Re: [Shorewall-users] openvpn restart fails with dual entry in conntrack and wrong sourceport

Mon, 25 Nov 2013 07:16:56 -0800 

On 11/24/2013 8:22 AM, Axel Zöllich wrote:
>>> providers:
>>> tcom    1       0x100   -               ppp0            -
>>> balance=2       -
>>> netco   2       0x200   -               eth4            212.117.77.217
>>> balance=1       -
>>>
>>> tcrules:
>>> #alles über tcom:
>>> 0x100:P 0.0.0.0/0
>>> 0x100   $FW
>>> #Mebidia via netco
>>> 0x200:P -               212.117.77.202
>>> 0x200   $FW             212.117.77.202
>>> 0x200:P -               212.117.77.203
>>> 0x200   $FW             212.117.77.203
>>
>> What do you have in masq?
> 
> masq:
> eth1    -                       192.168.122.189         tcp     22
> ppp0    0.0.0.0/0               80.152.162.192
> eth4    0.0.0.0/0               212.117.77.218
> 
>>>> Also, is your OpenVPN setup Point-to-Point or client/server?
>>>
>>> Client/Server and the shorewall Box acts as server.
>>
>> Please send me the output of 'shorewall dump'.
> done
> 
>> Thanks,
> I'm the one who should thank you.
> 

Axel,

Your configuration has USE_DEFAULT_RT=Yes; from
http://www.shorewall.org/manpages/shorewall-interfaces.html

Note

There are certain cases where routefilter cannot be used on an interface:

If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is listed
in shorewall-providers(5). <==================

If there is an entry for the interface in shorewall-providers(5) that
doesn't specify the balance option.

If IPSEC is used to allow a road-warrior to have a local address, then
any interface through which the road-warrior might connect cannot
specify routefilter.

This is the cause of your martians.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to