Apologies. I test my connections by doing a "ping 8.8.8.8" (Google DNS), so:

source IP -> 192.168.0.38 (my VPN would be down at this point, after step 7)
dest IP -> 8.8.8.8
protocol -> ICMP
port -> NA

I attempt to start a ping with the OpenVPN up (step 6) to verify that
they're going through the VPN (a rough test that saves me from having
to run 'traceroute' to verify the path explicitly; the ping times
through the VPN and through my local connection differ by hundreds of
milliseconds). Then I disconnect the VPN and monitor the behavior of
the ping. If it times out, the shorewall setup is working as expected
(no traffic traversing my local connection "in the clear"); if instead
it reverts to traversing my local connection (checked via the ping
times as above), then I know it's not working as I hoped it would.


On 1/5/13, Tom Eastep <[email protected]> wrote:
> On 01/05/2013 02:40 PM, f q wrote:
>> Also, I think you want USE_DEFAULT_RT=Yes. I don't see how
>> USE_DEFAULT_RT=No can possibly work here, since you have to be able to
>> route between the interfaces and both are provider interfaces.
>>
>> 1) I made the changes as you requested, and set "USE_DEFAULT_RT=Yes",
>> in /etc/shorewall/shorewall.conf.
>> 2) I issued a /sbin/shorewall restart to re-read the configuration
>> file (I'm not sure this is entirely required, but I wanted to be sure
>> the new changes were being reflected in the current running
>> configuration)
>> 3) Applied the configuration for the firewall, normal warnings:
>> Adding Providers...
>>    WARNING: Interface tun0 is not usable -- Provider iPredator (2) not
>> Started
>>    WARNING: No Default route added (all 'balance' providers are down)
>>    NOTICE: Default route restored
>> 4) Connected to OpenVPN
>> 5) Attempted to re-apply the firewall configuration, as before (no
>> errors)
>> 6) Attempted pings to verify connection (they traversed the VPN
>> correctly)
>> 7) Disconnected from the VPN, traffic then traversed my default
>> connection incorrectly.
>
> Come on -- you have to be specific. Exactly what connection did you
> attempt that worked when you didn't believe that it should? Give the
> source IP address, the destination IP address, protocol and port (if
> appropriate).
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
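The ping-and-disconnect check described in this thread, scripted as an added example (not code from the thread, from Tom, or from the Shorewall project). It assumes a Linux host with iproute2 and ping, keeps the thread's test target 8.8.8.8 and provider interface tun0, and instead of eyeballing round-trip differences asks the kernel which device the route to the target uses before and after the VPN goes down; the function names (route_dev, ping_loss, leak_verdict, live_check) and the sample command outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a scripted version of
# "ping through the VPN, drop the VPN, see whether the ping dies".
# Function names and the sample outputs below are constructed.

TEST_HOST=8.8.8.8      # same test target as in the thread
VPN_DEV=tun0           # the provider interface shorewall is told about

# route_dev: print the outgoing device from one line of `ip route get` output.
# e.g. "8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 1000" -> "tun0"
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# ping_loss: print the packet-loss percentage from ping's statistics block.
# e.g. "4 packets transmitted, 0 received, 100% packet loss, time 3070ms" -> "100"
ping_loss() {
    printf '%s\n' "$1" |
        awk '/packet loss/ { for (i = 1; i <= NF; i++)
                               if ($i ~ /%$/) { sub(/%/, "", $i); print $i; exit } }'
}

# leak_verdict DEV_BEFORE DEV_AFTER LOSS_AFTER
#   DEV_BEFORE: device the route used while the VPN was up
#   DEV_AFTER:  device the route uses once the VPN is down ("" if no route)
#   LOSS_AFTER: packet-loss percentage of the ping run after disconnecting
# Prints one of: vpn-not-used, blocked, leak, vpn-still-up
leak_verdict() {
    before=$1; after=$2; loss=$3
    if [ "$before" != "$VPN_DEV" ]; then
        echo vpn-not-used    # test is meaningless: traffic never used the tunnel
    elif [ "$loss" -eq 100 ]; then
        echo blocked         # what the firewall is meant to do: nothing goes out in the clear
    elif [ "$after" != "$VPN_DEV" ]; then
        echo leak            # replies came back over a non-VPN interface
    else
        echo vpn-still-up    # tunnel is apparently still the route; disconnect first
    fi
}

# live_check: run the real thing. Bring the VPN down when prompted.
live_check() {
    before=$(route_dev "$(ip route get "$TEST_HOST" 2>/dev/null || true)")
    printf 'VPN up: route via "%s". Disconnect the VPN, then press Enter: ' "$before"
    read -r _
    after=$(route_dev "$(ip route get "$TEST_HOST" 2>/dev/null || true)")
    loss=$(ping_loss "$(ping -c 4 -W 2 "$TEST_HOST" 2>/dev/null || true)")
    # ping prints no statistics when there is no route at all; treat that as 100% loss
    leak_verdict "$before" "$after" "${loss:-100}"
}

# Constructed sample outputs standing in for `ip route get` and `ping`
# (192.168.0.38 is the source address from the thread; the rest is made up).
SAMPLE_ROUTE_UP='8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 1000'
SAMPLE_ROUTE_DOWN='8.8.8.8 via 192.168.0.1 dev eth0 src 192.168.0.38 uid 1000'
SAMPLE_PING_LEAK='--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 11.2/12.0/13.1/0.7 ms'
SAMPLE_PING_BLOCKED='--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3070ms'

# demo: evaluate both outcomes against the constructed samples
demo() {
    before=$(route_dev "$SAMPLE_ROUTE_UP")
    after=$(route_dev "$SAMPLE_ROUTE_DOWN")
    echo "kill switch holding:  $(leak_verdict "$before" "$after" "$(ping_loss "$SAMPLE_PING_BLOCKED")")"
    echo "traffic in the clear: $(leak_verdict "$before" "$after" "$(ping_loss "$SAMPLE_PING_LEAK")")"
}

if [ "${1:-}" = "--live" ]; then live_check; else demo; fi
```

Run it with `--live` while the tunnel is up and take the VPN down at the prompt; with no argument it only classifies the embedded samples. A verdict of `blocked` is the outcome the provider configuration in the thread is meant to produce; `leak` is the step-7 behaviour being reported, with the route line telling you which interface the packets left on.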