On 09/06/2013 02:03 AM, Tom Robinson wrote:
>
> ...
> The problem is when I switch over to VLANning on Shorewall and the
> switch I get lots of 'FORWARD:REJECT' log messages when internal clients
> try to access the internet and lots of 'INPUT:DROP' log messages when
> the clients try to reach the natted address.
>
>    Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.184
> DST=74.125.237.39 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21822 DF
> PROTO=TCP SPT=56373 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Shorewall:INPUT:DROP:IN=eth0 OUT=
> MAC=00:0c:29:8b:5f:80:00:22:19:08:d5:13:08:00 SRC=192.168.0.93
> DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=7988 SEQ=1
>
> Also, these packets look like they are coming in on eth0, not eth0.192
> as I would have expected.
>
> Are there any examples or more documentation on VLANning with Shorewall?

Hi Tom,

When you see FORWARD or INPUT as a zone name like that, it means that 
the traffic is not matching any zones.

It looks to me like 192.168.0.0/24 is still coming into eth0 untagged; 
your Shorewall configuration is assuming that all VLANs on that 
interface are tagged.  If you provide some more details about your 
switch brand, model, and configuration, we can probably point you in the 
right direction.

Regards,
Paul
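
The diagnosis in this reply can be checked mechanically over a log capture. The following is an added example, not part of the original thread: it counts Shorewall log entries whose chain is a built-in one (no zone matched) and reports which of them arrived on a parent interface rather than a VLAN sub-interface. The function names are hypothetical, the third sample line and its `loc2net` chain name are constructed, and treating an interface name without a `.<vid>` suffix as untagged is an assumption based on the `eth0` / `eth0.192` naming in the thread.

```python
import re
from collections import Counter

# Built-in netfilter chains. Per the reply above, one of these appearing where
# a zone-pair chain name would normally be means the packet matched no zone.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN are skipped

# First two lines are the ones quoted in the thread (re-joined onto one line);
# the third is constructed to show a packet that did match a zone pair.
SAMPLE = [
    "Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.184 DST=74.125.237.39 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21822 DF PROTO=TCP SPT=56373 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Shorewall:INPUT:DROP:IN=eth0 OUT= MAC=00:0c:29:8b:5f:80:00:22:19:08:d5:13:08:00 "
    "SRC=192.168.0.93 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=7988 SEQ=1",
    "Shorewall:loc2net:REJECT:IN=eth0.192 OUT=eth1 SRC=192.168.192.10 "
    "DST=203.0.113.5 LEN=52 PROTO=TCP SPT=40000 DPT=25 SYN",  # constructed
]

def parse(line):
    """Return chain, disposition and addressing fields, or None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""),
            "src": f.get("SRC", ""), "dst": f.get("DST", "")}

def unmatched_by_interface(lines):
    """Count entries logged from a built-in chain, keyed by (chain, IN, OUT)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["chain"] in BUILTIN_CHAINS:
            counts[(rec["chain"], rec["in"] or "-", rec["out"] or "-")] += 1
    return counts

def untagged_parents(counts):
    """Ingress interfaces with no '.<vid>' suffix that received unmatched traffic."""
    return sorted({i for (_, i, _) in counts if i != "-" and "." not in i})

if __name__ == "__main__":
    c = unmatched_by_interface(SAMPLE)
    for key, n in sorted(c.items()):
        print(n, *key)
    print("unmatched traffic on untagged parent:", untagged_parents(c))
```
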


