This is what you said Tom Eastep
> Scott Ruckh wrote:
>> This is what you said Tom Eastep
>>> Tom Eastep wrote:
>>>> Scott Ruckh wrote:
>>>>> This is what you said Tom Eastep
>>>>>> Scott Ruckh wrote:
>>>>>>> If a full shorewall report is needed, please let me know
>>>>>> A full report is needed if you would like me to look at your
>>>>>> problem.
>>>>>>
>>>>>> -Tom
>>>>>> --
>>>>> Ok, thanks. Attached is compressed output from a shorewall dump
>>>>> (unmodified).
>>>>>
>>>>> I believe the details from the original message explain the problem.
>>>>> A VPN client (openvpn) appears to have difficulty talking to devices
>>>>> on the openvpn subnet, including DNS queries.
>>> Also, this dump was captured when there was no VPN client even
>>> connected. So when we see the 'all2all' message, we will still be
>>> guessing about what the actual IP configuration on your firewall is
>>> at the time of these failures.
>>>
>> Attached is a new dump file while the VPN client was connected. The VPN
>> client attempted to resolve a name from a server connected to the protected LAN
>> and ping 172.16.99.1.
>
> I don't know why you are surprised about the pings -- you aren't allowing
> ping from road->fw.
Yep, my mistake here. Shorewall just doing its job!!

> And if I'm reading your log database correctly, you
> haven't had a DNS packet logged from 172.16.99.10 since 6/23 but you had
> one accepted since the first dump according to the contents of the road2fw
> chain

Yeah, I noticed the ACCEPTED DNS packet in the dump, which I found odd because the DNS still returned "no such host". Now that I see the ACCEPTED DNS packet from the shorewall dump I am beginning to question my DNS configuration. Possibly I have an ACL in place from that network???

> The packet counter in the first dump was zero.
>
> Are you *sure* that you're still having a DNS problem?

I am definitely having a DNS problem. Whether it is a DNS problem because of shorewall is very questionable. You are correct that the DNS problem did not show up in the most current logs (from the latest test) and the logs only contain DNS entries from previous tests.

> PS -- and the last dump still doesn't show any VPN client being connected
> the only tun interface shown in the dump is tun0.

The VPN client was definitely connected. I produced the dump file by SSH'ing to the firewall while connected via VPN. In the dump you can see the ACCEPT SSH in the road2fw section. This, I assume, was from my SSH session.

Thanks.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
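The diagnostic Tom applies in the exchange above is to read the per-rule packet counters of the road2fw chain in the dump: an ACCEPT rule with a non-zero counter means the firewall let that traffic through (so a DNS failure lies elsewhere), a zero counter means the rule has never matched, and traffic with no explicit rule falls through to the all2all policy chain, which is why the pings were refused. The script below is an added example, not code from the thread or from Shorewall: it parses one chain in the layout that `iptables -L -v -n` prints (the form in which chains appear in a `shorewall dump`) and gives that verdict for a list of services. The chain contents are constructed for the example; the chain and target names road2fw and all2all follow the thread. Its first-match logic considers only protocol and destination port and ignores interface, address and conntrack-state qualifiers, which is an assumption that makes it an approximation of what iptables actually does.

```python
import re

# Constructed sample of one chain in the layout `iptables -L -v -n` prints
# (a `shorewall dump` includes such listings). Rules and counters are made up
# for this example; they are not the dump discussed in the thread.
SAMPLE_CHAIN = """\
Chain road2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    71 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   26  2104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   14  1176 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# One rule line: counters, target, protocol, opt flags, in/out interfaces,
# source, destination, then whatever match text follows (e.g. "udp dpt:53").
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)


def parse_chain(text):
    """Parse one chain listing into (chain_name, list_of_rules).

    Each rule is a dict with integer 'pkts'/'bytes' counters and an integer
    'dport' taken from a 'dpt:N' match, or None when the rule has no port.
    """
    lines = text.strip().splitlines()
    chain = lines[0].split()[1]          # "Chain road2fw (1 references)"
    rules = []
    for line in lines[1:]:               # the column header fails RULE_RE and is skipped
        m = RULE_RE.match(line)
        if m is None:
            continue
        rule = m.groupdict()
        rule["pkts"] = int(rule["pkts"])
        rule["bytes"] = int(rule["bytes"])
        port = re.search(r"\bdpt:(\d+)", rule["match"])
        rule["dport"] = int(port.group(1)) if port else None
        rules.append(rule)
    return chain, rules


def rule_matches(rule, proto, dport=None):
    """First-match approximation: protocol and destination port only.

    Assumption for this example: interface, address and conntrack-state
    qualifiers are ignored, so a real chain may be more selective.
    """
    if rule["prot"] not in ("all", proto):
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def first_match(rules, proto, dport=None):
    """Return the first rule a proto/dport packet would hit, or None."""
    for rule in rules:
        if rule_matches(rule, proto, dport):
            return rule
    return None


def diagnose(text, services):
    """Map each (label, proto, dport) to a one-line verdict for the chain.

    A non-ACCEPT target means the traffic falls through to that chain (in
    Shorewall, 'all2all' is the policy chain, so the traffic is handled by
    policy, typically logged and dropped or rejected, rather than accepted
    by a rule). A zero counter on an ACCEPT rule means the rule exists but
    nothing has hit it since the counters were last reset.
    """
    chain, rules = parse_chain(text)
    verdicts = {}
    for label, proto, dport in services:
        rule = first_match(rules, proto, dport)
        if rule is None:
            verdicts[label] = f"{chain}: no rule matches, chain policy applies"
        elif rule["target"] != "ACCEPT":
            verdicts[label] = f"{chain}: falls through to {rule['target']} ({rule['pkts']} pkts)"
        elif rule["pkts"] == 0:
            verdicts[label] = f"{chain}: ACCEPT rule present but never hit"
        else:
            verdicts[label] = f"{chain}: ACCEPT, {rule['pkts']} pkts counted"
    return verdicts


if __name__ == "__main__":
    checks = [("dns/udp", "udp", 53), ("dns/tcp", "tcp", 53),
              ("ssh", "tcp", 22), ("ping", "icmp", None)]
    for label, verdict in diagnose(SAMPLE_CHAIN, checks).items():
        print(f"{label:8} {verdict}")
```

Run against the constructed chain, UDP DNS and SSH report ACCEPT with hits, TCP DNS reports an ACCEPT rule that has never matched, and ping reports a fall-through to all2all, which is the situation the thread describes for road->fw. To use it on a real dump, paste the road2fw section (from its "Chain" header to the last rule) in place of SAMPLE_CHAIN; counters in a dump are cumulative, so compare two dumps taken before and after a test to see which rule a specific attempt hit.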
