OK, I found the culprit. I changed a rule from:

DNAT  net  dmz:10.10.10.102  tcp  80,443

to:

DNAT  net  dmz:10.10.10.102  tcp  80,443  -  94.23.244.210

And now all is working! Thanks, Tom, for this wonderful firewall and for the help you give.

Sincerely,
Selvam Matthys

2010/3/23 Selvam Matthys <selvam.matthys@gmail.com>
Thank you for the solution! I will read this FAQ!
I can connect to my machine now :-)) I'm so glad. But for some strange reason, I can't get on the internet from this machine when Shorewall is on. I can do DNS lookups, tracert and ping from that machine to the internet, but can't browse the internet. The worst thing is that there is nothing in the log to show me where the problem resides. The only thing I get now is this:

Shorewall:net2dmz:DROP:IN=vmbr0 OUT=venet0 PHYSIN=eth0 SRC=83.195.155.26 DST=10.10.10.102 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21435 DF PROTO=TCP SPT=2084 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

That's strange, because there is a rule that says accept from net to dmz:10.10.10.102 80,443.
Now when I open the browser (on the machine with the second IP, 94.23.154.41) I always see my webserver default webpage on 10.10.10.102.
Strange,

Sincerely,
Selvam Matthys

2010/3/23 Tom Eastep <teastep@shorewall.net>
Selvam Matthys wrote:
> OK, I'm sorry for not answering the last mail, but I changed my whole config.
>
> So what I did now: two public IPs on my vmbr0, which is bridged on eth0.
> So my fw gets 94.23.244.210, my dmz is 10.10.10.0/24,
> and I have one KVM machine connected on vmbr0
> with IP 94.23.154.41.
> The thing is that when I activate my Shorewall, I can't get on the
> internet anymore with this KVM machine, and I get this message in the log:
>
> Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=eth0 SRC=94.23.154.41 DST=94.23.154.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4338 PROTO=ICMP TYPE=8 CODE=0 ID=34450 SEQ=25345
>
>
> So when I disable Shorewall, my two public IPs work well, but when
> it is enabled, my second IP stops working. When I ping my second IP I get
> an answer back from my main IP 94.23.244.210 that tells me destination
> host unreachable.
> I will answer much faster this time; I'm not changing my config anymore.

You have neglected to set the 'routeback' option on vmbr0. See Shorewall FAQ 17.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
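Putting Tom's routeback fix and Selvam's corrected DNAT rule together: the fragments below are an added example of the two Shorewall 4.x configuration files involved, not configuration posted in this thread. The zone layout (net on vmbr0, dmz on venet0, taken from the OUT=venet0 field of the logged packet) is an assumption reconstructed from the messages; the column layout (SOURCE PORT(S) left as "-", ORIGINAL DEST last) follows the rules file of that release. The "before" rule is commented out beside the corrected one.

```text
############################################################
# /etc/shorewall/interfaces
# vmbr0 carries both public addresses; the KVM guest 94.23.154.41 sits
# behind it. Without routeback, a packet whose IN and OUT interface are
# both vmbr0 (the FORWARD:REJECT line in the thread) matches no zone
# pair and falls through to the chain's REJECT (Shorewall FAQ 17).
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     vmbr0       detect      routeback
# dmz on venet0 is an assumption taken from OUT=venet0 in the DROP line.
dmz     venet0      detect

############################################################
# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO  DEST      SOURCE   ORIGINAL
#                                          PORT(S)   PORT(S)  DEST
#
# Before: no ORIGINAL DEST column, so every packet arriving from the net
# zone on tcp 80/443 is rewritten to 10.10.10.102 regardless of which
# address it was sent to. Once routeback is on, the guest's own outbound
# web requests also enter from the net zone on vmbr0, so they are
# redirected to the web server as well, which matches the "always see my
# webserver default webpage" symptom.
#DNAT   net     dmz:10.10.10.102    tcp    80,443
#
# After: match only packets originally addressed to the firewall's own
# public address. Packets addressed to 94.23.154.41, and the guest's
# outbound traffic to arbitrary web sites, are no longer touched.
DNAT    net     dmz:10.10.10.102    tcp    80,443    -        94.23.244.210
```

With routeback set, the guest's traffic to the internet is net-to-net, which Shorewall accepts through its implicit intra-zone ACCEPT unless an explicit "net net" policy overrides it. The general caveat is the same on any firewall: a DNAT or port-forward rule with no destination-address qualifier applies to every address reachable through that interface, so add the original-destination match whenever one interface carries more than one public address.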


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users