On 06/29/2016 01:24 PM, Thomas Schneider wrote:
> Hello Tom,
>
> I have no doubts in your analysis of the dump.
>
> However, I have no idea about the right conclusions. You're
> pointing to some rules stating "no rule matches the traffic". This
> confirms my assumption, but I'm not sure what to configure.
>
> These are the current rules for ping/traceroute:
>
> ## Drop ping access from net
> Ping(DROP)   net     all
>
> ## Permit ping access
> Ping(ACCEPT) $FW     all
> Ping(ACCEPT) loc,fb  all
>
> ## Permit ICMP access
> ACCEPT       $FW     all   icmp
> ACCEPT       loc,fb  all   icmp
>
> (There are no more rules related to ping/icmp.) I would like to
> ping/traceroute from fb to loc and vice versa, but then /shorewall
> check/ reports an error (ERROR: Rules may not override a NONE
> policy /usr/share/shorewall/macro.Ping (line 9)).
>
> Now, here are my findings:
>
> Source: $FW (=pc4-svp), Dest: any client in fb
> ping works, traceroute fails
>
> root@pc4-svp:/etc/shorewall# ping 192.168.178.121
> PING 192.168.178.121 (192.168.178.121) 56(84) bytes of data.
> 64 bytes from 192.168.178.121: icmp_seq=1 ttl=128 time=0.239 ms
> 64 bytes from 192.168.178.121: icmp_seq=2 ttl=128 time=0.114 ms
> 64 bytes from 192.168.178.121: icmp_seq=3 ttl=128 time=0.169 ms
> ^C
> --- 192.168.1.121 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 1998ms
> rtt min/avg/max/mdev = 0.114/0.174/0.239/0.051 ms
>
> root@pc4-svp:/etc/shorewall# traceroute 192.168.178.121
> traceroute to 192.168.178.121 (192.168.178.121), 30 hops max, 60 byte packets
>  1  * * *
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  *^C
>
> Source: any client in fb, Dest: any client in loc
> ping fails, traceroute fails
>
> thomas@pc8-nb:~$ sudo ping 10.0.0.253
> PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
> From 192.168.178.1: icmp_seq=244 Redirect Host(New nexthop: 192.168.178.10)
> From 192.168.178.1: icmp_seq=544 Redirect Host(New nexthop: 192.168.178.10)
> From 192.168.178.1: icmp_seq=844 Redirect Host(New nexthop: 192.168.178.10)
> ^C
> --- 10.0.0.253 ping statistics ---
> 1129 packets transmitted, 0 received, 100% packet loss, time 1128038ms
>
> thomas@pc8-nb:~$ sudo traceroute 10.0.0.253
> traceroute to 10.0.0.253 (10.0.0.253), 30 hops max, 60 byte packets
>  1  pc4-svp.whl.meilocal.net (192.168.178.10)  0.221 ms  0.206 ms  0.197 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * *^C
>
Please forward (privately) a tarball of your /etc/shorewall directory.

Thanks,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
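The error quoted in the thread is raised because a Shorewall rule names a zone pair whose policy is NONE (the compiler builds no chains for such pairs, so no rule may be placed there), while a rule with `all` in SOURCE or DEST is expanded with NONE pairs silently skipped, which is why the existing `loc,fb all` rules pass. As an added example (not part of the thread and not Shorewall's own code), the small checker below applies that rule to the quoted rules file; the policy table is constructed, since the poster's /etc/shorewall/policy is not shown and a NONE policy between fb and loc is inferred from the error message.

```python
"""Reproduce Shorewall's 'Rules may not override a NONE policy' check.

Added example, not Shorewall's own compiler. The policy table below is
constructed: the poster's /etc/shorewall/policy is not in the thread, so a
NONE policy between fb and loc is assumed, as the quoted error implies.
"""

# Constructed policy table: (SOURCE, DEST) -> POLICY; most specific entry wins.
POLICY = {
    ("$FW", "all"): "ACCEPT",
    ("loc", "fb"): "NONE",  # assumed, see module docstring
    ("fb", "loc"): "NONE",  # assumed
    ("net", "all"): "DROP",
    ("all", "all"): "REJECT",
}

# The rules quoted in the thread, minus their comments.
QUOTED_RULES = """\
Ping(DROP)   net     all
Ping(ACCEPT) $FW     all
Ping(ACCEPT) loc,fb  all
ACCEPT       $FW     all   icmp
ACCEPT       loc,fb  all   icmp
"""

def policy_for(src, dst, policy=POLICY):
    """Policy for a zone pair: exact match, then src->all, all->dst, all->all."""
    for key in ((src, dst), (src, "all"), ("all", dst), ("all", "all")):
        if key in policy:
            return policy[key]
    return None

def check_rules(rules_text, policy=POLICY):
    """Return one error string per explicitly named zone pair whose policy is NONE.

    Rules with 'all' in SOURCE or DEST are left alone: the Shorewall compiler
    silently skips NONE pairs when expanding the wildcard and only rejects
    pairs the rule names explicitly.
    """
    errors = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or "all" in fields[1:3]:
            continue  # blank/comment/malformed line, or wildcard rule
        action, src, dst = fields[:3]
        for s in src.split(","):
            for d in dst.split(","):
                if s != d and policy_for(s, d, policy) == "NONE":
                    errors.append(f"line {lineno}: {action} {s} {d} overrides a NONE policy")
    return errors
```

`check_rules(QUOTED_RULES)` returns no errors, while a rule such as `Ping(ACCEPT) fb loc`, the pair the poster wants to add, is flagged; with a DROP or REJECT policy for that pair in the table the same rule passes, which is the distinction `shorewall check` is reporting.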
