From: <ko...@su...> - 2006-11-10 17:42:09
That did the trick! Many, many thanks. FTP doesn't work unless it's passive - but as I understand it the FTP macro should handle active ftp - so it's probably something to do with the firewall sandwich that the shorewall instance is in the middle of. Again, many thanks..

Bill

On Fri, 10 Nov 2006, Tom Eastep wrote:

> ko...@su... wrote:
>> Hopefully this hasn't been asked a number of times.. I did some searching,
>> and didn't come up with anything initially.
>
> This is actually Shorewall FAQ #2 but it is disguised enough that you probably
> didn't recognize it.
>
>>
>> Here is my info (modified slightly to make safe to broadcast):
>
> So you believe in "security by obscurity"...
>
>> Masq: (not sure if this is necessary..)
>> eth0 0.0.0.0/0 175.31.30.10
>
> It *is* necessary.
>
>>
>> When I try to ftp to the box from the outside (72.36.210.44), the
>> connection is refused, and the following is in the log:
>>
>> Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
>> SRC=72.36.210.44 DST=10.111.46.4 LEN=60 TOS=0x10 PREC=0x00 TTL=48
>> ID=61493 DF PROTO=TCP SPT=51483 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0A
>
> From the answer to Shorewall FAQ 17 (Why are these packets being
> Dropped/Rejected?/How do I decode Shorewall log messages?):
>
> If the chain is FORWARD and the IN and OUT interfaces are the same, then
> you probably need the 'routeback' option on that interface in
> /etc/shorewall/interfaces or you need the 'routeback' option in the
> relevant entry in /etc/shorewall/hosts.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ te...@sh...
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
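The FAQ 17 rule Tom quotes (chain FORWARD with IN and OUT naming the same interface means a missing 'routeback' option) is easy to apply by hand to one log line, but it is also easy to check automatically when reviewing a firewall log. The following is an added example, not code from the thread or from the Shorewall project: it parses the netfilter-style key=value fields of a Shorewall log message, extracts the chain and disposition from the log prefix, and reports the routeback hint when the condition holds. The first sample line is the one quoted above; the second is constructed for contrast. The function names and the output wording are this example's own.

```python
"""Decode Shorewall log messages and apply the FAQ 17 'routeback' rule.

Added example; not from the thread or the Shorewall project. Field names
(IN, OUT, SRC, DST, PROTO, SPT, DPT, ...) follow the netfilter LOG target
format seen in the quoted log line.
"""
import re

# Log prefix, e.g. "Shorewall:FORWARD:REJECT:" -> chain and disposition.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
# key=value tokens; standalone flags such as DF and SYN have no '='.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition, key=value fields and bare flags for a
    Shorewall log message, or None if the line carries no Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(FIELD_RE.findall(rest))
    flags = [tok for tok in rest.split() if "=" not in tok]
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "fields": fields,
        "flags": flags,
    }


def routeback_hint(entry):
    """FAQ 17 rule as quoted in the thread: if the chain is FORWARD and the
    IN and OUT interfaces are the same, the interface probably needs the
    'routeback' option. Returns that interface name, else None."""
    if entry is None or entry["chain"] != "FORWARD":
        return None
    iface_in = entry["fields"].get("IN")
    iface_out = entry["fields"].get("OUT")
    if iface_in and iface_in == iface_out:
        return iface_in
    return None


def explain(line):
    """One-line human summary of a log message plus the routeback hint."""
    entry = parse_shorewall_log(line)
    if entry is None:
        return "not a Shorewall log message"
    f = entry["fields"]
    summary = "%s %s %s:%s -> %s:%s proto %s" % (
        entry["chain"], entry["disposition"],
        f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"), f.get("PROTO"),
    )
    iface = routeback_hint(entry)
    if iface:
        summary += (" | IN==OUT on %s: add 'routeback' to that interface in "
                    "/etc/shorewall/interfaces (or the matching hosts entry)" % iface)
    return summary


# The log line quoted in the thread (addresses as the poster gave them).
SAMPLE_FORWARD = (
    "Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
    "SRC=72.36.210.44 DST=10.111.46.4 LEN=60 TOS=0x10 PREC=0x00 TTL=48 "
    "ID=61493 DF PROTO=TCP SPT=51483 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# Constructed contrast line: different IN/OUT interfaces, so no routeback hint.
SAMPLE_ROUTED = (
    "Nov 10 16:30:00 revproxy kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 "
    "SRC=192.0.2.10 DST=10.111.46.4 LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"
)

if __name__ == "__main__":
    for line in (SAMPLE_FORWARD, SAMPLE_ROUTED):
        print(explain(line))
```

Running it on the thread's own log line reports the IN==OUT condition on eth0, which is exactly the diagnosis Tom gave; the constructed line with eth0/eth1 gets a plain summary and no hint.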