Scott Ruckh wrote:
> This is what you said Tom Eastep
>> Tom Eastep wrote:
>>> Scott Ruckh wrote:
>>>> This is what you said Tom Eastep
>>>>> Scott Ruckh wrote:
>>>>>> If a full shorewall report is needed, please let me know
>>>>> A full report is needed if you would like me to look at your problem.
>>>>>
>>>>> -Tom
>>>>> --
>>>> Ok, thanks. Attached is compressed output from a shorewall dump
>>>> (unmodified).
>>>>
>>>> I believe the details from the original message explain the problem. A
>>>> VPN client (openvpn), appears to have difficulty talking to devices on
>>>> the openvpn subnet including DNS queries.
>> Also, this dump was captured when there was no VPN client even connected.
>> So when we see the 'all2all' message, we will still be guessing about what
>> the actual IP configuration on your firewall is at the time of these failures.
>>
> Attached is a new dump file while VPN client was connected. The VPN
> client attempted to resolve name from server connected to protected LAN
> and ping 172.16.99.1.

I don't know why you are surprised about the pings -- you aren't allowing
ping from road->fw. And if I'm reading your log database correctly, you
haven't had a DNS packet logged from 172.16.99.10 since 6/23 but you had one
accepted since the first dump according to the contents of the road2fw chain
in the dump:

Chain road2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   88  8018 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    67 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

The packet counter in the first dump was zero.
Are you *sure* that you're still having a DNS problem?
-Tom
PS -- and the last dump still doesn't show any VPN client being connected -
the only tun interface shown in the dump is tun0.
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
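
Added example, not part of the original message or of Shorewall: the comparison described above, diffing per-rule packet counters in the road2fw chain between two dumps. The first dump is constructed (the message only states that its DNS counter was zero), and the function names are hypothetical.

```python
import re

# One rule line of `iptables -L -v -n` output: pkts, bytes, target, then the match text.
RULE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")
UNITS = {"K": 1000, "M": 1000**2, "G": 1000**3}  # iptables abbreviates large counters

def to_int(s):
    return int(s[:-1]) * UNITS[s[-1]] if s[-1] in UNITS else int(s)

def parse_counters(dump):
    """Map (chain, target + normalized match text) -> packet count."""
    counters, chain = {}, None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE.match(line)  # the "pkts bytes target ..." header does not match
        if chain and m:
            pkts, _bytes, target, rest = m.groups()
            key = (chain, target + " " + " ".join(rest.split()))
            counters[key] = counters.get(key, 0) + to_int(pkts)  # identical rules are summed
    return counters

def counter_deltas(before, after, chain):
    """Packets each rule in `chain` matched between the two dumps."""
    old, new = parse_counters(before), parse_counters(after)
    return {k[1]: new[k] - old.get(k, 0) for k in new if k[0] == chain}

# Constructed: only the zero DNS counter is stated in the message; 40/3600 is made up.
FIRST_DUMP = """\
Chain road2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  3600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
"""
# Counters as quoted in the message from the second dump.
SECOND_DUMP = """\
Chain road2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   88  8018 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    67 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
"""

if __name__ == "__main__":
    for rule, delta in counter_deltas(FIRST_DUMP, SECOND_DUMP, "road2fw").items():
        print(f"{delta:+d}  {rule}")
```

A positive delta on the `udp dpt:53` rule means a DNS packet from the road zone was accepted between the two captures. Abbreviated counters (K/M/G) hide small changes, so exact counters from `iptables -L -v -n -x` give more reliable deltas.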
