Bulgrien, Kevin wrote:
>> I have hosed myself. I didn't tar up the configuration once it started
>> working, and I tried to reproduce the problem and now cannot get it back
>> working, so indications are that the solution is a bit more than changing
>> the LOG tag... The sad thing is I was very sure I had only changed/added
>> log items and https rule to $FW all instead of $FW net when it started
>> working. I have not yet figured out how to fix it, so anyway, if nothing
>> else, it is an opportunity to log as a known issue.
>>
>> The attached configuration is broken. Failed attempts are
>>
>> SRC=192.168.128.7 DST=212.85.147.126
>>
>> To try to make sure it wasn't a destination fault, after the failure, I
>> did shorewall clear and retried. The https link succeeded, after which
>> I immediately did a start. The https link attempt again fails even with
>> the LOG rule not triggering the truncation warning.
>
> It turns out I did do something else to the configuration to
> get it to work. I had added two more LOG entries to debug the
> situation. It wasn't the HTTPSout log rule rename to 443out
> that fixed it. Apparently what fixed it was adding two more
> log rules.
>
> LOG:$LOG:NETout $FW net tcp - - - -
> -
> LOG:$LOG:NETin net all tcp - - - -
>
> With the NETout and NETin rules added, the https configuration
> works for either instance of the https log tag, but if I
> comment out the NETin log rule, things break again.
>
> This is very weird. Do you want the rules file too?

I understand what's wrong with the ruleset; it has no rule(s) for handling net->fw traffic. By adding the 'net->all' logging rule, you forced the net2fw chain to be created.

I would like a tarball with the entire /etc/shorewall so that I can be sure that the problem is fixed in the current releases.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
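
To check whether a rules file is in the state described in the reply above (nothing in it names net->fw, so no net2fw chain is created), the following added example, which is not part of the original thread or of Shorewall itself, lists the zone-pair chains a rules file references. It is a simplified model: the zone set, the `ACCEPT` line and the helper names are assumptions, and only the two `LOG` rules come from the thread.

```python
ZONES = ("fw", "net")  # assumed zone set: the only zones named in the thread

# Constructed sample: the https rule is a guess at the poster's "$FW all" rule;
# the two LOG rules are the ones quoted in the thread, NETin commented out.
BROKEN = """
ACCEPT           $FW  all  tcp  443
LOG:$LOG:NETout  $FW  net  tcp  -  -  -  -
#LOG:$LOG:NETin  net  all  tcp  -  -  -  -
"""
WORKING = BROKEN.replace("#LOG", "LOG")  # NETin rule enabled again


def expand(field):
    """Expand a SOURCE/DEST column into zone names."""
    zone = field.split(":", 1)[0]  # drop any host or interface qualifier
    if zone == "$FW":
        return ["fw"]
    if zone == "all":
        return list(ZONES)
    return [zone]


def zone_pairs(rules_text):
    """Return every (source, dest) zone pair named by an active rule."""
    pairs = set()
    for raw in rules_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # commented rules contribute nothing
        if len(fields) < 3:
            continue
        for src in expand(fields[1]):
            for dst in expand(fields[2]):
                if src != dst:  # intra-zone pairs are ignored in this model
                    pairs.add((src, dst))
    return pairs


def chain_names(rules_text):
    """Chain names in the src2dst style used in the reply (net2fw)."""
    return sorted(f"{s}2{d}" for s, d in zone_pairs(rules_text))


def one_way(rules_text):
    """Chains whose reverse direction is not named by any rule."""
    pairs = zone_pairs(rules_text)
    return sorted(f"{s}2{d}" for s, d in pairs if (d, s) not in pairs)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("working", WORKING)):
        print(label, chain_names(text), "one-way:", one_way(text))
```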
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
