
425 new install 7.504 problems routing

Hi!

With all IDS on, I got many of these:

What rule is it?

2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="x" dstip="x" proto="6" length="41" tos="0x00" prec="0x00" ttl="126" srcport="41769" dstport="80" tcpflags="ACK"
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="x" dstip="x" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="42012" dstport="80" tcpflags="SYN"



thanks!
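An added example, not part of the original post: a small Python parser for the ulogd packetfilter lines quoted above that groups drops by fwrule and by whether the packet was being forwarded or delivered locally, and counts TCP drops with no SYN flag, which matter when routing is the suspicion. The sample lines and their IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the Astaro ulogd packetfilter format quoted in the
# post; the IP addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="41" tos="0x00" prec="0x00" ttl="126" srcport="41769" dstport="80" tcpflags="ACK"
2010:03:16-18:09:40 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth0" outitf="eth1" dstmac="00:1a:8c:f0:d5:c0" srcmac="00:13:21:78:b3:e1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="42012" dstport="80" tcpflags="SYN"
2010:03:16-18:09:41 astaro-ext1-1 ulogd[29574]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" srcip="198.51.100.9" dstip="203.0.113.1" proto="17" length="60" srcport="5353" dstport="5353"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: ')

def parse_line(line):
    """Parse one ulogd line into a dict; return None for anything else."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2), "daemon": m.group(3)}
    rec.update(KV_RE.findall(line[m.end():]))
    # netfilter reports both interfaces only for forwarded packets
    rec["chain"] = ("forward" if "initf" in rec and "outitf" in rec
                    else "input" if "initf" in rec else "output")
    return rec

def is_midstream_tcp(rec):
    """TCP packet dropped without SYN set: the firewall did not see the
    handshake, which usually points to asymmetric routing or expired state."""
    return rec.get("proto") == "6" and "SYN" not in rec.get("tcpflags", "")

def summarize_drops(text):
    """Count drops per (fwrule, chain, proto, dstport) plus midstream TCP drops."""
    counts, midstream = Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "drop":
            continue
        counts[(rec.get("fwrule"), rec["chain"], rec.get("proto"), rec.get("dstport"))] += 1
        midstream += is_midstream_tcp(rec)
    return counts, midstream

if __name__ == "__main__":
    counts, midstream = summarize_drops(SAMPLE_LOG)
    for (rule, chain, proto, port), n in counts.most_common():
        print(f"fwrule={rule} chain={chain} proto={proto} dstport={port}: {n} drops")
    print(f"TCP drops without SYN (possible asymmetric routing): {midstream}")
```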


  • So, your DMZ is populated solely with public IPs, masquerading is not set for it, you have a public IP for 'DMZ (Address)' that is different from the IP of the webserver and the netmask on the DMZ Interface is correct. If that's the case, then do you have a packet filter rule as follows?

    Internet -> HTTP -> DMZ (Network) : Allow


    I think the Astaro creates the necessary routing table entries, so I don't think you have to define anything.  You can check that in 'Support >> Advanced' 'Routes Table'.

    Normally, we put private addresses in the DMZ, create 'Additional Addresses' with the public IPs on the External interface and then DNAT incoming traffic from the public to the private IPs.  If you already have a lot of public IPs in your DMZ, I can understand how doing that might be too much to change.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks

    This rule is obviously there.
    It's a customer's system, so we cannot change the architecture there.
    I will check this when I am next there and disable the IPS. This was not possible the first time we migrated (no time), so we moved back to the old system (Novell SEC A V 6.3).