[Shorewall-users] Re: New Firewall Problem

Randy Millis randy.millis@telusplanet.net
Sun, 21 Jul 2002 09:19:37 -0700 (PDT)


Resolved most of the issue.

ISP said there are weird issues with the "new"
205.206.xx.xx IP block.

Would still like to know about how to open the ports

--- Randy Millis <rmillis@yahoo.com> wrote:
> Ok, I am typing this all again as I lost my original
> message...:-(
> 
> I have a number of pieces of a mystery on my hands
> and hope someone can help me analyze all this and
> find a solution:
> 
> I just built a new shorewall firewall on a P120
> running RedHat 7.3, Kernel 2.4.18-5 with shorewall
> 1.3.4.
> 
> I can connect to our local library catalog from work
> great and can retrieve and send info to this Dynix
> Java based system (send is needed to place holds on
> material etc).
> 
> From home with my old shorewall firewall I was off
> and on able to send to it and never got time to look
> into it until now.
> 
> The old firewall was a 486 with RedHat 7.1, Kernel
> 2.4.9-34 running shorewall 1.2.8.
> 
> The FAQ for the library catalog says to "Ask your
> computer people to open firewall ports TCP/9090,
> TCP/5050 in addition to the regular port TCP/80 that
> will already be open so you can visit the Internet.
> 
> 
> The Catalogue is a software product which works from
> a specific port." How can I do this in shorewall and
> are there any risks doing so? Is this maybe why it
> worked sometimes and not others?
> 
> With the new firewall I can't even get to the site:
> 
> If I traceroute from work I get this and all works
> perfectly:
> 
> -cut-
> U:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1   <10 ms   <10 ms   <10 ms 
> locutus.enel.ucalgary.ca [136.159.102.1]
>   2   <10 ms   <10 ms   <10 ms  192.168.102.1
>   3   <10 ms   <10 ms   <10 ms  192.168.47.1
>   4   <10 ms   <10 ms   <10 ms  192.168.3.25
>   5   <10 ms   <10 ms   <10 ms 
> clgrabezdr01.bb.telus.com [205.233.111.65]
>   6   <10 ms   <10 ms    16 ms  192.168.10.43
>   7    63 ms   <10 ms    16 ms 
> www.calgarypubliclibrary.com [207.34.115.132]
> 
> Trace complete.
> -cut-
> 
> From home with the old firewall my trace mostly
> works and the site loads and the catalog works off
> and on two way (as noted above):
> 
> -cut-
> u:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1    21 ms     1 ms     1 ms  192.168.0.254
>   2    14 ms    13 ms     *    
> clgrab46ar02.ab.tac.net [209.115.152.19]
>   3    14 ms    13 ms    14 ms 
> clgrab01dr00.bb.telus.com [209.115.152.72]
>   4    14 ms    13 ms    14 ms 
> clgrabezdr01.bb.telus.com [208.38.16.129]
>   5     *        *        *     Request timed out.
>   6    24 ms    66 ms    38 ms 
> www.calgarypubliclibrary.com [207.34.115.132]
> 
> Trace complete.
> -cut-
> 
> With the new firewall my trace looks like this:
> 
> -cut-
> u:>tracert calgarypubliclibrary.com
> 
> Tracing route to calgarypubliclibrary.com
> [207.34.115.132]
> over a maximum of 30 hops:
> 
>   1    <1 ms    <1 ms    <1 ms  192.168.0.254
>   2    25 ms     *       12 ms 
> clgrab46ar02.ab.tac.net [209.115.152.19]
>   3    12 ms    13 ms    12 ms 
> clgrabezdr00.bb.telus.com [209.115.223.167]
>   4    13 ms    12 ms    13 ms 
> clgrabezdr01.bb.telus.com [208.38.16.129]
>   5    14 ms    14 ms    14 ms  192.168.10.43
>   6     *        *        *     Request timed out.
>   7     *        *        *     Request timed out.
>   8
> etc, etc, with the timeouts...
> 
> -cut-
> 
> With a browser I can not connect to the catalog or
> the site. Squid tells:
> 
> -cut-
> ERROR
> The requested URL could not be retrieved
> 
>
--------------------------------------------------------------------------------
> 
> While trying to retrieve the URL:
> http://calgarypubliclibrary.com/ 
> 
> The following error was encountered: 
> 
> Zero Sized Reply 
> Squid did not receive any data for this request. 
> 
>
--------------------------------------------------------------------------------
> -cut-
> 
> If I had norfc1918 turned on for eth0, my trace
> stopped at hop 4.
> 
> By accident I noticed if I telnet to
> calgarypubliclibrary.com I get a banner:
> 
> -cut-
> Raptor Firewall Secure Gateway.
> 
> Hostname:
> -cut-
> 
> One thing I just noticed is the old firewall gets an
> IP of 142.173.131.108 and the new box gets an IP of
> 205.206.96.221.
> 
> Well, hope someone can help me fix this.
> 
> 
> 
> 
> 
> =====
> Randy Millis 
> Calgary, Alberta 
> Canada 
> E-mail: randy.millis@telusplanet.net
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
> 


=====
Randy Millis 
Calgary, Alberta 
Canada 
E-mail: randy.millis@telusplanet.net

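For the question left open above (how to "open" TCP/9090 and TCP/5050 for the Dynix catalogue in Shorewall), here is an added example; it is not part of the original post and not taken from the Shorewall documentation. It assumes the Shorewall 1.3 sample zone names `loc` (LAN), `net` (Internet) and `fw` (the firewall box itself), and that Squid runs on the firewall box (the post shows a Squid error page but does not say where Squid runs). The catalogue's IP 207.34.115.132 is taken from the traceroutes in the post.

```text
# /etc/shorewall/policy  (added example, Shorewall 1.3 layout)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT            # with this default, nothing extra is needed for 9090/5050
fw        net    ACCEPT            # same for connections Squid makes from the firewall
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (Shorewall 1.3 column order:
#  ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST)
# Only needed when the loc->net or fw->net policy is NOT ACCEPT.
# These are outbound, client-initiated connections: nothing is opened from
# the Internet toward the firewall or the LAN, so the only exposure is the
# catalogue host itself; "net" alone (no address) would allow any host.
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
ACCEPT    loc      net:207.34.115.132   tcp     9090,5050   # browsers on the LAN going direct
ACCEPT    fw       net:207.34.115.132   tcp     9090,5050   # Squid on the firewall making the connection
```

After editing the files, run `shorewall restart` to load them. Two caveats a practitioner would check first: the catalogue FAQ is asking for outbound access from the client, not for an inbound port forward, so a rule with `net` as SOURCE is not what is wanted; and a "Zero Sized Reply" from Squid together with a traceroute that dies past the ISP's router points at reachability of the remote host (the ISP/IP-block problem mentioned at the top of the message) rather than at ports blocked on the local firewall, since port 80 would fail the same way regardless of 9090/5050.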