don't know why the developer made that comment. Hopefully you will be able to get a trace and maybe that will reveal the issue. If not, I think you should post your entire configuration, with any public IP addresses etc. altered of course.

On Thu, Oct 26, 2023 at 4:37 PM Christophe PEREZ <ch...@novazur.fr> wrote:
> First, thanks for your answer.
>
> On Thu, 26 Oct 2023 09:10:33 +0100, Norman and Audrey Henderson wrote:
>
> > Hi, the one message you included is a normal response message from your
> > web server to the client. The client (some random user on the Internet)
> > has made a request with destination port 443 and a random source port,
> > 37615. Apache replied with source port 443 and destination port 37615,
> > that is completely normal.
>
> Ok.
>
> > With such limited information we can't see why there is a REJECT, plus
> > you say the web server is working fine, so there is something else going
> > on.
>
> I understand.
>
> > Some comments:
> > (1) It's recommended to use HTTP(ACCEPT) and HTTPS(ACCEPT) rather than
> > Web(ACCEPT) which just combines the two.
>
> I don't understand why Web exists, then, if it is not recommended to use it.
> I replaced Web by HTTP and HTTPS lines, and of course, nothing changed.
>
> > (2) You only need rules for the incoming traffic. I think they should be
> > HTTPS(ACCEPT) net $FW and HTTP(ACCEPT) net $FW ($FW refers to the
> > firewall zone).
>
> I have zones:
> fw firewall
> net ipv4
> sshok:net ipv4 dynamic_shared
>
> In rules, should I use fw or $FW, or does it not matter?
> It seems that changing fw to $FW didn't change anything.
>
> > (3) Return traffic from the web server to the client is automatically
> > permitted because of "connection tracking" - it's an established TCP
> > connection. You may have some other rule that is blocking that (but then,
> > the web server would not be working from the client's viewpoint).
>
> interfaces:
> ?FORMAT 2
> net eth0
>
> hosts:
> sshok eth0:dynamic
>
> policy:
> sshok all CONTINUE
> all sshok CONTINUE
> net all DROP info
> all all REJECT info
>
> > (4) To see what's actually happening you can do an iptrace:
> >
> > First make sure that logging is enabled in iptables (might be different
> > depending on your distro):
> > sudo modprobe nf_log_ipv4
> > sudo sysctl net.netfilter.nf_log.2=nf_log_ipv4
>
> Not actually in my kernel:
> # grep -i log_ipv4 /usr/src/linux/.config
> # CONFIG_NF_LOG_IPV4 is not set
>
> I'll have to recompile it with that option and reboot. I'll do it a bit later.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
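Added here as an illustration, not code from the thread or from the Shorewall project: a small Python lint over Shorewall zones, policy and rules text that flags the three review points raised in the replies above (a sub-zone such as sshok:net, CONTINUE policies, and the Web macro where HTTP/HTTPS are recommended). The file contents are constructed from the configuration quoted in the thread; the Web rule is assumed for the sake of the example.

```python
"""Added example: lint a Shorewall zones/policy/rules trio for the points a
reviewer raised on the list. Not Shorewall's own tooling."""

# Constructed samples, based on the configuration quoted in the thread.
ZONES = """# ZONE      TYPE      OPTIONS
fw          firewall
net         ipv4
sshok:net   ipv4      dynamic_shared
"""
POLICY = """# SOURCE   DEST    POLICY    LOGLEVEL
sshok      all     CONTINUE
all        sshok   CONTINUE
net        all     DROP      info
all        all     REJECT    info
"""
RULES = """# ACTION        SOURCE   DEST
Web(ACCEPT)     net      $FW
"""


def parse(text):
    """Split a Shorewall column file into token lists.

    Comments, blank lines and ?-directives such as ?FORMAT 2 are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            rows.append(line.split())
    return rows


def lint(zones, policy, rules):
    """Return review findings, in file order, as a list of strings."""
    findings = []
    for row in parse(zones):                      # ZONE TYPE OPTIONS
        if ":" in row[0]:                         # e.g. sshok:net is a sub-zone
            findings.append(f"zones: sub-zone definition '{row[0]}' is unusual")
    for row in parse(policy):                     # SOURCE DEST POLICY [LOGLEVEL]
        if len(row) > 2 and row[2] == "CONTINUE":
            findings.append(f"policy: CONTINUE for {row[0]} -> {row[1]} is unusual")
    for row in parse(rules):                      # ACTION SOURCE DEST ...
        if row[0].startswith("Web("):
            findings.append("rules: prefer HTTP(ACCEPT) and HTTPS(ACCEPT) over "
                            f"{row[0]}")
    return findings


if __name__ == "__main__":
    for finding in lint(ZONES, POLICY, RULES):
        print(finding)
```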