Hello Tom

On Tue, Jan 27, 2015, at 02:43 PM, Tom Eastep wrote:
> Then please post the output of "shorewall compile -e ." back on the
> admin system.

I took that as my cue to really start paying attention to what's changing and 
not.

EVERY time I compile, there's no error on the admin system.  It appears to push 
to the target.

Every time I compile & push, the timestamps on the files in the target's 
/var/lib/shorewall-lite/* are changing accordingly.

But, NOT every time there's a change in timestamp are the changes actually 
getting there.  Just an unmodified old version -- with a new timestamp.

Repeating the compile & push a number of times -- took as many as 10 times to 
get these ping fixes to take this last time -- seems to fix the problem.

That makes no sense to me.

As a test I cleaned the /var/lib/shorewall-lite folder on the target, and 
re-compiled & re-pushed on the admin.

Now -- so far -- it works each and every time.

I have now

shorewall show vpn2lan
Shorewall 4.6.6.1 Chain vpn2lan at ganymede.ZZZZZZ.ZZZ - Tue Jan 27 20:23:31 EST 2015

Chain vpn2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* @@@ /usr/share/shorewall/macro.Ping:13 @@@ */
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* @@@ /usr/share/shorewall/macro.Ping:13 @@@ */
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @@@ /etc/shorewall/ganymede.ZZZZZZ.ZZZ/IPv4/policy:16 @@@ */
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @@@ /etc/shorewall/ganymede.ZZZZZZ.ZZZ/IPv4/policy:16 @@@ */ LOG flags 0 level 6 prefix "Shorewall:vpn2lan:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  /* @@@ /etc/shorewall/ganymede.ZZZZZZ.ZZZ/IPv4/policy:16 @@@ */

And I can ping 

        SVR1
                ping 192.168.2.7

like I'd intended in the first place.

I've no idea what in the target dir would prevent updates randomly, and that 
would then go away with a clean target dir.

Rog

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
