Philipp Rusch wrote:
> Tom Eastep wrote:
>> Philipp Rusch wrote:
>>
>>> Hello Tom,
>>>
>>> I did what you suggested:
>>>
>>>>> a) Does everything work if you "shorewall clear" then run this command?
>>>>>
>>>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>>>
>>>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>>>
>>> I get an error : "iptables: Unknown error 18446744073709551615"
>>>
>>> What does that mean ? Is my kernel broken ?
>>> OK - googled for that error and found some discussion in lists.netfilter.org ...
>>> but, to be honest, I don't understand/know what to do now.
>>>
>>
>> It's an old bug that has been fixed for months that the "Enterprise"
>> distributions are just now encountering.
>>
>> At any rate, the command I gave you was incomplete. It should have been:
>>
>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
>>
>> Sorry for the confusion,
>>
>> -Tom
>>
> Tom,
>
> I did shorewall clear and then the command above.
> Ipsec-tunnel was running all the time, I did ping from "inside" to "remote" - no replies.
So FIX THAT FIRST! I'll tell you once more; if it doesn't work without Shorewall then it isn't going to work with Shorewall. Once you make it work without Shorewall, THEN if it won't work with Shorewall then we can help you. Not before.

> But the packets don't go to the ipsec-zone "fil", they are handled in the all2all chain.
> What can I do to further investigate that setup?
> Philipp

I've told you what to do. My post had 3 steps, the third of which was

c) If you can't solve the problem by looking at your log then please follow the instructions at http://www.shorewall.net/support.htm#Guidelines

> BTW - this morning I had to do a complete restart with the firewall system - a thing I never had to do with shorewall so far. Did not have any error in var/logs/firewall nor in /var/logs/messages, system just did not accept any dns-request, which are just to be natted and routed to the ISP over there. - Strange -
> Could this hiccup be the result of my faulty ipsec-setup?

How could we possibly know? All we have seen are snippets of your Shorewall configuration.

-Tom

-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
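As an added check that is not part of this thread or of Shorewall: a small Python helper that reads `iptables-save` output and reports whether each TCPMSS rule in FORWARD is scoped to TCP SYN packets the way the corrected command is, flagging the incomplete bare `-j TCPMSS` form from the first command. The sample rules below are constructed for the example; the 1460 ceiling (the MSS of an unencapsulated 1500-byte Ethernet path) is an assumption.

```python
import re

# Constructed iptables-save output for this example (not from the thread).
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -j TCPMSS --set-mss 1400
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
"""

TCPMSS_RE = re.compile(r"-j TCPMSS\s+(?:--set-mss\s+(\d+)|--clamp-mss-to-pmtu)")
FLAGS_RE = re.compile(r"--tcp-flags\s+([A-Z,]+)\s+([A-Z,]+)")
MAX_ETHERNET_MSS = 1460  # assumption: 1500 MTU minus IP and TCP headers


def check_tcpmss_rules(save_output, chain="FORWARD"):
    """Return (rule, verdict) for every TCPMSS rule in `chain`.

    The verdict is "ok" only when the rule matches TCP packets with
    SYN set and RST clear, i.e. the SYN segments that actually carry an
    MSS option and that the TCPMSS target is defined for.
    """
    results = []
    for line in save_output.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        target = TCPMSS_RE.search(line)
        if not target:
            continue
        verdict = "ok"
        flags = FLAGS_RE.search(line)
        if "-p tcp" not in line:
            verdict = "missing '-p tcp' match"
        elif not flags:
            verdict = "missing '--tcp-flags SYN,RST SYN' match"
        else:
            mask = flags.group(1).split(",")
            comp = flags.group(2).split(",")
            if "SYN" not in mask or "RST" not in mask or comp != ["SYN"]:
                verdict = f"flags match '{flags.group(0)}' does not select only SYN"
        # A fixed MSS above the plain-Ethernet value clamps nothing.
        if verdict == "ok" and target.group(1) and int(target.group(1)) > MAX_ETHERNET_MSS:
            verdict = f"set-mss {target.group(1)} exceeds {MAX_ETHERNET_MSS}"
        results.append((line, verdict))
    return results


if __name__ == "__main__":
    for rule, verdict in check_tcpmss_rules(SAMPLE_RULES):
        print(f"{verdict:45} {rule}")
```

Feed it live rules with `iptables-save | python3 check_tcpmss.py` after a `shorewall clear`, so the check looks at exactly the rule you typed by hand and nothing Shorewall generated.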
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
