Re: [Shorewall-users] DNAT issues after upgrade from 1.3.9b to 4.4.27.3

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

This email proudly send through my new firewall!
thanks everyone for your help, it was key to resolving the issue.
turns out the problem was user error.  a cable was mislabeled and i was 
in fact unplugging the web server and plugging the new firewall's DMZ 
interface in it's place.  explains why all the interfaces and MAC 
addresses looked right to me, i was just missing one clue that i finally 
saw today - the mac address shown for the DMZ interface on the web 
server was showing up as (incomplete), not an actual address.  once i 
started pinging different interfaces from other servers i realized what 
the problem was.

So thanks again for everyone's quick answers, and sorry to have taken 
your time with user error.  i was truly at my wit's end with this and i 
could not have figured it out without the confirmation that i had 
shorewall configured correctly and a weekend away from computers to give 
me a fresh start today.

Sam

Tom Eastep wroteOn 5/22/2012 12:20 PM:
> On 05/22/2012 08:08 AM, Sam Cappello wrote:
>
>>      connection request is reaching the firewall and is being redirected
>>      to the server. In this case, the problem is usually a missing or
>>      incorrect default gateway setting on the local system (the system
>>      you are trying to forward to -- its default gateway must be the IP
>>      address of the firewall's interface to that system unless you use
>>      the hack described in FAQ 1f
>>      <http://www.shorewall.net/FAQ.htm#faq1f>).<sam>  default gw is set
>>      to firewall
>>          conntrack table shows [UNREPLIED] ex. tcp 6 77 SYN_SENT
>>          src=198.152.13.67 dst=24.129.159.12 sport=51395 dport=80
>>          packets=1 bytes=60 [UNREPLIED] src=172.16.90.36
>>          dst=198.152.13.67 sport=80 dport=51395 packets=0 bytes=0 mark=0
>>          use=2
>>
> SYN_SENT means that the firewall has sent the packet to 172.16.90.36 who
> has not responded.
>
> You need to use tcpdump on eth2:
>
> 	tcpdump -nei eth2 port 80
>
> Pay particular attention to the MAC addresses of the SYNs being sent to
> 172.16.90.36 and the SYN,ACKs being returned to the client. While you
> stated that you power-cycled the switches, the server itself can have
> the same issue when you swap default routers.
>
> -Tom