On 7/30/2014 11:54 AM, Georg Bixa wrote:
> On 2014-07-30 at 17:29, Tom Eastep wrote:
>> On 7/30/2014 5:16 AM, Georg Bixa wrote:
>>>> Hello! I am using Shorewall for some years now, but I ran into trouble
>>>> with the following multi-VLAN setup:
>>>>
>>>> The network had two VLANs (vlan21 and vlan22) which are masqueraded by
>>>> the firewall to a public subnet. vlan22 was running fine, but packets on
>>>> vlan21 did not get an answer.
>>>> I set up another VLAN (vlan23) to test some parameters, but that shut
>>>> vlan22 down. Now vlan23 is working but vlan21 and vlan22 are not.
>>>>
>>>> I did some tcpdump and found out that the packets are correctly
>>>> masqueraded and sent out, but the response is not forwarded, with the
>>>> following errors:
>>>>
>>>> Jul 30 12:26:33 viegw kernel: [99036.969653] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan21 MAC= SRC=85.25.182.38 DST=192.168.21.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31228 PROTO=ICMP TYPE=0 CODE=0 ID=2970 SEQ=55
>>>>
>>>> Jul 30 12:26:34 viegw kernel: [99037.160452] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan22 MAC= SRC=85.25.182.36 DST=192.168.22.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=36303 PROTO=ICMP TYPE=0 CODE=0 ID=2964 SEQ=59
>>>>
>>>> I have checked routing and config files but did not come up with a
>>>> solution for days.
>>>> Any help would be much appreciated!
>>>> (I have attached a shorewall dump.)
>>
>> What is the net->ene policy? It looks like NONE.
>>
>> -Tom
>
> You are absolutely right! I thought this was covered with the "net all
> DROP" policy, but setting it explicitly solved the problem.
>
> Thank you very much! And best wishes from Austria!
Thank you. I would like to understand why this happened. Would you be willing
to send me your /etc/shorewall contents so that I could try to reproduce the
problem? If so, please:

a) shorewall show -f capabilities > /etc/shorewall/capabilities
b) tar up the contents of /etc/shorewall
c) rm /etc/shorewall/capabilities
d) Send the tarball to me privately.

While I'm no longer producing patches for Shorewall 4.4, I would like to be
sure that the problem isn't present in the latest 4.5 and 4.6 releases.

Thanks!
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
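The point behind Tom's question, shown as an added example that is not part of the thread and not Shorewall's own code: /etc/shorewall/policy is scanned top to bottom and the first SOURCE/DEST match wins, so a "net all DROP" line only covers net->ene if no earlier line already matches that pair. The small Python model below parses a policy file and resolves the effective policy per zone pair. The two policy files in it are constructed for the demonstration (the thread never shows the poster's real file), the "net ene NONE" line is an assumed cause rather than a known one, and the zone name "fw" is made up; "net" and "ene" are the zones named in the thread.

```python
"""
Resolve the effective Shorewall policy for a zone pair from a policy file.

Added example, not code from the thread or from Shorewall itself.  It models
the documented semantics of /etc/shorewall/policy: entries are scanned in
file order and the first SOURCE/DEST match wins, "all" matches any zone but
not a zone talking to itself, "all+" also matches intra-zone traffic, and a
zone pair with no entry is ACCEPTed when SOURCE == DEST.  Comma-separated
zone lists are supported; exclusions such as "all-zone" are not.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass
class PolicyEntry:
    source: str
    dest: str
    policy: str          # ACCEPT, DROP, REJECT, CONTINUE, NONE, ...
    log_level: str = ""  # optional LOG_LEVEL column


def parse_policy(text: str) -> List[PolicyEntry]:
    """Parse the contents of a Shorewall policy file into entries, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        # POLICY may carry a default-action suffix (e.g. DROP:Drop); keep the verb only
        policy = fields[2].split(":", 1)[0].upper()
        log_level = fields[3] if len(fields) > 3 else ""
        entries.append(PolicyEntry(fields[0], fields[1], policy, log_level))
    return entries


def _zone_matches(column: str, zone: str, intra_zone: bool) -> bool:
    if column == "all+":
        return True
    if column == "all":
        return not intra_zone            # plain "all" never covers zone -> same zone
    return zone in column.split(",")


def effective_policy(entries: List[PolicyEntry], source: str, dest: str) -> Optional[str]:
    """First matching entry wins; intra-zone traffic defaults to ACCEPT.

    Returns None for an inter-zone pair with no matching entry (Shorewall's
    compiler rejects such a file; this model just reports the gap).
    """
    intra = source == dest
    for e in entries:
        if _zone_matches(e.source, source, intra) and _zone_matches(e.dest, dest, intra):
            return e.policy
    return "ACCEPT" if intra else None


def none_pairs(entries: List[PolicyEntry], zones: List[str]):
    """Inter-zone pairs whose effective policy is NONE.

    NONE tells Shorewall to build no chain at all for the pair, so packets
    that do arrive for it are not handled by the pair's chain and fall
    through to the FORWARD chain's final REJECT, which is consistent with
    the "Shorewall:FORWARD:REJECT" log prefix in the thread.
    """
    return [(s, d) for s, d in product(zones, repeat=2)
            if s != d and effective_policy(entries, s, d) == "NONE"]


# Constructed policy files for the demonstration; NOT the poster's real file.
BEFORE = """
#SOURCE   DEST    POLICY   LOG_LEVEL
ene       net     ACCEPT
net       ene     NONE                 # assumed leftover from testing
net       all     DROP     info        # believed to cover net->ene, but it is matched second
all       all     REJECT   info
"""

AFTER = """
#SOURCE   DEST    POLICY   LOG_LEVEL
ene       net     ACCEPT
net       ene     DROP     info        # explicit entry, as the poster ended up doing
net       all     DROP     info
all       all     REJECT   info
"""

if __name__ == "__main__":
    zones = ["fw", "net", "ene"]          # "fw" is a made-up third zone
    for label, text in (("before", BEFORE), ("after", AFTER)):
        entries = parse_policy(text)
        print(f"{label}: net->ene = {effective_policy(entries, 'net', 'ene')}, "
              f"NONE pairs = {none_pairs(entries, zones)}")
```

On the firewall itself, `shorewall check` validates the configuration, and later 4.x releases also offer `shorewall show policies`, which prints the policy Shorewall will actually apply to each zone pair; either is a quicker check than reading the policy file by eye when a "net all DROP" line turns out not to be the first match.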
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
