Hi,
every client in loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) shows this DNS
configuration:
root@vm104-mail:~# cat /etc/resolv.conf
# --- BEGIN PVE ---
nameserver 78.42.43.41
nameserver 82.212.62.41
# --- END PVE ---
These DNS servers are in net.
I have defined these rules to permit access to Debian update servers:
## Permit Debian Update access
ACCEPT dmz net:130.89.148.12 tcp http
ACCEPT dmz net:195.20.242.89 tcp http
ACCEPT dmz net:87.230.23.19 tcp http
ACCEPT dmz net:198.199.77.106 tcp http
ACCEPT dmz net:134.109.228.1 tcp http
ACCEPT dmz net:212.211.132.250 tcp http
ACCEPT dmz net:129.143.116.113 tcp http
I have defined these rules to permit access to DNS servers:
## Permit DNS access
DNS(ACCEPT) loc,dmz net
DNS(ACCEPT) $FW net
But name resolution fails from loc and dmz; there are no issues on
firewall host.
Why do you recommend adding another SNAT rule for 10.1.0.0/24?
I cannot find anything similar in the guide
<http://www.shorewall.net/MultiISP.html> " Shorewall and Multiple
Internet Connections".
Regards
Thomas
On 02.04.2016 at 16:47, Tom Eastep wrote:
On 04/01/2016 03:55 PM, Thomas Schneider wrote:
Hi Tom,
I think there's some big progress on this.
After changing configuration /etc/shorewall/masq as recommended by you,
I can find this entry in the dump:
Chain POSTROUTING (policy ACCEPT 79 packets, 5548 bytes)
 pkts bytes target prot opt in  out  source       destination
    2   168 SNAT   all  --  *   eth0 10.0.0.0/24  0.0.0.0/0
However, there are still some issues.
1)
In network 10.0.0.0/24, I can ping 10.0.0.1, 217.8.50.65, 130.89.148.12,
but not any URL.
root@vm111-rose:~# ping www.google.de
ping: unknown host www.google.de
Unfortunately apt update does not work either.
Where is the DNS server that these hosts are configured to use (which
zone)? If it is in the 'net' zone, then you need:
DNS(ACCEPT) loc net
DNS(ACCEPT) dmz net
2)
In network 10.1.0.0/24 (= DMZ), I can neither ping 10.1.0.1,
217.8.50.65, 130.89.148.12, nor any URL.
Unfortunately apt update does not work either.
You need:
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) dmz net
I assume issue 1) is related to missing DNS, and issue 2) is related to
any firewall rules + missing DNS. But I intended to allow access to
Debian-Update-Servers for clients in DMZ.
You clearly also need an SNAT rule for 10.1.0.0/24. Or change your
current rule to specify 10.0.0.0/8 instead of 10.0.0.0/24.
For APT, assuming that you have specified 'http://...' for your sources
in /etc/apt/sources.list, then you need:
HTTP(ACCEPT) loc net
HTTP(ACCEPT) dmz net
If you have specified 'ftp://...', then you need
FTP(ACCEPT) loc net
FTP(ACCEPT) dmz net
I have attached the latest dump file.
Could you please check what is the root cause for these issues?
THX for your great support!
-Tom
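The question at the top of the thread (why a second SNAT rule, or a wider one, is needed for 10.1.0.0/24) comes down to whether the source of each internal zone falls inside the source match of some SNAT rule in the POSTROUTING chain. Traffic from a zone that no SNAT rule covers leaves eth0 with its private 10.x source address, so replies from net (DNS answers included) never come back. The following script is an added example, not part of this thread or of Shorewall itself: it parses the chain as printed in the dump above and reports which internal subnets are not covered. The two chain listings are constructed from the quoted output, one as it appeared in the dump and one as it would look after changing the rule to 10.0.0.0/8; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: POSTROUTING chain as shown in the thread's dump,
# with only the 10.0.0.0/24 SNAT rule present.
DUMP_BEFORE='Chain POSTROUTING (policy ACCEPT 79 packets, 5548 bytes)
 pkts bytes target prot opt in out source destination
    2   168 SNAT   all  --  *  eth0 10.0.0.0/24 0.0.0.0/0'

# Constructed sample: the same chain after widening the masq entry to 10.0.0.0/8.
DUMP_AFTER='Chain POSTROUTING (policy ACCEPT 79 packets, 5548 bytes)
 pkts bytes target prot opt in out source destination
    2   168 SNAT   all  --  *  eth0 10.0.0.0/8 0.0.0.0/0'

# ip_to_int A.B.C.D -> the address as a 32-bit unsigned integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains OUTER INNER -> success if the INNER prefix lies wholly inside OUTER.
cidr_contains() {
    o_ip=${1%/*}; o_len=${1#*/}
    i_ip=${2%/*}; i_len=${2#*/}
    # A longer (or equal) prefix can only be inside a shorter one.
    [ "$i_len" -ge "$o_len" ] || return 1
    mask=$(( (4294967295 << (32 - o_len)) & 4294967295 ))
    [ $(( $(ip_to_int "$o_ip") & mask )) -eq $(( $(ip_to_int "$i_ip") & mask )) ]
}

# snat_covered CHAIN_TEXT SUBNET -> success if some SNAT rule's source match
# covers SUBNET. Column 3 is the target and column 8 the source in
# 'iptables -L -v -n' style output, which is what the dump prints.
snat_covered() {
    printf '%s\n' "$1" | awk '$3 == "SNAT" { print $8 }' |
    while IFS= read -r src; do
        if cidr_contains "$src" "$2"; then echo covered; fi
    done | grep -q covered
}

# missing_snat CHAIN_TEXT SUBNET... -> prints each subnet with no covering SNAT rule.
missing_snat() {
    chain=$1; shift
    for net in "$@"; do
        snat_covered "$chain" "$net" || printf '%s\n' "$net"
    done
}

# Stand-alone run: show the loc and dmz zones against both rule sets.
for label in BEFORE AFTER; do
    eval "chain=\$DUMP_$label"
    for net in 10.0.0.0/24 10.1.0.0/24; do
        if snat_covered "$chain" "$net"; then
            printf '%-6s %-12s SNAT ok\n' "$label" "$net"
        else
            printf '%-6s %-12s no SNAT rule covers this source\n' "$label" "$net"
        fi
    done
done
```

Against the dump as posted, only 10.0.0.0/24 is reported as covered and 10.1.0.0/24 is flagged; with the single 10.0.0.0/8 rule both zones are covered, which is why either fix Tom suggests (a second rule or a wider source) resolves the DMZ half of the problem. The DNS(ACCEPT) rules are still required separately, since SNAT only fixes the return path and does not open dmz to net.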
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users