Re: [Shorewall-users] internet access from win7 (openvpn) through server (openvpn + shorewall)?

2014-07-25 Thread matt darfeuille
Hi, First off my apologies if I misunderstood your question! :) -- Is your dns server configured to accept dns requests from the vpn clients? -- Are you masquerading the vpn subnet(s)? -- Are you allowing traffic to the dns server and to the internet?? -Matt On 24 Jul 2014 at 22:28, Juan Pablo

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Vernon Fort
>> /rules >> DNAT net vpn1:192.168.1.2 tcp 25 - S.S.S.S >> ACCEPT net vpn1:192.168.1.2 tcp 25 You have both DNAT and ACCEPT for the same zone/port - DROP the DNAT. I'm not an expert by any stretch of the imagination I would think the following would work:

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/24/2014 8:26 PM, sur...@emailengine.net wrote: > >> In the mean time, I *think* your DNAT rule should be: >> >> DNAT net vpn1:192.168.1.2 tcp 25 S.S.S.S > > Still with > > SERVER (shorewall) > eth0: S.S.S.S > 192.168.0.1 > tu

Re: [Shorewall-users] [SOLVED] DNAT FTP from non standard port to standard port & passive FTP connections

2014-07-25 Thread Tom Eastep
On 7/24/2014 8:19 PM, Raimonds Cicans wrote: > 1) Forgot to mention: > /etc/shorewall/shorewall.conf: FASTACCEPT=Yes > > 2) Tested following variant: > /etc/shorewall/rules: DNAT inet dmz:somehost:21 tcp 21 > > It works without problem. > > 3) AFAIK last thing done on the firewall, was

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
On Fri, Jul 25, 2014, at 07:40 AM, Tom Eastep wrote: > ... Watching that example of stepping through the flow was quite useful; Something to study. > The configuration on the SERVER is now correct and the issue is on the CLIENT. OK > What is the shorewall.conf setting for ROUTE_FILTER on the

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
I'm working on following & understanding the flow of packets across all of *this*. when I exec telnet from an external host, I see at CLIENT tcpdump -i tun1 11:32:16.532625 IP E.E.E.E.54277 > 192.168.1.2.smtp: Flags [S], seq 1312623728, win 32768, options [mss 1308,nop,wscale 3,sackOK,nop

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 11:44 AM, sur...@emailengine.net wrote: > I'm working on following & understanding the flow of packets across all of > *this*. > > when I exec telnet from an external host, I see at CLIENT > > tcpdump -i tun1 > 11:32:16.532625 IP E.E.E.E.54277 > 192.168.1.2.smtp: Flags [S], se

[Shorewall-users] Shorewall 4.6.2.2

2014-07-25 Thread Tom Eastep
Version 4.6.2.2 is now available for download. Problems Corrected: 1) The compiler now correctly detects the IPv6 "Header Match" capability when LOAD_MODULES_ONLY=No. 2) The compiler now correctly detects the IPv6 "Ipset Match" capability on systems running a 3.14 or later kernel. 3)

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 12:31 PM, Tom Eastep wrote: > On 7/25/2014 11:44 AM, sur...@emailengine.net wrote: >> I'm working on following & understanding the flow of packets across all of >> *this*. >> >> when I exec telnet from an external host, I see at CLIENT >> >> tcpdump -i tun1 >> 11:32:16.532625 IP

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> From the dump: > > /proc/sys/net/ipv4/conf/all/rp_filter = 1 verifying at CLIENT cat /proc/sys/net/ipv4/conf/all/rp_filter 1 > So *something* is setting that. Is there an entry for it in > /etc/sysctl.conf? checking grep rp_filter /etc/sysctl.conf net.ipv4.conf.all.rp_f

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 12:58 PM, sur...@emailengine.net wrote: >> From the dump: >> >> /proc/sys/net/ipv4/conf/all/rp_filter = 1 > > verifying at CLIENT > > cat /proc/sys/net/ipv4/conf/all/rp_filter > 1 > > >> So *something* is setting that. Is there an entry for it in >> /etc/sysctl.conf?

