I did as you suggested and upgraded to the latest version in the repository linked from the download page.

shorewall, shorewall-core, shorewall-init: 4.5.5.3-1~bpo60+1

After upgrading I modified the 'rtrules' file to:

#SOURCE    DEST    PROVIDER    PRIORITY
lo         -       iPredator   11999

as there was an error with leaving both "SOURCE" and "DESTINATION" set to "-", despite the example I lifted it from.

1) I am able to apply the firewall configuration before connecting to OpenVPN, with the normal error:
   "WARNING: Interface tun0 is not usable -- Provider iPredator (2) not Started"
2) I am then able to connect to OpenVPN normally.
3) I can then re-apply the firewall configuration without error / warning.
4) I attempt to ping to verify my connection and all such packets are dropped.
5) I then disconnect from OpenVPN and I get the error "connect: Network is unreachable" when attempting to ping / reconnect to OpenVPN.
6) I then re-apply my firewall configuration.
7) Pings function normally and I can reconnect to OpenVPN (which functions normally).

So, similar behavior before the upgrade, but I can no longer use the OpenVPN connection when the firewall is "fully applied".

Attached please find a new dump, taken directly after step 5, as above.

On 1/4/13, Tom Eastep <[email protected]> wrote:
> On 01/04/2013 09:23 AM, f q wrote:
>> I installed and configured shorewall-init (PRODUCTS="shorewall",
>> IFUPDOWN=1, etc), in the "stable" repository (4.4.11.6-1). This had
>> no effect on the process previously described. I assume a more recent
>> version of shorewall / shorewall-init would help going forward.
>>
>> I'll be pursuing that, on another OS, as soon as I can get it up and
>> running.
>>
>> On 1/3/13, Tom Eastep <[email protected]> wrote:
>>> On 01/03/2013 12:51 PM, f q wrote:
>>>> "If you used 'balance' for tun0 and 'fallback' for eth0, that wouldn't
>>>> happen. Note that you must also set 'routefilter=0' on both interfaces
>>>> in /etc/shorewall/interfaces, if you chose to take that approach."
>>>>
>>>> #providers
>>>>
>>>> #NAME       NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
>>>> loc         1       1     -          eth0       192.168.0.1  track,fallback=1
>>>> iPredator   2       2     -          tun0       -            track,balance=2
>>>>
>>>> #interfaces
>>>>
>>>> #ZONE  INTERFACE  BROADCAST  OPTIONS
>>>> net    eth0       detect     dhcp,tcpflags,nosmurfs,routefilter=0,logmartians,required
>>>> vpn    tun0       detect     optional,routefilter=0
>>>>
>>>> I completed the above steps, which caused some odd behavior:
>>>>
>>>> 1) When already connected to OpenVPN, the VPN functioned as expected
>>>> 2) When disconnecting from the VPN, traffic was routed through eth0
>>>> through my default connection (seemingly ignoring all the work with
>>>> providers / tcrules / etc)
>>>> 3) When reconnecting to the OpenVPN my traffic continued through my
>>>> default connection, ignoring the VPN entirely!
>>>> 4) Disconnecting from the VPN, applying the firewall and reconnecting
>>>> now allows no traffic to exit my firewall at all!
>>>> 5) Disconnecting from the VPN when in state (4), will allow traffic,
>>>> but then only through my default connection.
>>>>
>>>> Reverting to previous, semi-working configuration.
>>>
>>> You'll never get any of this to work right until you install
>>> shorewall-init. But 4.5.11.6 Shorewall-init is pretty broken...
>
> Roberto Sanchez maintains a Squeeze repo that has Shorewall 4.5.5.x (the
> version going into Wheezy). It is linked from the Shorewall Download page.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
shorewall_dump.01.04.13.txt.gz
Description: GNU Zip compressed data
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
