Johannes Graumann | 3 Jun 2012 11:15

4.5.3 and apt-cacher-ng on LXC-Host

Hello,

I am running a Debian testing box including shorewall 4.5.3. In the interest 
of service separation, the machine serves as the host to multiple LXC guests.

I have set up apt-cacher-ng on the host (listening on 3124) and added 
> ACCEPT          dmz             $FW             tcp     3124
to my rules file. I remain, however, unable to connect to that port from the 
guests in the dmz, and the syslog keeps showing
> Jun  3 09:57:43 h2030617 kernel: [2464058.563255]
> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0

I attach the status.txt as requested on shorewall.net. Please point out 
follies.

Sincerely, Joh
Attachment (status.txt.bz2): application/x-bzip, 6809 bytes
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
------------------------------------------------------------------------------

Paul Gear | 3 Jun 2012 11:55

Re: 4.5.3 and apt-cacher-ng on LXC-Host

On 03/06/12 19:15, Johannes Graumann wrote:
> ...
> I have setup apt-cacher-ng on the host (listening on 3124) and added 
>> ACCEPT          dmz             $FW             tcp     3124
                                                           ^^^^

> ...
>> Jun  3 09:57:43 h2030617 kernel: [2464058.563255]
>> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
>> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
>> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
>> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0
             ^^^^^^^^

Note the difference in ports: 3142 vs. 3124.  You need to make your
configuration match what's actually happening.

Paul
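
As an added example (not code from the thread or from Shorewall itself), a small Python checker that reads a Shorewall REJECT log entry plus the rules file columns and reports whether the rejected port has a matching ACCEPT rule, or only a digit-transposed near miss like the 3124/3142 one Paul spotted above. The log line and rules excerpt are constructed from the thread; the five-column ACTION SOURCE DEST PROTO DPORT layout and the `$FW` = `fw` zone mapping are assumptions.

```python
import re

# Constructed sample: the REJECT entry from the thread, joined onto one line
# (syslog wrapped it for display; the kernel emits it as one record).
LOG_LINE = ("Jun  3 09:57:43 h2030617 kernel: [2464058.563255] "
            "Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH "
            "SRC=10.10.10.100 DST=10.10.10.1 PROTO=TCP SPT=36124 DPT=3142 SYN")

# Constructed rules excerpt: the ACCEPT line exactly as posted, typo included.
RULES_TEXT = """#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT          dmz             $FW             tcp     3124
"""

def parse_reject(line):
    """Pull chain, disposition and the KEY=VALUE fields out of a Shorewall log line."""
    m = re.search(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):(?P<rest>.*)", line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    if "DPT" not in kv or "PROTO" not in kv:
        return None  # ICMP and other portless entries are out of scope here
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "proto": kv["PROTO"].lower(), "src": kv.get("SRC"),
            "dst": kv.get("DST"), "dport": int(kv["DPT"])}

def parse_rules(text):
    """Read ACTION SOURCE DEST PROTO DPORT columns; $FW is assumed to be zone 'fw'."""
    rules = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(cols) < 5:
            continue
        action, src, dst, proto, dport = cols[:5]
        chain = f"{src}2{dst}".replace("$FW", "fw")  # Shorewall chain naming: src2dst
        rules.append({"action": action.upper(), "chain": chain,
                      "proto": proto.lower(), "dport": int(dport)})
    return rules

def explain_reject(line, rules):
    """'accepted' if an ACCEPT rule covers the packet, 'near-miss' if one for the same
    chain/proto has a digit-permuted port (a likely typo), else 'no-rule'."""
    pkt = parse_reject(line)
    if pkt is None or pkt["disposition"] != "REJECT":
        return None
    same = [r for r in rules if r["action"] == "ACCEPT"
            and r["chain"] == pkt["chain"] and r["proto"] == pkt["proto"]]
    if any(r["dport"] == pkt["dport"] for r in same):
        return ("accepted", pkt["dport"])  # rule exists; check ordering or zone membership
    near = [r["dport"] for r in same
            if sorted(str(r["dport"])) == sorted(str(pkt["dport"]))]
    return ("near-miss", near[0]) if near else ("no-rule", pkt["dport"])

if __name__ == "__main__":
    print(explain_reject(LOG_LINE, parse_rules(RULES_TEXT)))  # ('near-miss', 3124)
```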

Johannes Graumann | 3 Jun 2012 12:19

Re: 4.5.3 and apt-cacher-ng on LXC-Host

Paul Gear wrote:

> On 03/06/12 19:15, Johannes Graumann wrote:
>> ...
>> I have setup apt-cacher-ng on the host (listening on 3124) and added
>>> ACCEPT          dmz             $FW             tcp     3124
>                                                            ^^^^
> 
>> ...
>>> Jun  3 09:57:43 h2030617 kernel: [2464058.563255]
>>> Shorewall:dmz2fw:REJECT:IN=br0.tun0 OUT= PHYSIN=vethYn3soH
>>> MAC=46:c9:96:d9:1c:49:00:ff:00:00:00:02:08:00 SRC=10.10.10.100
>>> DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43559 DF PROTO=TCP
>>> SPT=36124 DPT=3142 WINDOW=14600 RES=0x00 SYN URGP=0
>              ^^^^^^^^
> 
> Note the difference in ports: 3142 vs. 3124.  You need to make your

Thank you so much - my dyslexia strikes again. Sorry for the noise.

Joh