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
at CLIENT checked > /etc/shorewall/interfaces: > > vpn tun+ optional,... /interfaces net EXT_IF physical=eth0,tcpflags,nosmurfs,logmartians=1,sourceroute=0 lan INT_IF physical=eth1,logmartians=1 vpn1 tun+ - > /etc/shorewall/providers: >

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> You don't seem to have an ACCEPT rule for SMTP vpn1->lan. added ACCEPT vpn1 lan:192.168.1.2 tcp 25,587

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 1:21 PM, sur...@emailengine.net wrote: > at CLIENT checked > >> /etc/shorewall/interfaces: >> >> vpn tun+ optional,... > > /interfaces > net EXT_IF > physical=eth0,tcpflags,nosmurfs,logmartians=1,sourceroute=0 > lan INT_IF physical=eth1,logmar

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> Leave the COPY column empty ("-") noting from providers.annotated # #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY # ISP1 1 1 main eth0 206.124.146.254 track,balance eth2 # ISP

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 1:46 PM, sur...@emailengine.net wrote: >> Leave the COPY column empty ("-") > > noting from providers.annotated > > # #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY > OPTIONS COPY > # ISP1 1 1 main eth0 206.1

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
On Fri, Jul 25, 2014, at 01:52 PM, Tom Eastep wrote: > If you can't get it sorted, please send another dump of the CLIENT; this > time as a compressed attachment so I can load it into an editor. I'll see if I can get anywhere, and if not, send the attachment. I've verified that, at CLIENT, I'm st

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 2:02 PM, sur...@emailengine.net wrote: > On Fri, Jul 25, 2014, at 01:52 PM, Tom Eastep wrote: >> If you can't get it sorted, please send another dump of the CLIENT; this >> time as a compressed attachment so I can load it into an editor. > > I'll see if I can get anywhere, and if not,

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> You will want to add 'optional' as an option for vpn1 -- otherwise, > Shorewall won't start if the VPN is down. I thought the optional was -- optional. Added. > I thought that the server was 192.168.1.2. Yes. Typo. Fixed. Still poking ...

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
Back to compile errors /providers #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY isp 1 - main eth0 detect balance - vpn 2 - main tun1 detect

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
with /zones fw firewall net ipv4 lan ipv4 vpn1 ipv4 /interfaces ?FORMAT 2 #ZONE INTERFACE OPTIONS net EXT_IF physical=eth0,tcpflags

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
sorry, that was a test on a friend's machine. same test, on mine, yields the same errors & fixes

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 4:15 PM, sur...@emailengine.net wrote: > sorry, that was a test on a friend's machine. > > same test, on mine, yields the same errors & fixes > Looks correct. -Tom

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
Still can't telnet thru :-/ at CLIENT, with /zones fw firewall net ipv4 lan ipv4 vpn1 ipv4 /interfaces net EXT_IF physical=eth0,tcpflags,nosmurfs,logmartians=1,sourc

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 7:43 PM, sur...@emailengine.net wrote: > Still can't telnet thru :-/ > > at CLIENT, with > > /zones > fw firewall > net ipv4 > lan ipv4 > vpn1 ipv4 > > /interfaces > net E

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> The 'vpn' provider is not starting; what output does 'shorewall-lite > restart' produce? at CLIENT checking state of tun1 ip addr ls tun1 12: tun1: mtu 1500 qdisc pfifo_fast state UP group default qlen 100 link/none inet 10.0.0

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread Tom Eastep
On 7/25/2014 8:27 PM, sur...@emailengine.net wrote: >> The 'vpn' provider is not starting; what output does 'shorewall-lite >> restart' produce? > > at CLIENT > > checking state of tun1 > > ip addr ls tun1 > 12: tun1: mtu 1500 > qdisc pfifo_fast state UP group default qlen

Re: [Shorewall-users] Shorewall config for Mailserver-on-LAN , over a VPN to staticIPs on a VPS?

2014-07-25 Thread surfer
> Please change the vpn provider line to > > vpn2--tun1 10.0.0.1fallback- changed /providers - vpn2--tun1detect fallback- + vpn2--tun110.0.0.1fallback- recompiled still

Re: [Shorewall-users] [SOLVED] DNAT FTP from non standard port to standard port & passive FTP connections

2014-07-25 Thread Raimonds Cicans
Strange... First answer disappeared. Second try. On 25.07.2014 18:24, Tom Eastep wrote: > What is your setting for AUTOHELPERS in shorewall.conf? Default: AUTOHELPERS=Yes Raimonds Cicans