From: Sam C. <sa...@or...> - 2012-05-29 17:30:10
This email proudly sent through my new firewall! Thanks everyone for your help, it was key to resolving the issue. Turns out the problem was user error. A cable was mislabeled and I was in fact unplugging the web server and plugging the new firewall's DMZ interface in its place. Explains why all the interfaces and MAC addresses looked right to me; I was just missing one clue that I finally saw today - the MAC address shown for the DMZ interface on the web server was showing up as (incomplete), not an actual address. Once I started pinging different interfaces from other servers I realized what the problem was. So thanks again for everyone's quick answers, and sorry to have taken your time with user error. I was truly at my wit's end with this and I could not have figured it out without the confirmation that I had shorewall configured correctly and a weekend away from computers to give me a fresh start today.

Sam

On 5/22/2012 12:20 PM, Tom Eastep wrote:
> On 05/22/2012 08:08 AM, Sam Cappello wrote:
>
>> connection request is reaching the firewall and is being redirected
>> to the server. In this case, the problem is usually a missing or
>> incorrect default gateway setting on the local system (the system
>> you are trying to forward to -- its default gateway must be the IP
>> address of the firewall's interface to that system unless you use
>> the hack described in FAQ 1f
>> <http://www.shorewall.net/FAQ.htm#faq1f>).
>>
>> <sam> default gw is set to firewall
>> conntrack table shows [UNREPLIED] ex.
>> tcp 6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2
>>
> SYN_SENT means that the firewall has sent the packet to 172.16.90.36 who
> has not responded.
>
> You need to use tcpdump on eth2:
>
> tcpdump -nei eth2 port 80
>
> Pay particular attention to the MAC addresses of the SYNs being sent to
> 172.16.90.36 and the SYN,ACKs being returned to the client. While you
> stated that you power-cycled the switches, the server itself can have
> the same issue when you swap default routers.
>
> -Tom
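An added example, not part of the thread or of Shorewall: a small Python parser for conntrack lines in the format Sam pasted, flagging DNAT'd TCP entries that sit in SYN_SENT [UNREPLIED], i.e. the firewall forwarded the SYN but the internal target never answered, which is the pattern Tom read from the table. The three sample lines are constructed (the first mirrors Sam's entry, the DNS address is a documentation-range placeholder) and the function names are my own.

```python
import re

# Constructed sample in the ip_conntrack line format quoted in the thread.
# Line 1 mirrors Sam's entry; lines 2-3 are healthy entries for contrast.
SAMPLE_CONNTRACK = """\
tcp 6 77 SYN_SENT src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80 packets=1 bytes=60 [UNREPLIED] src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0 use=2
tcp 6 431999 ESTABLISHED src=198.152.13.67 dst=24.129.159.12 sport=51396 dport=80 packets=12 bytes=1820 src=172.16.90.36 dst=198.152.13.67 sport=80 dport=51396 packets=10 bytes=9044 [ASSURED] mark=0 use=1
udp 17 29 src=172.16.90.36 dst=192.0.2.53 sport=40000 dport=53 packets=1 bytes=60 src=192.0.2.53 dst=172.16.90.36 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
"""
KV = re.compile(r"(src|dst|sport|dport|packets|bytes)=(\S+)")


def parse_entry(line):
    """Parse one conntrack line; each 'src=' token opens a new tuple, the
    first being the original direction and the second the reply direction."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    proto = tokens[0]
    state = tokens[3] if proto == "tcp" else None  # UDP lines carry no state
    sides = []
    for tok in tokens:
        m = KV.fullmatch(tok)
        if m and m.group(1) == "src":
            sides.append({})
        if m and sides:
            sides[-1][m.group(1)] = m.group(2)
    if len(sides) != 2:
        return None
    orig, reply = sides
    return {"proto": proto, "state": state, "orig": orig, "reply": reply,
            "unreplied": "[UNREPLIED]" in tokens,
            # DNAT: the host expected to answer is not the address the client dialed
            "dnat": orig["dst"] != reply["src"]}


def find_stuck_forwards(text):
    """Return DNAT'd TCP entries stuck in SYN_SENT with no reply: the SYN was
    forwarded, but the internal target never sent its SYN,ACK back."""
    stuck = []
    for line in text.splitlines():
        e = parse_entry(line)
        if (e and e["proto"] == "tcp" and e["state"] == "SYN_SENT"
                and e["unreplied"] and e["dnat"]):
            stuck.append({"client": e["orig"]["src"], "public": e["orig"]["dst"],
                          "target": e["reply"]["src"], "dport": int(e["orig"]["dport"])})
    return stuck


if __name__ == "__main__":
    print(find_stuck_forwards(SAMPLE_CONNTRACK))
```

A hit names the internal target to check next, which in Sam's case meant the host's gateway and, as it turned out, the cabling; the same entries come from `conntrack -L` on newer kernels with an extra address-family prefix in front of the protocol.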