Finally I got it working. I reinstalled the whole thing, configured shorewall and tried to make the connection. It worked!!! Then I continued to configure my server and after adding some tcrules and tcclasses the same thing happened. Does ip_mark have some problem with fragmented packets? Anyway, if anybody has this problem, try without traffic shaping.
--- Tom Eastep <[EMAIL PROTECTED]> wrote:
> Tom Eastep wrote:
> > renyi zsolt wrote:
> >> I already tried that and didn't work. I tried inserting rules before
> >> shorewall's rules to ACCEPT every connection from 80.96.3.4 to which I try
> >> to connect and I also tried SNAT-ing all traffic from the host I am
> >> connecting. I have an older firewall (firehol, I decided to change it to
> >> shorewall) and on that only udp dpt:2746 and udp:500 are nat-ed and it
> >> works on that. With shorewall no matter what I try the vpn gateway returns
> >> 2 fragmented udp packets which are Dropped somewhere.
> >>
> >> Here is a tcpdump output on my external interface:
> >> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
> >> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
> >>
> >
> > They are dropped because they are the 2nd and 3rd fragments of 3. The first
> > fragment (offset 0) is missing?
> >
>
> One thing you might try -- rename the ipt_policy.so file in the iptables lib
> directory (usually in /lib/iptables/) and restart Shorewall. There are known
> problems with policy match and bridges but I hadn't heard of any of those
> problems relating to fragments.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
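Tom's reasoning above (fragments at offset 1480 and 2960 are seen, the offset-0 fragment never is, so the datagram can never be reassembled and the later fragments are dropped) can be checked mechanically from a capture. The script below is an added example, not code from the thread or from Shorewall: it parses tcpdump's verbose IP header summary, groups fragments by IP id and reports the byte ranges of the original datagram that never arrived. It assumes a 20-byte IP header (no options) and the field layout tcpdump printed in the thread; the sample capture is constructed from the two quoted lines.

```python
import re

# Constructed sample: the two tcpdump lines quoted in the thread (hosts already
# anonymised as yyy/xxx by the poster); the offset-0 fragment never appears.
SAMPLE = """\
17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx: udp
"""

# Matches the verbose (-v) tcpdump IP header summary used in the thread.
LINE_RE = re.compile(
    r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto: \w+ \(\d+\), length: (\d+)"
)
IP_HEADER_LEN = 20  # assumption: no IP options, so payload = total length - 20


def parse_fragments(text):
    """Group lines by IP id -> list of (offset, payload_bytes, more_fragments)."""
    by_id = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IP line in the expected format
        ip_id, offset, flags, total_len = m.groups()
        more = "+" in flags.split(", ")  # tcpdump prints the MF flag as "+"
        payload = int(total_len) - IP_HEADER_LEN
        by_id.setdefault(int(ip_id), []).append((int(offset), payload, more))
    return by_id


def missing_ranges(fragments):
    """Byte ranges of the original datagram not covered by the seen fragments.

    Returns a list of (start, end); end is None when the final fragment (MF
    clear) was never seen, so the datagram's total size is unknown.
    """
    gaps, expected = [], 0
    ordered = sorted(fragments)
    for offset, payload, more in ordered:
        if offset > expected:
            gaps.append((expected, offset))
        expected = max(expected, offset + payload)
    if ordered and ordered[-1][2]:
        gaps.append((expected, None))
    return gaps


if __name__ == "__main__":
    for ip_id, frags in parse_fragments(SAMPLE).items():
        print(f"id {ip_id}: {len(frags)} fragment(s) seen, gaps: {missing_ranges(frags)}")
```

On the thread's capture this reports a single gap (0, 1480): the first fragment, without which the kernel's reassembly queue can never complete and the rest of the chain is discarded.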
