<p><strong>On Thu Oct 4 0:02 , Costa Tsaousis sent:<br /><br /></strong><blockquote style="border-left: 2px solid rgb(245, 245, 245); margin-left: 5px; margin-right: 0px; padding-left: 5px; padding-right: 0px;">rich@thevillas.eclipse.co.uk wrote:<br />
><br />
> Interestingly, I can't seem to ssh to the external address of the <br />
> firewall from the LAN either. I'm wondering whether there is a rule <br />
> that is dropping all traffic hitting the PUBLIC_MYIP if it originates <br />
> from the LAN?<br />
><br />
If firehol is dropping traffic there should be some logs about it. Check it.<br />
<br />
You could also append<br />
<br />
... log "text to be logged"<br />
<br />
to the dnat and snat rules (or any other). This will make the rule log <br />
the "text to be logged" when a packet matches it.<br />
</blockquote></p><p>Thanks. So, I've taken a reverse approach by looking at the logs.</p><p>I have a snat rule:</p><pre>
# SNAT LAN -> webserver traffic to the firewall's LAN address
snat to "${HOME_MYIP}" \
    outface "${HOME_MYIF}" \
    src "${HOME_LAN}" dst "${WEBSERVER}" log "websnatted" level 7
</pre><p>Nothing gets logged. The other snat rule for all general traffic going out logs fine:</p><pre>
# SNAT everything else from the LAN to the public address
snat to "${PUBLIC_MYIP}" \
    outface "${PUBLIC_MYIF}" \
    src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}" log "snatted" level 7
</pre><p>So, moving on to dnat:</p><pre>
# DNAT inbound HTTP on the public interface to the webserver
dnat to ${WEBSERVER}:80 \
    inface "${PUBLIC_MYIF}" \
    src not "${UNROUTABLE_IPS}" \
    proto tcp dport 80 log "webdnatted" level 7
</pre><p>This doesn't log if the traffic is coming from the LAN.</p><p>I thought the next section causing the problem could be:</p><pre>
# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}" log "lanprotect" level 7
    policy reject

    server "${HOME_SERVICES}" accept

    client all accept
</pre><p>This logs when I try to connect to the firewall external ${PUBLIC_MYIP} with ssh but not http.</p><p>The only other section I think could be causing the problem is below, but nothing gets logged for these rules for traffic from the LAN:</p><pre>
# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet \
    src not "${UNROUTABLE_IPS}" \
    `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"` log "publicprotect" level 7

    protection strong
    policy drop

    # Are there any trusted PCs/services?
    if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
    then
        server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
    fi

    server "${PUBLIC_SERVICES}" accept

    client all accept
</pre><p>Thanks again,</p><p>Rich</p><p><blockquote style="border-left: 2px solid rgb(245, 245, 245); margin-left: 5px; margin-right: 0px; padding-left: 5px; padding-right: 0px;">
You can also do:<br />
<br />
firehol status<br />
<br />
In the output the first column is a packet counter. You should see this <br />
increasing for each packet matching the rule.<br />
<br />
Costa<br />
<br />
</blockquote>
</p><BR>
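<p>The two checks Costa suggests in this thread (the kernel log lines produced by a rule's <code>log "label"</code>, and the packet counter in the first column of <code>firehol status</code>) can be applied mechanically. The script below is an added example written for this page; it is not code from the original thread or from FireHOL. It runs against constructed sample data: a made-up excerpt of <code>firehol status</code> (nat table only) and a few made-up syslog lines. It assumes that FireHOL's LOG rule uses a <code>--log-prefix</code> beginning with the label followed by a colon; interface names, addresses and counters are all invented. The hypothetical helpers <code>rule_packets</code>, <code>log_hits</code>, <code>log_sources</code> and <code>diagnose</code> are defined here, not by FireHOL.</p>

```shell
#!/bin/sh
# Added example, not code from the original thread or from FireHOL itself.
# It applies two checks to constructed sample data:
#   1. `firehol status` output (iptables -nvL), where the first column is
#      the per-rule packet counter, and
#   2. kernel log lines carrying the label given to a rule's `log "label"`.
# Assumption: the LOG rule's prefix starts with the label as "label:".
# All addresses, interfaces and counters below are made up for the example.

# Constructed excerpt of `firehol status` (nat table only, so filter-table
# labels such as lanprotect will read as "missing" against it).
STATUS_SAMPLE='Chain PREROUTING (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target  prot opt in    out   source           destination
    7   420 LOG     tcp  --  eth0  *     !10.0.0.0/8      203.0.113.5  tcp dpt:80 LOG flags 0 level 7 prefix "webdnatted:"
    7   420 DNAT    tcp  --  eth0  *     !10.0.0.0/8      203.0.113.5  tcp dpt:80 to:192.168.1.10:80

Chain POSTROUTING (policy ACCEPT 9 packets, 600 bytes)
 pkts bytes target  prot opt in    out   source           destination
    0     0 LOG     all  --  *     eth1  192.168.1.0/24   192.168.1.10 LOG flags 0 level 7 prefix "websnatted:"
    0     0 SNAT    all  --  *     eth1  192.168.1.0/24   192.168.1.10 to:192.168.1.1
   42  2520 LOG     all  --  *     eth0  192.168.1.0/24   !10.0.0.0/8  LOG flags 0 level 7 prefix "snatted:"
   42  2520 SNAT    all  --  *     eth0  192.168.1.0/24   !10.0.0.0/8  to:203.0.113.5'

# Constructed kernel log lines as syslog would record them.
LOG_SAMPLE='Oct  4 00:02:11 fw kernel: snatted:IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443
Oct  4 00:02:15 fw kernel: lanprotect:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=40002 DPT=22
Oct  4 00:02:17 fw kernel: webdnatted:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
Oct  4 00:02:19 fw kernel: snatted:IN= OUT=eth0 SRC=192.168.1.21 DST=198.51.100.8 PROTO=UDP SPT=40003 DPT=53'

STATUS_FILE=$(mktemp)
LOG_FILE=$(mktemp)
trap 'rm -f "$STATUS_FILE" "$LOG_FILE"' EXIT
printf '%s\n' "$STATUS_SAMPLE" > "$STATUS_FILE"
printf '%s\n' "$LOG_SAMPLE" > "$LOG_FILE"

# rule_packets LABEL STATUS_FILE
# Print the packet counter (first column) of the LOG rule whose prefix is
# LABEL, or "missing" if no loaded rule carries that label.
rule_packets() {
    awk -v label="$1" '
        $0 ~ ("prefix \"" label "[:\"]") { print $1; found = 1; exit }
        END { if (!found) print "missing" }' "$2"
}

# log_hits LABEL LOG_FILE
# Count kernel log lines produced by the rule labelled LABEL (0 if none).
log_hits() {
    grep -c "kernel: $1:" "$2" || :
}

# log_sources LABEL LOG_FILE
# List the distinct source addresses seen by the rule labelled LABEL.
log_sources() {
    grep "kernel: $1:" "$2" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# diagnose LABEL STATUS_FILE LOG_FILE
# Combine both signals into one verdict: rule not loaded, loaded but never
# matched, or matched (with the number of log lines seen for it).
diagnose() {
    pk=$(rule_packets "$1" "$2")
    hits=$(log_hits "$1" "$3")
    if [ "$pk" = missing ]; then
        echo "$1: no rule with this label is loaded (check firehol status)"
    elif [ "$pk" -eq 0 ]; then
        echo "$1: rule is loaded but has matched 0 packets ($hits log lines)"
    else
        echo "$1: rule matched $pk packets ($hits log lines)"
    fi
}

for label in websnatted snatted webdnatted; do
    diagnose "$label" "$STATUS_FILE" "$LOG_FILE"
done
```

<p>On a real firewall the two files would be replaced by <code>firehol status</code> output and the syslog file that receives kernel messages. A label that reads "missing" means the rule was never loaded (for example, a syntax or variable error in that interface block); "0 packets" means the rule is loaded but the traffic is taking a different path through the chains than expected, which is the distinction the thread is trying to make for the websnatted and webdnatted rules.</p>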