Miguel wrote:
/etc/shorewall/policy

###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#                   LEVEL
$FW     net    ACCEPT
mgmnt   all    ACCEPT
mpls    all    ACCEPT
net     all    DROP   info
all     all    REJECT info
#LAST LINE -- DO NOT REMOVE

I can ping to the outside, so vlan179 is working fine:

PING www.yahoo-ht3.akadns.net (69.147.114.210) 56(84) bytes of data.
64 bytes from f1.www.vip.re3.yahoo.com (69.147.114.210): icmp_seq=1 ttl=54 time=57.3 ms

If I try to ping the vlan152 or eth1 subnet, I get this error:

From 10.2.64.206 icmp_seq=1 Destination Host Unreachable
From 10.215.0.1 icmp_seq=1 Destination Host Unreachable

and in /var/log/messages:

Feb 11 15:25:21 cacti kernel: [ 1399.457252] Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.2.64.206 DST=10.2.64.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35998 DPT=161 LEN=50

If I run shorewall clear, I can reach all subnets. Any hints?
Your $FW -> mgmnt and $FW -> mpls policies default to the all -> all policy of REJECT. Since you have no specific rules allowing connections from the firewall to those zones, those connections are being rejected.
This follows basic Shorewall principles and has nothing to do with VLANs.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
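To make the lookup Tom describes concrete, here is an added Python script (not from the thread and not Shorewall's own code) that parses the policy file from the post and replays Shorewall's first-match policy lookup, where "all" matches any zone including the firewall. It also shows the same lookup against a constructed variant with explicit $FW -> mgmnt and $FW -> mpls entries, and assumes the firewall zone is named "fw" when it derives the chain name that appears in the log prefix.

```python
# Replays Shorewall's first-match policy lookup for the policy file in the post:
# the first entry whose SOURCE and DEST match wins, and 'all' matches any zone.
POLICY_AS_POSTED = """\
#SOURCE DEST   POLICY LOG
$FW     net    ACCEPT
mgmnt   all    ACCEPT
mpls    all    ACCEPT
net     all    DROP   info
all     all    REJECT info
"""
# Same file with explicit firewall->zone entries ahead of the catch-all
# (constructed for this example, not taken from the thread).
_lines = POLICY_AS_POSTED.splitlines()
POLICY_WITH_FIX = "\n".join(
    _lines[:-1] + ["$FW mgmnt ACCEPT", "$FW mpls ACCEPT", _lines[-1]])

def parse_policy(text):
    """Return (source, dest, policy, log_level) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        level = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2].upper(), level))
    return entries

def lookup(entries, src, dst):
    """First entry whose SOURCE/DEST match src -> dst ('all' is a wildcard)."""
    for entry in entries:
        if entry[0] in ("all", src) and entry[1] in ("all", dst):
            return entry
    return None  # Shorewall reports an error for a zone pair with no policy

def chain_name(entry, fw="fw"):
    """Policy chain name seen in the log prefix (e.g. all2all); assumes $FW is 'fw'."""
    return "%s2%s" % (entry[0].replace("$FW", fw), entry[1].replace("$FW", fw))

def explain(text, src, dst):
    """(policy, chain) that governs src -> dst under the given policy file."""
    entry = lookup(parse_policy(text), src, dst)
    return entry[2], chain_name(entry)

if __name__ == "__main__":
    for pair in [("$FW", "net"), ("$FW", "mgmnt"), ("$FW", "mpls")]:
        print(pair, "as posted:", explain(POLICY_AS_POSTED, *pair),
              "with fix:", explain(POLICY_WITH_FIX, *pair))
```

Run as posted, $FW -> mgmnt and $FW -> mpls both resolve to the all/all REJECT entry, which is exactly the all2all chain in the logged line.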
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
