On 08/01/2017 12:58 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Tom Eastep <teas...@shorewall.net>
>>
>> Unfortunately, the FW2 configuration has the same shortcoming as
>> did FW1 - namely, that there are DROP policies that don't log. So
>> it isn't possible to see what is being dropped and I was unable to
>> come to any conclusion...
>
>
> Hi,
>
> I set up a trimmed-down shorewall system today in order to find the
> root cause of my woes.
>
> I'm attaching 3 files (on Google Drive, actually):
>
> - shorewall dump while pinging 8.8.8.8, 10.215.144.92, 172.16.0.2,
>   10.215.144.91 from "lan" host with IP addr. 10.215.144.48
> - kernel messages as the shorewall dump did NOT grab the full data for
>   some reason (i.e. the dump was done at 07:24 with counters reset at
>   07:22, but oddly it did not include syslog messages before 07:24)

The dump always includes just the last 20 log messages.

> - the full shorewall config files (in the hope you see something I
>   oversaw)
>
> https://drive.google.com/file/d/0B-tpkY1LkI67bUJOU2Y1dTFrUWM/view?usp=sharing
>
> https://drive.google.com/file/d/0B-tpkY1LkI67MTRYeVRMTlBXZGc/view?usp=sharing
> https://drive.google.com/file/d/0B-tpkY1LkI67OXpxQkZzM2RvbFU/view?usp=sharing
>
> I'm interested in lan-wan communication for now. $FW-wan is OK.
> lan-wan does not work. All the pings from 10.215.144.48 listed above
> FAIL except to 10.215.144.91 which is one of the IP addresses of this
> shorewall system ($FW).
>
> I'm logging everything, even ACCEPTs, but I don't see anything being
> dropped regarding the failing pings. I only see "lan-wan ACCEPT"
> messages for my ICMP tests.

Then the next step is to determine if the requests are actually being
sent out of the WAN interface (enp6s0).

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
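
A first pass at the check suggested above can be made from the ACCEPT log entries themselves; the following is an added example, not part of the original thread or of Shorewall. It assumes the default `Shorewall:<chain>:<disposition>:` log prefix; the log lines, the hostname `fw`, the interface names `enp5s0` and `enp7s0`, and the `lan-fw` chain name are constructed for illustration.

```python
import re
from collections import defaultdict

WAN_IF = "enp6s0"            # WAN interface named in the thread
LAN_HOST = "10.215.144.48"   # pinging "lan" host named in the thread

# Constructed sample kernel log lines (NOT taken from the poster's files).
# enp5s0/enp7s0, the MAC bytes and the "lan-fw" chain name are assumptions.
SAMPLE_LOG = """\
Aug  1 07:23:01 fw kernel: Shorewall:lan-wan:ACCEPT:IN=enp5s0 OUT=enp6s0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.215.144.48 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Aug  1 07:23:02 fw kernel: Shorewall:lan-wan:ACCEPT:IN=enp5s0 OUT=enp7s0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.215.144.48 DST=172.16.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=78 SEQ=1
Aug  1 07:23:03 fw kernel: Shorewall:lan-fw:ACCEPT:IN=enp5s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.215.144.48 DST=10.215.144.91 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=79 SEQ=1
Aug  1 07:23:04 fw kernel: Shorewall:lan-wan:ACCEPT:IN=enp5s0 OUT=enp6s0 MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=10.215.144.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=80 SEQ=1
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
FIELD = re.compile(r"(\w+)=(\S*)")   # netfilter LOG key=value pairs; OUT= may be empty

def egress_summary(log_text, src=LAN_HOST):
    """Map each pinged DST to the (chain, OUT interface) pairs logged for
    ACCEPTed ICMP echo requests coming from src."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m or m["disp"] != "ACCEPT":
            continue
        f = dict(FIELD.findall(line[m.end():]))
        if (f.get("PROTO"), f.get("TYPE"), f.get("SRC")) == ("ICMP", "8", src):
            # An empty OUT= means the packet was addressed to the firewall itself.
            seen[f["DST"]].add((m["chain"], f.get("OUT") or "(local)"))
    return dict(seen)

def not_routed_to_wan(summary, wan_if=WAN_IF):
    """Forwarded destinations whose logged OUT interface is not wan_if."""
    return sorted(dst for dst, pairs in summary.items()
                  if any(out not in (wan_if, "(local)") for _, out in pairs))

if __name__ == "__main__":
    summary = egress_summary(SAMPLE_LOG)
    for dst, pairs in sorted(summary.items()):
        print(dst, sorted(pairs))
    print("not routed to", WAN_IF, ":", not_routed_to_wan(summary))
```

The `OUT=` field in a forwarded packet's log entry records the routing decision, not proof of transmission. A packet capture on enp6s0 while the pings run is what confirms the requests leave and shows the source address they carry.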