On 04/01/2016 03:55 PM, Thomas Schneider wrote:
> Hi Tom,
> 
> I think there's some big progress on this.
> After changing configuration /etc/shorewall/masq as recommended by you,
> I can find this entry in the dump:
> Chain POSTROUTING (policy ACCEPT 79 packets, 5548 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     2   168 SNAT       all  --  *      eth0    10.0.0.0/24          0.0.0.0/0
> 
> However, there are still some issues.
> 1)
> In network 10.0.0.0/24, I can ping 10.0.0.1, 217.8.50.65, 130.89.148.12,
> but not any URL.
> root@vm111-rose:~# ping www.google.de
> ping: unknown host www.google.de
> 
> Unfortunately apt update does not work either.

Where is the DNS server that these hosts are configured to use (which
zone)? If it is in the 'net' zone, then you need:

DNS(ACCEPT)     loc     net
DNS(ACCEPT)     dmz     net

> 
> 2)
> In network 10.1.0.0/24 (= DMZ), I can neither ping 10.1.0.1,
> 217.8.50.65, 130.89.148.12, nor any URL.
> Unfortunately apt update does not work either.

You need:

Ping(ACCEPT)    dmz     $FW
Ping(ACCEPT)    dmz     net

> 
> I assume issue 1) is related to missing DNS, and issue 2) is related to
> any firewall rules + missing DNS. But I intended to allow access to
> Debian-Update-Servers for clients in DMZ.

You clearly also need an SNAT rule for 10.1.0.0/24. Or change your
current rule to specify 10.0.0.0/8 instead of 10.0.0.0/24.

For APT, assuming that you have specified 'http://...' for your sources
in /etc/apt/source.list, then you need:

HTTP(ACCEPT)    loc     net
HTTP(ACCEPT)    dmz     net

If you have specified 'ftp://...', then you need

FTP(ACCEPT)     loc     net
FTP(ACCEPT)     dmz     net

> 
> I have attached the latest dump file.
> Could you please check what is the root cause for these issues?
> 
> THX for your great support!

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
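As an added example (not from this thread and not part of Shorewall), a small checker that parses a POSTROUTING listing like the one quoted above and reports which internal zones have no SNAT/MASQUERADE rule covering them on the 'net' interface, which is the gap behind the DMZ problem discussed here. The sample dump, the zone-to-network map and the translated address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed sample mirroring the chain quoted in the thread, as printed by
# `iptables -t nat -L POSTROUTING -v -n`; the 'to:' address is a placeholder.
SAMPLE_DUMP = """\
Chain POSTROUTING (policy ACCEPT 79 packets, 5548 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 SNAT       all  --  *      eth0    10.0.0.0/24          0.0.0.0/0            to:203.0.113.10
"""

# Zone name -> network that must be translated when leaving via the net
# interface (constructed; the zone labels follow the thread).
INTERNAL_NETS = {"loc": "10.0.0.0/24", "dmz": "10.1.0.0/24"}

NAT_TARGETS = {"SNAT", "MASQUERADE"}


def parse_nat_sources(dump, out_iface):
    """Return the source networks of SNAT/MASQUERADE rules bound to out_iface.

    Works on the verbose numeric listing; the 'Chain' and header lines have
    no NAT target in the third column and are skipped.
    """
    covered = []
    for line in dump.splitlines():
        fields = line.split()
        # Layout: pkts bytes target prot opt in out source destination [extra]
        if len(fields) < 9 or fields[2] not in NAT_TARGETS:
            continue
        if fields[6] != out_iface:
            continue
        # A bare address (no prefix) is treated as a /32 host network.
        covered.append(ipaddress.ip_network(fields[7], strict=False))
    return covered


def untranslated_zones(dump, out_iface="eth0", nets=INTERNAL_NETS):
    """Return zones whose network is not wholly inside any NAT source.

    A single broader rule (e.g. 10.0.0.0/8) covers several zones at once.
    """
    covered = parse_nat_sources(dump, out_iface)
    return [zone for zone, cidr in nets.items()
            if not any(ipaddress.ip_network(cidr).subnet_of(c) for c in covered)]


if __name__ == "__main__":
    print("zones without SNAT on eth0:", untranslated_zones(SAMPLE_DUMP))
```

Running it against the quoted dump lists only 'dmz'; replacing the rule's source with 10.0.0.0/8 (the alternative suggested above) yields an empty list.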



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users