On 10/14/19 11:43 PM, Andreas Günther wrote:
> Good morning,
>
> here is a default rule for SSH connections included in /usr/share/doc/
> shorewall/examples/two-interfaces/rules:
>
> # 
> #       Accept SSH connections from the local network for administration 
> # 
> SSH(ACCEPT)     loc             $FW
>
> This should realize the SSH connections from loc to the firewall. So I think,
> my icinga2 port is open on the host (192.168.1.1) like the ssh port too, and I
> could build the same rule for 5665:
>
> ICINGA(ACCEPT)     loc              $FW
>
> and for the other direction
>
> ICINGA(ACCEPT)     $FW              loc
>
> But it doesn't run like desired.

According to the Shorewall Dump that you submitted, the firewall is
*not* blocking the connection:

Chain loc-fw (1 references)
...
1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5665 /* ICINGA */

This indicates that the SYN packet sent by the client was accepted by
the firewall's ruleset. Note that in the loc-fw display in your previous
post, three connections had been accepted.

The server is listening on this port:

Netid  State   Recv-Q   Send-Q     Local Address:Port       Peer Address:Port  
...
tcp    LISTEN  0        128              0.0.0.0:5665            0.0.0.0:*       users:(("icinga2",pid=80706,fd=18))

so I see no reason why the connection would not be successful.

If you temporarily execute 'shorewall clear', does the connection
succeed (be sure to 'shorewall start' after the test)?

> My host is with its two interfaces vmbr0 and 
> vmbr1 part of both networks net and loc, and named as $FW. I don't understand 
> this behaviour.
>
The host is *not* part of net and loc -- it is its own zone named 'fw',
which is what $FW expands to. This is explained at
http://www.shorewall.org/Introduction.html.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________
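The two checks Tom walks through above (is there an ACCEPT rule for the port in loc-fw, and is anything listening on it) as a small POSIX shell script. This is an added example, not part of the reply or of Shorewall's own tooling; the chain and ss listings embedded in it are constructed from the lines quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of a "shorewall dump" loc-fw chain (counters first, as in the thread).
LOC_FW_CHAIN='Chain loc-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5665 /* ICINGA */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of "ss -tlnp" output on the firewall host.
SS_LISTEN='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1,fd=3))
tcp   LISTEN 0      128          0.0.0.0:5665      0.0.0.0:*     users:(("icinga2",pid=80706,fd=18))'

# fw_accepts CHAIN_TEXT PORT: succeeds if an ACCEPT rule for tcp dpt:PORT exists in the chain.
fw_accepts() {
    printf '%s\n' "$1" | grep -E '^ *[0-9]+ +[0-9]+ +ACCEPT +tcp ' | grep -qE "tcp dpt:$2( |\$)"
}

# fw_syn_count CHAIN_TEXT PORT: packet counter of that rule, i.e. how many SYNs were accepted.
fw_syn_count() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$3 == "ACCEPT" && $4 == "tcp" && $0 ~ ("tcp dpt:" p "( |$)") { print $1; exit }'
}

# svc_listening SS_TEXT PORT: succeeds if a TCP socket is in LISTEN on PORT (any local address).
svc_listening() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == "tcp" && $2 == "LISTEN" { a = $5; sub(/.*:/, "", a); if (a == p) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# diagnose PORT: report which of the two conditions fails, or that the firewall is not the problem.
diagnose() {
    if ! fw_accepts "$LOC_FW_CHAIN" "$1"; then
        echo "no ACCEPT rule for tcp/$1 in loc-fw: check the rules file"; return 1
    fi
    if ! svc_listening "$SS_LISTEN" "$1"; then
        echo "firewall accepts tcp/$1 but nothing listens on it: check the service"; return 2
    fi
    echo "firewall accepts tcp/$1 ($(fw_syn_count "$LOC_FW_CHAIN" "$1") SYN(s) counted)" \
         "and the service listens: look beyond the firewall (e.g. 'shorewall clear' test)"
}

diagnose "${1:-5665}"
```

On a real host, replace the two embedded listings with the output of `shorewall dump` and `ss -tlnp`.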



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
