On Tuesday, 15 October 2019, 19:23:57 CEST, Andreas Günther wrote:

> 
> I saw that today when I was reading your documentation.
> 
> If the firewall is running correctly in your view, then I have searched for the
> refused connection in Icinga, apart from the connection behavior on the
> host, as just shown.

Hi,

my problem still isn't solved. I have checked Icinga2 on the host and tested 
the same configuration on another KVM guest 192.168.200.7 in a separate 
network 192.168.200.0 without any firewall, with an Icinga client 192.168.200.2. 
There aren't any connection problems there.

On my Host Icinga is listening:
# netstat -tlpn | grep 5665
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      3490/icinga2
My rules for tcp/5665 look like:
0     0 ACCEPT     tcp  --  *      *       192.168.1.66         192.168.1.70         tcp dpt:5665
1    60 ACCEPT     tcp  --  *      *       192.168.1.70         192.168.1.66         tcp dpt:5665
Now I try to fetch the certificate from Icinga on the client like this:
mx:~ # openssl s_client -connect 192.168.1.66:5665
140635865412736:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140635865412736:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
At the same time in the log of shorewall I see:
neckar:/etc/shorewall # shorewall show log | grep '192.168.1.66'
Oct 18 12:45:10 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44700 DF PROTO=TCP SPT=42882 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
The same from the host looks like this:
neckar:/etc/shorewall # openssl s_client -connect 192.168.1.66:5665
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = Icinga CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = Icinga CA
verify return:1
depth=0 CN = neckar.germany.com
verify return:1
...
I no longer believe in a problem with Icinga; it is something with 
shorewall. But I don't know what.
Could it have something to do with the options or missing options in 
interfaces?
#ZONE   INTERFACE       OPTIONS 
net     $NET_IF         dhcp,routefilter,tcpflags 
loc     $LOC_IF         routeback,bridge

Best regards 

Andreas

Attachment: shorewall_dump.txt.bz2
Description: application/bzip
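As an added example (not from this thread or the Shorewall project): a small parser for the netfilter log lines Shorewall writes in the format quoted above. It extracts the zone-pair chain (here `loc-fw`), the disposition and the packet fields, and reports which chain blocked a flow the administrator intended to permit. The sample log lines and the allow-list are constructed for the example, not taken from the attached dump.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the Shorewall log format shown in the mail.
SAMPLE_LOG = """\
Oct 18 12:45:10 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44700 DF PROTO=TCP SPT=42882 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 12:45:12 Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.66 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes each netfilter log entry with "Shorewall:<chain>:<disposition>:".
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")


@dataclass
class Hit:
    chain: str          # zone pair / chain that made the decision, e.g. "loc-fw"
    disposition: str    # REJECT, DROP, ACCEPT, ...
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines without a Shorewall prefix."""
    m = PREFIX.search(line)
    if not m:
        return None
    # Tokens like "DF" or "SYN" carry no '=' and are flags, so skip them;
    # "OUT=" yields an empty value, which is fine.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    dport = int(fields["DPT"]) if fields.get("DPT") else None
    return Hit(m.group("chain"), m.group("disposition"), fields.get("SRC", ""),
               fields.get("DST", ""), fields.get("PROTO", ""), dport)


def unexpected_blocks(log_text: str, allowed):
    """Return hits for flows in `allowed` (tuples of src, dst, proto, dport)
    that were not ACCEPTed; the chain name tells you which zone pair
    evaluated the packet, i.e. where the ACCEPT rule would have to live."""
    out = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit and hit.disposition != "ACCEPT" and (hit.src, hit.dst, hit.proto, hit.dport) in allowed:
            out.append(hit)
    return out
```

Run against the real dump with the flows you intend to allow; a hit in `loc-fw` means the packet was judged as loc-to-firewall traffic, not loc-to-loc.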
