-----Original Message----- From: Tom Eastep
Sent: Wednesday, March 18, 2020 7:03 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall settings for IPSec & openVPN

On 3/17/2020 11:24 PM, Andrey Andreev wrote:

Here is the output, no IPs in it to hide:

[root@server ~]# shorewall check -T
Checking using Shorewall 5.2.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking /etc/shorewall/tunnels...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

Was that output obtained with the failing SNAT line in the snat file?


[root@server ~]# shorewall version
5.2.2

In /etc/shorewall/snat  line#2:

SNAT(!9.9.9.9)  12.12.12.12/29 enp2s0

is hashed; Shorewall does not start with it.
I feel I am missing something. The documentation deals with old versions of the
Linux kernel, while Fedora is updated very often.
I will provide any other info that might be needed.
Thanks for your response.

I need to see the actual error message that you are getting (in context).

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________


As I have explained, Shorewall does not start with this line in snat unhashed. The error shown by 'systemctl shorewall status' after an unsuccessful Shorewall restart is something like: ".... cannot start, unrecognized record in /etc/shorewall/snat line #...". The record was even listed: SNAT(!==IP==). I am afraid to repeat this situation, as the connection may die and I would have to run to the site to fix it.

The IPsec tunnel is working, I presume; in the 'ipsec whack --status' connection list it shows:
  Total IPsec connections: loaded 1, active 1
The tunnel is not routed to the LAN IP range, however.

Andrey
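Tom is asking for the full compiler error in context, and Andrey is worried that re-enabling the snat line will cut the remote box off. The script below is an added example (not code from the Shorewall project or from either poster) of how to do both safely: stage the edit in a scratch copy of /etc/shorewall, run the compiler against that directory and keep every line it prints, and only then apply it with a time-limited restart that reverts on its own. It relies on two documented shorewall(8) forms, "shorewall check DIRECTORY" and "shorewall try DIRECTORY [timeout]"; the staging path, log file name, timeout value and the grep pattern are this example's own assumptions, and the snat line itself is only ever edited in the staging copy.

```shell
#!/bin/sh
# Stage a Shorewall configuration change without touching /etc/shorewall, capture the
# full "shorewall check" output for posting to the list, and apply the change with
# "shorewall try", which restores the previous firewall state on failure or when the
# timeout expires. Paths and the timeout are this example's assumptions.
set -u

# Copy the live configuration directory into a staging directory (created if needed).
stage_config() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && cp -a "$src"/. "$dst"/
}

# Run the compiler against the staging directory and save everything it prints.
# Returns shorewall's own exit status; the log is the "error message in context"
# that a list reply should quote verbatim.
check_config() {
    dir="$1"; log="$2"
    shorewall check "$dir" >"$log" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'check failed (exit %s); full output saved in %s\n' "$rc" "$log" >&2
        # Assumed pattern: surface the likely offending lines, but keep the whole log.
        grep -n -i -E 'error|invalid|unrecognized' "$log" >&2 || true
    fi
    return "$rc"
}

# Restart with the staged directory for a limited time only. Per shorewall(8), "try"
# restores the saved state if the restart fails, and, when a timeout is given, again
# after that many seconds, so a bad ruleset cannot lock the admin out for long.
apply_with_revert() {
    dir="$1"; timeout="${2:-60}"
    shorewall try "$dir" "$timeout"
}

main() {
    live="${1:-/etc/shorewall}"
    stage="${2:-/root/shorewall-staging}"   # assumed scratch location
    log="$stage/check.log"
    stage_config "$live" "$stage" || exit 1
    printf 'Edit %s/snat now, then press Enter to compile it.\n' "$stage"
    read _
    check_config "$stage" "$log" || exit 1
    apply_with_revert "$stage" 60
}

# Only run the interactive flow when invoked with arguments, e.g.:
#   sh stage-snat.sh /etc/shorewall /root/shorewall-staging
[ $# -eq 0 ] || main "$@"
```

If the timed restart behaves, copy the staged snat file over the live one and do a normal "shorewall restart"; if it does not, the log written by check_config is exactly what to paste into the reply, with the offending record and the line number the compiler reports.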
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users