On Thursday 26 September 2002 12:55 am, Tom Eastep wrote:
> > Sep 25 17:15:46 flg2 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> > MAC=00:a0:cc:60:3c:2d:00:4f:4e:09:27:4b:08:00 SRC=24.208.187.129
> > DST=<POPTOP IP> LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=36117 DF PROTO=47
> >
> > The "GRE: xmit failed from decaps_hdlc" bit is new, as is the Shorewall
> > hit -- I've never seen a PPTP client get caught in the packet filters
> > before.
> >
> > Both LEAF and the Poptop server have the following entries in
> > /etc/shorewall/rules:
> > ACCEPT net FW 47 -
> > ACCEPT net FW tcp 1723
> > ACCEPT FW net 47 -
> > ACCEPT FW net tcp 1723
> >
> > Where should I start diagnosing this?
>
> Find out why
>
> ACCEPT net FW 47 -
>
> doesn't give you an error since the firewall zone is 'fw' (not FW).
> Seriously: If eth0 is your internet interface then you CAN'T have an
> ACCEPT rule for net->fw for protocol 47 and still be seeing the Shorewall
> messages you show above...

Sorry for the laziness. On the Poptop server, the relevant block of rules is:

ACCEPT $FW net 47 -
ACCEPT $FW net tcp 1723
ACCEPT net $FW 47 -
ACCEPT net $FW tcp 1723

I'm not near the LEAF box, but if memory serves, the rules there use "fw" instead of "$FW".

The Windows-based PPTP clients have not reported any trouble connecting, and the logs don't show any sign of difficulty for anything other than this LEAF PPTP client.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
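
The check discussed in this thread, as an added example that is not part of either message and is not Shorewall code: it parses the quoted log line and tests whether a rules block contains an ACCEPT for the zone pair and protocol, flagging zone names that do not match a declared zone case-sensitively. The zone set, the `$FW` expansion, the `DST` placeholder address and all function names are assumptions made for illustration.

```python
import re

# Constructed from the log line and rules quoted in the thread; the DST address
# is a documentation placeholder because the thread redacts it.
LOG = ("Sep 25 17:15:46 flg2 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
       "MAC=00:a0:cc:60:3c:2d:00:4f:4e:09:27:4b:08:00 SRC=24.208.187.129 "
       "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=36117 DF PROTO=47")
RULES = """\
ACCEPT net FW 47 -
ACCEPT net FW tcp 1723
ACCEPT FW net 47 -
ACCEPT FW net tcp 1723
"""
ZONES = {"net", "fw"}      # assumption: declared zone names, case-sensitive
VARS = {"FW": "fw"}        # assumption: $FW expands to the firewall zone name

def parse_log(line):
    """Split a Shorewall kernel log line into chain, disposition and KEY=VALUE fields."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(3)))
    return {"chain": m.group(1), "disposition": m.group(2), **fields}

def resolve(zone):
    """Expand a $VAR zone reference; plain names are returned unchanged."""
    return VARS.get(zone[1:], zone) if zone.startswith("$") else zone

def check_rules(text, src_zone, dst_zone, proto):
    """Return (line numbers of matching ACCEPT rules, rules naming an undeclared zone)."""
    matches, unknown = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#")[0].split()
        if len(cols) < 4:
            continue
        action, src, dst, rule_proto = cols[0], resolve(cols[1]), resolve(cols[2]), cols[3]
        bad = [z for z in (src, dst) if z not in ZONES]
        if bad:
            unknown.append((n, bad))
        elif action == "ACCEPT" and (src, dst, rule_proto) == (src_zone, dst_zone, proto):
            matches.append(n)
    return matches, unknown

if __name__ == "__main__":
    print(parse_log(LOG))
    print(check_rules(RULES, "net", "fw", "47"))
```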
