On March 29, 2018 1:17 PM, Tom Eastep <teas...@shorewall.net> wrote:
> On 03/29/2018 11:59 AM, colony.three--- via Shorewall-users wrote:
> > I don't understand why my ping through IPSec VPN is being rejected?
> >
> > When I 'shorewall clear', it pings.
> >
> > [138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48
> > [138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
> > [138451.840340] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49
> > [138451.840413] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33142 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49 ]
> > [138453.080442] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=50
> > [138453.080539] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33370 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=50 ]
> > [138453.821013] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=51
> > [138453.821035] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33962 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=51 ]
> > [138454.832916] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=52
> > [138454.832981] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=34910 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=52 ]
> >
> > Current Shorewall.
> >
> > Ping(ACCEPT) $FW net icmp 3,echo-request
> > Ping(ACCEPT) $FW vpn icmp 3,echo-request
> > Ping(ACCEPT) net:192.168.1.0/24 $FW icmp 3,echo-request
> > Ping(ACCEPT) vpn $FW icmp 3,echo-request
>
> As always, when packets are rejected in the INPUT or OUTPUT chains, it
> indicates that the SOURCE or DEST addresses respectively are not in any
> defined zone. See Shorewall FAQ 17.
>
> The above rules are overkill. You simply need:
>
> Ping(ACCEPT) $FW net
> Ping(ACCEPT) $FW vpn
> Ping(ACCEPT) net:192.168.1.0/24 $FW
> Ping(ACCEPT) vpn $FW
>
> -Tom

I should have thought. But here's my zones file:

fw firewall
net ipv4
vpn ipsec

And interfaces:

- lo ignore
net eth0 routefilter,dhcp,tcpflags

And policy:

$FW all REJECT info(uid)
net all DROP info(uid)
vpn all DROP info(uid)
#local all REJECT info(uid)
all all REJECT info(uid)

Thanks, I'll make the corrections to my Ping macros.
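The FAQ 17 rule Tom cites (an INPUT-chain log entry means the SOURCE address is in no zone, an OUTPUT-chain entry means the DEST address is in no zone) can be applied mechanically to a Shorewall log. The following is an added example, not code from the thread or from the Shorewall project: it parses Shorewall-style netfilter log lines, applies that rule, and links each OUTPUT ICMP type 3 error back to the INPUT packet it answers by matching the embedded packet's SRC/DST/ID against earlier INPUT entries. The first two sample lines are the first INPUT/OUTPUT pair from the log above; the third line (a net-fw DROP from 203.0.113.9) is constructed to show an ordinary zone-to-zone entry that the rule leaves alone.

```python
import re
from collections import Counter

# Sample input: two lines copied from the log in this thread plus one
# constructed net-fw DROP line (documentation address 203.0.113.9).
SAMPLE_LOG = """\
[138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48
[138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
[138460.000000] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:00:00:01:08:00 SRC=203.0.113.9 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Default Shorewall log prefix is "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# An ICMP error line carries the offending packet in square brackets.
INNER_RE = re.compile(r"\[(SRC=.*?)\]")


def _fields(text):
    fields = {}
    for key, value in FIELD_RE.findall(text):
        fields.setdefault(key, value)  # ICMP lines carry ID= twice; keep the IP-header one
    return fields


def parse_line(line):
    """Return a dict for a Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = INNER_RE.search(rest)
    outer = _fields(INNER_RE.sub("", rest))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src": outer.get("SRC"),
        "dst": outer.get("DST"),
        "proto": outer.get("PROTO"),
        "ip_id": outer.get("ID"),
        "embedded": _fields(inner.group(1)) if inner else None,
    }


def unzoned_address(entry):
    """FAQ 17: INPUT entries point at the source, OUTPUT entries at the destination."""
    if entry["chain"] == "INPUT":
        return entry["src"]
    if entry["chain"] == "OUTPUT":
        return entry["dst"]
    return None


def analyse(log_text):
    """Return (Counter of addresses not in any zone, list of per-entry explanations)."""
    addresses = Counter()
    explanations = []
    seen_input = set()  # (src, dst, ip_id) of INPUT entries, to link ICMP errors back
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        addr = unzoned_address(entry)
        if addr is None:
            continue  # chain is zone-to-zone (e.g. net-fw): both ends are zoned
        addresses[addr] += 1
        if entry["chain"] == "INPUT":
            seen_input.add((entry["src"], entry["dst"], entry["ip_id"]))
            explanations.append(
                f"INPUT {entry['disposition']}: source {addr} is not in any defined zone")
            continue
        emb = entry["embedded"]
        key = (emb.get("SRC"), emb.get("DST"), emb.get("ID")) if emb else None
        if key in seen_input:
            explanations.append(
                f"OUTPUT {entry['disposition']}: ICMP error answering the rejected packet "
                f"from {emb['SRC']}; destination {addr} is not in any defined zone")
        else:
            explanations.append(
                f"OUTPUT {entry['disposition']}: destination {addr} is not in any defined zone")
    return addresses, explanations


if __name__ == "__main__":
    counts, notes = analyse(SAMPLE_LOG)
    for note in notes:
        print(note)
    print("addresses needing a zone:", dict(counts))
```

Feeding the full log excerpt above to analyse() yields 192.168.1.114 as the only address, ten times, which is the FAQ 17 conclusion: the INPUT rejects and the OUTPUT rejects are two views of the same unzoned host, the OUTPUT ones being the ICMP errors generated for the INPUT ones.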