Hi,

I tested an HTTP connection through the IPsec tunnel and always get the same error:

wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1

with always PROTO=4 !!!!!! It's in this case an HTTP connection and thus PROTO=6, but there is nothing with PROTO=6 in the error message. ICMP is thus necessary to establish a flow through an IPsec tunnel!?

I want to add

iptables -A INPUT -p ! icmp -m state --state INVALID -j DROP

also for the OUTPUT and FORWARD chains, but shorewall does not take into account manual changes made with the iptables command.

Thanks
VUILLET Damien

----- Original Message -----
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Friday, December 22, 2006 4:49 PM
Subject: Re: [Shorewall-users] shorewall + ipsec openswan

> lpa du morvan wrote:
> > Hi Tom
> >
> > Thanks for your help
> >
> >>> Or something....
> >
> > I want to add : "DROP !icmp" in the chains INPUT, FORWARD and OUTPUT
> > In which shorewall file do I then add this policy?
> >
>
> See the documentation about "Default Actions"
> (http://www.shorewall.net/Actions.html#Default).
>
> The standard 'Drop' action accepts the ICMP types that are important for correct
> operation. If you want to accept all ICMP types, you can create your own version
> of action.Drop in /etc/shorewall/ that does what you want. Then you can simply
> use DROP policies.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
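Added example, not code from the mailing list or from the Shorewall project: a small Python parser for the netfilter LOG line format quoted above (Shorewall's "chain:disposition:" prefix followed by the kernel's KEY=VALUE fields). It decodes the PROTO field against IANA protocol numbers (4 is IP-in-IP encapsulation, 6 is TCP, 1 is ICMP; the kernel prints a name for protocols it dissects and the bare number for the rest) and tells tunnel or IPsec control packets apart from the inner flow. The sample log lines and the short protocol table are constructed for this example.

```python
import re
from typing import Dict, Tuple

# IANA protocol numbers relevant when a tunnel is involved (constructed short table, not the full registry).
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T, carried over UDP

# Shorewall's log prefix '<chain>:<disposition>:' precedes the kernel's
# KEY=VALUE fields, e.g. 'wan2all:DROP:IN=eth5 OUT= SRC=... PROTO=4'.
SHOREWALL_PREFIX = re.compile(r"(?P<chain>[\w-]+):(?P<disp>[A-Z]+):")
NETFILTER_TOKEN = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")

def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Return the fields of one netfilter LOG line as a dict. Unset fields
    keep an empty value (OUT= means the packet was addressed to the firewall
    itself); bare flags such as DF carry no '=' and are skipped."""
    fields: Dict[str, str] = {}
    prefix = SHOREWALL_PREFIX.search(line)
    if prefix:
        fields["CHAIN"], fields["DISPOSITION"] = prefix.group("chain", "disp")
    for tok in NETFILTER_TOKEN.finditer(line):
        fields[tok.group("key")] = tok.group("val")
    return fields

def decode_proto(value: str) -> str:
    """The kernel logs a name (PROTO=TCP, PROTO=ICMP) for protocols it can
    dissect and the bare IANA number (PROTO=4) for the rest; normalise both."""
    if value.isdigit():
        return PROTO_NAMES.get(int(value), f"proto-{int(value)}")
    return value.upper()

def is_tunnel_traffic(fields: Dict[str, str]) -> bool:
    """True when the logged packet is tunnel or IPsec control traffic
    (IP-in-IP, ESP, AH, or IKE/NAT-T on UDP 500/4500), i.e. the outer
    encapsulation rather than the inner HTTP or ICMP flow."""
    proto = decode_proto(fields.get("PROTO", ""))
    if proto in {"IPIP", "ESP", "AH"}:
        return True
    return proto == "UDP" and fields.get("DPT") in IKE_PORTS

def classify(line: str) -> Tuple[str, str, bool]:
    """(disposition, protocol name, tunnel?) for one log line."""
    f = parse_netfilter_log(line)
    return f.get("DISPOSITION", "?"), decode_proto(f.get("PROTO", "")), is_tunnel_traffic(f)

# Constructed sample lines in the same format as the one quoted in the mail.
SAMPLE_LINES = [
    "Dec 22 16:49:00 fw kernel: wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 LEN=84 TTL=64 PROTO=4",
    "Dec 22 16:49:01 fw kernel: wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=80",
]
```

Running classify() over the two samples distinguishes the dropped outer encapsulation (PROTO=4, a tunnel packet) from a dropped inner TCP/80 packet, which is the first thing to check before touching ICMP handling.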
