Hi,

Please let me know if the combination to allow port 9100 and drop the rest is ever possible with Strongswan?

Thanks
Mahendra

On Wed, Feb 17, 2016 at 9:12 AM, Mahendra SP <[email protected]> wrote:
> Hi Noel,
>
> Thank you for the quick response.
>
> There are two hosts namely 192.168.1.6 and 192.168.1.8.
>
> Here is what I want to do:
> 1. Block all traffic over TCP from 192.168.1.6 to TCP port 9100 on
>    192.168.1.8
> 2. Drop the rest of the traffic between these two systems.
>
> Sorry for not having correct parameters. Please find below the correct one.
>
> conn allow-9100
>     leftsubnet=192.168.1.6[6/%any]
>     rightsubnet=192.168.1.8[6/9100]
>     leftfirewall=yes
>     type=passthrough
>     auto=route
>
> conn drop-rest
>     leftsubnet=192.168.1.6
>     rightsubnet=192.168.1.8
>     leftfirewall=yes
>     type=drop
>     auto=route
>
> Is it possible to achieve the above mentioned items 1 and 2? With the
> above settings, I was expecting connections to port 9100 would be allowed
> and rest is dropped. What I observe is, all traffic including 9100 is
> dropped. Is there some priority that we can set?
>
> Thanks
> Mahendra
>
> On Tue, Feb 16, 2016 at 11:23 PM, Noel Kuntze <[email protected]>
> wrote:
>
>> On 16.02.2016 13:43, Mahendra SP wrote:
>> > conn allow-9100
>> >     leftsubnet=192.168.1.6[6/%any]
>> >     rightsubnet=192.168.1.8[6/9100]
>> >     leftfirewall=yes
>> >     type=allow
>> >     auto=route
>> "allow" is not a valid setting for "type".
>>
>> > conn drop-rest
>> >     leftsubnet=192.168.1.6
>> >     rightsubnet=192.168.1.8
>> >     leftfirewall=yes
>> >     type=passthrough
>> >     auto=route
>> What's the purpose of that? It just tells XFRM to not do any processing on
>> packets that match those left- and rightsubnet settings.
>>
>> When I look at all your settings, they seem to contradict each other.
>> Please do a minimal setup. I think the error is in your overlapping subnets
>> with all those different types.
>>
>> --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
