[Shorewall-newbies] Masq not working.

Harding, Tyson tharding at ball.com
Thu Jan 15 14:17:16 PST 2004


I have not seen Shorewall log anything to the syslog indicating it is blocking the packets, but I see packets coming back from the web server from port 80 to the firewall server.

If I am using and reading the tcpdump correctly, then the packet requests are going out masqueraded. The response is coming back to the firewall's external interface, and that is where it ends. The web server looks like it retries a few times, then stops.

When running tcpdump, I am filtering just port 80 transactions (tcpdump -i eth0 port 80). If I need to look for other packets let me know, and I can rerun the test. If I should look at all packets I will have to wait to get home so I can run the command locally instead of via ssh.

Tyson

-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net]
Sent: Thursday, January 15, 2004 2:01 PM
To: Harding, Tyson; shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] Masq not working.


On Thursday 15 January 2004 12:54 pm, Harding, Tyson wrote:
> I have just installed shorewall 1.4.9, and setup everything according to
> the two-interface documentation. The firewall is working, and I am able to
> block, and open the ports that I want. The only part that is not working is
> the Masq.
>
> I have a cable modem with a dynamic IP address. From the firewall I can get
> out to the internet, and can connect to the computers on my loc network.
> The computers on the loc network are able to ping machines on the internet,
> but they cannot connect to them. Using tcpdump on the firewall machine, and
> watching the external interface (eth0) I can see that the requests are
> going out to the web server, but the firewall is not letting them back in.

So you see the replies coming back and then Shorewall is logging and blocking 
them? I doubt that.

Are the requests that you see going out masqueraded (that is, is the source 
address in the packets the same as the IP address of your firewall's external 
interface)?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
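The two things this thread is trying to establish from tcpdump output are exactly the checks Tom asks for: are the outbound requests leaving eth0 with the firewall's external address as their source, and do the replies that reach eth0 ever show up on the LAN-side interface. The script below is an added example, not code from the thread or from Shorewall; it parses constructed `tcpdump -n` lines from both interfaces and answers those questions. The addresses (203.0.113.10 as the firewall's external IP, 198.51.100.20 as the web server, 192.168.1.5 as the LAN host) and the capture text are constructed, and it assumes MASQUERADE kept the client's source port unchanged so a flow can be matched across the two captures.

```python
"""Cross-check tcpdump captures from both interfaces of a masquerading
firewall (added example; addresses and captures are constructed)."""
import re

# Assumed (constructed) firewall external address; replace with your own.
EXT_IP = "203.0.113.10"

# Constructed sample of `tcpdump -n -i eth0 port 80` (external side).
EXT_CAPTURE = """\
14:05:01.100001 IP 203.0.113.10.40001 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
14:05:01.130002 IP 198.51.100.20.80 > 203.0.113.10.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
14:05:04.130003 IP 198.51.100.20.80 > 203.0.113.10.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
14:05:10.100004 IP 192.168.1.5.40002 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
"""

# Constructed sample of `tcpdump -n -i eth1 port 80` (LAN side).
LAN_CAPTURE = """\
14:05:01.100000 IP 192.168.1.5.40001 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
14:05:10.100000 IP 192.168.1.5.40002 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
"""

# Matches the fixed prefix of a tcpdump -n TCP line: timestamp, addresses, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_capture(text):
    """Turn tcpdump -n text into a list of dicts; lines that do not match
    the TCP pattern (ARP, ICMP, continuation lines) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            packets.append(d)
    return packets


def unmasqueraded_sources(ext_packets, ext_ip=EXT_IP):
    """Tom's question: outbound port-80 packets on the external interface
    whose source is not the firewall's own address have not been
    masqueraded. Returns the sorted list of leaking source addresses."""
    leaks = {p["src"] for p in ext_packets
             if p["dport"] == 80 and p["src"] != ext_ip}
    return sorted(leaks)


def unforwarded_replies(ext_packets, lan_packets):
    """Replies from port 80 seen on the external interface but never on
    the LAN interface. Flows are keyed by (server, server port, client
    port); the assumption is that MASQUERADE rewrote only the client
    address, so the client port is the same on both sides."""
    seen_ext = {(p["src"], p["sport"], p["dport"]) for p in ext_packets
                if p["sport"] == 80}
    seen_lan = {(p["src"], p["sport"], p["dport"]) for p in lan_packets
                if p["sport"] == 80}
    return sorted(seen_ext - seen_lan)


def reply_retries(ext_packets):
    """Count SYN-ACKs per flow on the external interface. A count above
    one is the web server retransmitting because nothing answered it,
    which is what 'retries a few times, then stops' looks like."""
    counts = {}
    for p in ext_packets:
        if p["sport"] == 80 and "S" in p["flags"] and "." in p["flags"]:
            key = (p["src"], p["sport"], p["dport"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    ext = parse_capture(EXT_CAPTURE)
    lan = parse_capture(LAN_CAPTURE)
    print("not masqueraded:", unmasqueraded_sources(ext))
    print("replies never forwarded:", unforwarded_replies(ext, lan))
    print("server retries per flow:", reply_retries(ext))
```

On the constructed captures the first flow (client port 40001) is masqueraded correctly, its SYN-ACK arrives on eth0 twice, and it never appears on eth1, which is the symptom described in the thread; the second flow (port 40002) leaves eth0 with its private source address, which is the case Tom is asking about. Run tcpdump with `-n` on both interfaces at once so the address and port fields line up with the regex and are not replaced by hostnames.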
