Vieri is right, I did miss the "all all ACCEPT" with the message thread
truncation. Still... like Roger I would be a little more assured if
Sean put in an explicit "dock fw ACCEPT" and "fw dock ACCEPT" just for
testing, particularly given the potential complication of a bridge
interface. I am also sort of wondering if packets might be going out
the "docker0" interface and back via "br" or vice-versa, which a
tcpdump -i any would certainly show (I'd suggest putting some constraints around
src, dst, and port or proto if you want to avoid a deluge of output).
Also, you can try the "diff" thing with "ip route show" and with
"shorewall show routing", with shorewall running/clear, which might give some
clues.
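The explicit test policies suggested above, written out in Shorewall's policy-file format as an added illustration (not from the thread; the zone names dock and $FW follow the thread, the ordering and log-level comments are mine):

```conf
# /etc/shorewall/policy  (added example, not from the thread)
# Temporary diagnostic policy: the explicit dock <-> $FW entries go BEFORE
# the catch-all, because Shorewall applies the first matching policy entry.
# "info" on the catch-all logs every packet that falls through to it, so
# "shorewall show log" / "shorewall logwatch" reveal which zone pair the
# traffic was actually matched under. Revert once the bridge/routing
# question is settled; a permanent "all all ACCEPT" is not a firewall.
#SOURCE   DEST    POLICY   LOGLEVEL
dock      $FW     ACCEPT
$FW       dock    ACCEPT
all       all     ACCEPT   info
```

Run "shorewall check" before "shorewall restart" so a column or zone-name mistake is caught without dropping the running ruleset.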
On 2025-03-21 10:42, Roger Hayter wrote:
ISTR ‘all’ doesn’t include the firewall unless you explicitly state it (or use
‘all+’ but I’m less sure of this). So doesn’t there need to be a policy of
‘dock’ to $FW ACCEPT?
--
Roger Hayter
On 21 Mar 2025, at 13:08, Vieri Di Paola <vieridipa...@gmail.com> wrote:
On Fri, Mar 21, 2025, 13:16 Winston Sorfleet <w...@romanus.ca> wrote:
Well, it would seem to me that's the problem - your VM is in the Docker
zone, and the host you want to access is in the Fw zone.
But OP has 'all all ACCEPT' as policy.
Try setting to 'all all ACCEPT INFO' and confirm in logs that you see the
traffic you need.
If outgoing ok but no reply, you might want to check routing tables.
Are the replies routed back as expected to the right interface?
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users