From: Tom Eastep <teas...@shorewall.net>

> Unfortunately, the FW2 configuration has the same shortcoming as did FW1
> - namely, that there are DROP policies that don't log. So it isn't
> possible to see what is being dropped and I was unable to come to any
> conclusion...
Hi,

I set up a trimmed-down shorewall system today in order to find the root cause of my woes. I'm attaching 3 files (on Google Drive, actually):

- shorewall dump while pinging 8.8.8.8, 10.215.144.92, 172.16.0.2, 10.215.144.91 from a "lan" host with IP addr. 10.215.144.48
- kernel messages, as the shorewall dump did NOT grab the full data for some reason (i.e. the dump was done at 07:24 with counters reset at 07:22, but oddly it did not include syslog messages before 07:24)
- the full shorewall config files (in the hope you see something I overlooked)

https://drive.google.com/file/d/0B-tpkY1LkI67bUJOU2Y1dTFrUWM/view?usp=sharing
https://drive.google.com/file/d/0B-tpkY1LkI67MTRYeVRMTlBXZGc/view?usp=sharing
https://drive.google.com/file/d/0B-tpkY1LkI67OXpxQkZzM2RvbFU/view?usp=sharing

I'm interested in lan-wan communication for now. $FW-wan is OK. lan-wan does not work. All the pings from 10.215.144.48 listed above FAIL except to 10.215.144.91, which is one of the IP addresses of this shorewall system ($FW).

I'm logging everything, even ACCEPTs, but I don't see anything being dropped regarding the failing pings. I only see "lan-wan ACCEPT" messages for my ICMP tests.

I don't think the issue is with the other shorewall gateway at 10.215.144.92 because replacing this failing shorewall system with the old one restores all traffic as expected. However, if you require a dump of the other gateway as well then please let me know.

I'm also sending a link to the dump taken on the "old" shorewall system while doing the same ping tests:

https://drive.google.com/file/d/0B-tpkY1LkI67QU00M29VbWRFb0k/view?usp=sharing

Of course, the "rules" are more complex than on the failing system, but some settings are identical (e.g. interfaces). So now I'm trying to find the diffs between the old/working shorewall system and the new/failing one (you might not see all ACCEPT kernel messages for the same reason described previously, but all's working with the old FW).

Any ideas?
Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
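A small diagnostic that fits the situation described in the post (outbound ICMP logged as "lan-wan ACCEPT", yet the pings fail): pair each logged echo request with its echo reply, so that the log itself tells you whether the replies are coming back through the firewall at all. An ACCEPTed request with no logged reply points at return routing or NAT rather than at a DROP rule. This is an added example, not code from the thread or from the Shorewall project. It assumes the default Shorewall LOGFORMAT ("Shorewall:zone-zone:ACTION:" in front of the usual netfilter fields); the log lines in SAMPLE_LOG are constructed for illustration, not taken from the poster's dump.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (illustrative only, not the poster's dump).
# Format assumed: default Shorewall LOGFORMAT "Shorewall:%s:%s:" followed by the
# netfilter fields. Adjust LOG_RE if shorewall.conf sets a different LOGFORMAT.
SAMPLE_LOG = """\
Sep 12 07:23:01 fw kernel: Shorewall:lan-wan:ACCEPT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.215.144.48 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5001 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Sep 12 07:23:02 fw kernel: Shorewall:lan-wan:ACCEPT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.215.144.48 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5002 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Sep 12 07:23:03 fw kernel: Shorewall:lan-fw:ACCEPT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.215.144.48 DST=10.215.144.91 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5003 DF PROTO=ICMP TYPE=8 CODE=0 ID=1235 SEQ=1
Sep 12 07:23:03 fw kernel: Shorewall:fw-lan:ACCEPT:IN= OUT=eth1 SRC=10.215.144.91 DST=10.215.144.48 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7001 PROTO=ICMP TYPE=0 CODE=0 ID=1235 SEQ=1
Sep 12 07:23:05 fw kernel: Shorewall:wan-lan:DROP:IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=203.0.113.9 DST=10.215.144.48 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9001 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")
# Flags without a value (DF, SYN, ...) are deliberately not matched.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one.

    netfilter prints 'ID=' twice for ICMP echo traffic (IP header id, then the
    ICMP echo id); the second occurrence is stored as ICMP_ID so they are not
    confused. Only echo request/reply lines are handled; ICMP errors that embed
    an inner packet (TYPE=3, TYPE=11) are out of scope for this example.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        if key == "ID" and "ID" in rec:
            key = "ICMP_ID"
        rec[key] = value
    return rec


def summarize(log_text):
    """Count packets per (chain, action, protocol), e.g. ('lan-wan', 'ACCEPT', 'ICMP')."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["action"], rec.get("PROTO", "?"))] += 1
    return counts


def unanswered_echoes(log_text):
    """Echo requests (TYPE=8) with no matching echo reply (TYPE=0) in the log.

    Request and reply share the ICMP id/seq with SRC and DST swapped. Each
    result is (src, dst, icmp_id, seq, action_of_request). An ACCEPTed request
    that never gets a reply back through the firewall is a return-path
    (routing/NAT on the far side) question, not a policy/rule question.
    """
    requests = {}
    replies = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "ICMP":
            continue
        key = (rec["SRC"], rec["DST"], rec.get("ICMP_ID"), rec.get("SEQ"))
        if rec.get("TYPE") == "8":
            requests[key] = rec["action"]
        elif rec.get("TYPE") == "0":
            # Store the reply keyed as the request it answers.
            replies.add((rec["DST"], rec["SRC"], rec.get("ICMP_ID"), rec.get("SEQ")))
    return sorted(k + (a,) for k, a in requests.items() if k not in replies)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, n in sorted(summarize(text).items()):
        print("%-30s %d" % (":".join(key), n))
    for src, dst, icmp_id, seq, action in unanswered_echoes(text):
        print("no reply: %s -> %s id=%s seq=%s (request was %s)" % (src, dst, icmp_id, seq, action))
```

Run it against the real kernel messages with `grep Shorewall: /var/log/kern.log | python3 this_script.py` (path assumed; use wherever your syslog puts kernel messages). On the constructed sample it reports the two requests to 8.8.8.8 as unanswered while the request to the firewall's own 10.215.144.91 is paired with its reply, which is exactly the distinction the post describes.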