Re: [Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
On 12/23/2017 4:52 PM, Colony.three via Shorewall-users wrote:

> I don't understand this:
>
> [184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
>
> ... when policy has:
>
> $FW     all     REJECT   info(uid)
> net     all     DROP     info(uid)
> vpn     all     DROP     info(uid)
> #local  all     REJECT   info(uid)
> all     all     REJECT   info(uid)
>
> ... and rules has:
>
> # VPN
> ACCEPT  vpn   $FW   udp   500,ipsec-nat-t   -
> ACCEPT  net   $FW   udp   500,ipsec-nat-t   -
>
> In interfaces I only have:
>
> -     lo     ignore
> net   eth0   tcpflags,nosmurfs,sourceroute=0
>
> ... with no vpn. Could this be the problem?
>
> And I don't understand why it is that in rules when I specify the port as isakmp (rather than 500), it gets blocked? Same reason, whatever it is?

Well, the dropped packets are destined from the 'net' zone to the 'fw' zone, so they should have been accepted by your second ACCEPT rule above. But as http://www.shorewall.org/support.htm#guidelines described, and as I have repeated hundreds of times on this list when you have a connection problem, I want to see the output of 'shorewall dump' collected as described in that article; together with the other information listed in that article.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net   \
[Shorewall-users] UDP Getting Blocked When Unblocked (StrongSwan)
I don't understand this:

[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712

... when policy has:

$FW     all     REJECT   info(uid)
net     all     DROP     info(uid)
vpn     all     DROP     info(uid)
#local  all     REJECT   info(uid)
all     all     REJECT   info(uid)

... and rules has:

# VPN
ACCEPT  vpn   $FW   udp   500,ipsec-nat-t   -
ACCEPT  net   $FW   udp   500,ipsec-nat-t   -

In interfaces I only have:

-     lo     ignore
net   eth0   tcpflags,nosmurfs,sourceroute=0

... with no vpn. Could this be the problem?

And I don't understand why it is that in rules when I specify the port as isakmp (rather than 500), it gets blocked? Same reason, whatever it is?

-- 
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
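The diagnostic step behind this thread (which zone pair, source and port are being dropped, and whether the rules file says those flows should be accepted) can be automated over the kernel log. The script below is an added example, not code from the thread or from the Shorewall project. It parses `Shorewall:ZONE-ZONE:DISPOSITION:` log lines of the shape quoted above, counts DROPs per flow, and cross-checks them against ACCEPT lines from a rules file; a hit means the loaded ruleset differs from the file, which is exactly what `shorewall dump` is asked for to confirm. Assumptions: the log chain name is `SRCZONE-DSTZONE` as in `net-fw`, `$FW` in the rules file names the `fw` zone, and the service-name table holds the standard IANA values for `isakmp` (500) and `ipsec-nat-t` (4500); the sample log and rules text are constructed from the lines in the post.

```python
"""Summarise Shorewall DROP log lines and cross-check them against ACCEPT rules.

Added example, not code from the thread or from the Shorewall project.
"""
import re
from collections import Counter

# Constructed sample shaped like the OP's dmesg lines: two IKE sources, one
# unrelated TCP SYN, and one non-Shorewall line the parser must skip.
SAMPLE_LOG = """\
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189800.000000] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=46918 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[189801.000000] kernel: unrelated line that the parser must skip
"""

# Constructed copy of the OP's rules entries: ACTION SOURCE DEST PROTO DPORT SPORT.
SAMPLE_RULES = """\
# VPN
ACCEPT  vpn  $FW  udp  500,ipsec-nat-t  -
ACCEPT  net  $FW  udp  500,ipsec-nat-t  -
"""

# Assumption: standard IANA service names, as /etc/services would resolve them.
SERVICES = {"isakmp": 500, "ipsec-nat-t": 4500}

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)$")


def parse_log_line(line):
    """Return a dict of the netfilter fields, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice: IP total length first, then the UDP/TCP length.
            if key == "LEN" and "LEN" in rec:
                key = "L4LEN"
            rec[key] = val
        else:
            rec[tok] = True  # valueless flags such as DF or SYN
    return rec


def zone_pair(chain):
    """'net-fw' -> ('net', 'fw'); other chain names are returned unsplit (assumption)."""
    parts = chain.split("-", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (chain, chain)


def port_number(name):
    return int(name) if name.isdigit() else SERVICES.get(name)


def parse_rules(text):
    """Return (action, src_zone, dst_zone, proto, {dports} or None) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, dports = line.split()[:5]
        dst = "fw" if dst == "$FW" else dst  # assumption: default firewall zone name
        ports = None if dports == "-" else {port_number(p) for p in dports.split(",")}
        rules.append((action, src, dst, proto.lower(), ports))
    return rules


def summarise_drops(log_text):
    """Count DROPs by (chain, source address, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["disposition"] == "DROP":
            counts[(rec["chain"], rec["SRC"], rec["PROTO"], int(rec["DPT"]))] += 1
    return counts


def drops_covered_by_accept(log_text, rules_text):
    """Dropped flows that an ACCEPT entry in the rules file appears to cover.

    Any hit means the running ruleset and the rules file disagree (for example
    the file was edited but never recompiled), which is what 'shorewall dump'
    is meant to settle.
    """
    rules = parse_rules(rules_text)
    hits = []
    for (chain, src, proto, dport), n in summarise_drops(log_text).items():
        src_zone, dst_zone = zone_pair(chain)
        for action, rsrc, rdst, rproto, ports in rules:
            if (action == "ACCEPT" and rsrc == src_zone and rdst == dst_zone
                    and rproto == proto.lower() and (ports is None or dport in ports)):
                hits.append((src, proto, dport, n))
                break
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarise_drops(SAMPLE_LOG).items()):
        print(n, key)
    for src, proto, dport, n in drops_covered_by_accept(SAMPLE_LOG, SAMPLE_RULES):
        print(f"{n} x {proto}/{dport} from {src} dropped despite an ACCEPT rule")
```

On the sample input the UDP/500 drops from both sources are reported as covered by the second ACCEPT rule, while the TCP/22 drop is not; the check is deliberately a file-versus-log comparison only and does not model policy ordering or interface-to-zone assignment, which is why the running state from `shorewall dump` remains the authoritative answer.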
[Shorewall-users] Shorewall 5.1.10 RC 2
Shorewall 5.1.10 RC 2 is now available for testing:

Problems Corrected since RC 1:

1) Most interface OPTIONS have always been ignored when the INTERFACE name is '+'. Beginning with this release, a warning is issued when an ignored option is specified with interface name '+'.

   Example:

       The 'sourceroute' option is ignored when used with interface name '+'

   In most cases, this issue can be worked around by a change similar to the following:

   Original:

       net  +    dhcp,routeback,sourceroute=0

   Change to:

       net  all  dhcp,physical=+,routeback,sourceroute=0

   As part of this change, interfaces that specify a wildcard physical interface name will generate a warning if any of the following options are specified:

       accept_ra
       arp_filter
       arp_ignore
       forward
       logmartians
       proxyarp
       proxyndp
       routefilter
       sourceroute

   When the warning is issued, the specified option is then ignored for the interface.

   Example:

       WARNING: The 'sourceroute' option is ignored when used with a wildcard physical name /etc/shorewall6.universal/interfaces (line 14)

Thank you for testing,
-Tom

-- 
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
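The warning described above can be reproduced ahead of an upgrade with a small lint pass over an interfaces file, so that wildcard entries carrying options that will be silently ignored are caught before the compile. The script below is an added example, not code from the announcement or from the Shorewall project. Assumptions: the file uses the ZONE INTERFACE OPTIONS layout shown in the announcement, a `physical=NAME` option overrides the INTERFACE column as the physical name, and a physical name that is `+` or ends in `+` is a wildcard; the option list is the one given in the announcement, and the sample file is constructed from its two example lines plus two ordinary interfaces.

```python
"""Flag interfaces-file options that are ignored on wildcard physical names.

Added example, not code from the announcement or from the Shorewall project.
"""

# The options named in the 5.1.10 RC 2 announcement as ignored on wildcards.
IGNORED_ON_WILDCARD = frozenset({
    "accept_ra", "arp_filter", "arp_ignore", "forward", "logmartians",
    "proxyarp", "proxyndp", "routefilter", "sourceroute",
})

# Constructed sample: the announcement's original line, its suggested rewrite,
# and two concrete interfaces that must not trigger anything.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   OPTIONS
net     +           dhcp,routeback,sourceroute=0
net     all         dhcp,physical=+,routeback,sourceroute=0
loc     eth1        dhcp,routefilter,logmartians=1
dmz     eth2        tcpflags,nosmurfs
"""


def split_options(field):
    """'dhcp,physical=+,sourceroute=0' -> {'dhcp': None, 'physical': '+', 'sourceroute': '0'}."""
    opts = {}
    if field in ("", "-"):
        return opts
    for item in field.split(","):
        name, sep, value = item.partition("=")
        opts[name] = value if sep else None
    return opts


def is_wildcard(physical):
    """Assumption: '+' alone or a trailing '+' marks a wildcard physical name."""
    return physical.endswith("+")


def lint_interfaces(text, path="interfaces"):
    """Return one warning string per option that would be ignored on a wildcard interface."""
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split(None, 2)
        interface = cols[1] if len(cols) > 1 else "-"
        options = split_options(cols[2]) if len(cols) > 2 else {}
        # physical= names the real device; otherwise the INTERFACE column is the device.
        physical = options.get("physical") or interface
        if not is_wildcard(physical):
            continue
        for name in sorted(options):
            if name in IGNORED_ON_WILDCARD:
                warnings.append(
                    f"WARNING: The '{name}' option is ignored when used with a "
                    f"wildcard physical name {path} (line {lineno})")
    return warnings


if __name__ == "__main__":
    for w in lint_interfaces(SAMPLE_INTERFACES, "/etc/shorewall/interfaces"):
        print(w)
```

Both the original `net +` line and the `physical=+` rewrite are flagged for `sourceroute`, matching the announcement's statement that the rewrite keeps the non-sysctl options working while the listed ones still cannot apply to a wildcard; the two concrete interfaces produce no warnings.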