Scorpy wrote:
>> Did you compress the attachment? The list has a maximum attachment size.
> 
> Yes I did (ZIP format - 32KB).
> I also checked and my hw router supports NAT-T which is enabled.
> 
> 
>> That's very shaky logic. Have you LOOKED at the traffic with a traffic
>> sniffer like tcpdump or Wireshark?
> 
> Yes. I used tcpdump.
> 
> 
>> Once more -- the packet that is getting blocked is coming from your
>> internal network and it is addressed to your firewall!!!
> 
>> So if your external and internal interfaces aren't bridged then the
>> packet must be coming from the Zyxel in your local network.
> 
>> Try this test:
> 
>> a) from your Shorewall box, ping 192.168.1.180 (The Zyxel).
>> b) type "arp -na".
> 
>> Is 00:40:f4:b2:94:96 the MAC address associated with 192.168.1.180 in
>> the output from 'arp'?
> 
> No. I get a different MAC. (00:19:CB:2C:DF:87)

Sorry -- I picked the wrong field out of the MAC address in the
'Shorewall' message.

Here's from the message:

IN=eth0 OUT= MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00

The incoming interface is eth0. There is no outgoing interface, which
means that the packet is addressed to the Shorewall box.

The link layer address of the recipient is 00:40:f4:b2:94:96 which I
assume is the MAC address of eth0. 00:19:cb:2c:df:87 is the MAC address
of the sender (the ZyXEL). 08:00 is the ethernet frame type (IPv4).

> So the MAC mentioned above must be from the hw router on the other side.
> 

No. The ZyXEL behind your firewall is sending the packet that is getting
rejected!

The Shorewall-generated ruleset is rejecting the packet because the only
connections that you allow from the local net to the firewall are ping
and SSH (I just got the 'status' output).

I don't know why your interior router is sending that packet. I can only
guess that the two IPSEC endpoints are failing to recognize that NAT is
taking place (is the router at the other end configured for NAT-T?) so
they negotiate an SA without it. Once an SA is negotiated, ISAKMP (UDP
500) packets can be sent through the encrypted tunnel if the SA involves
both endpoints. When your internal router gets the first of these (which
has not undergone DNAT) it of course doesn't recognize that the packet
is really meant for it so it does what routers do -- it forwards the
packet to its default gateway (your firewall).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Attachment: signature.asc
Description: OpenPGP digital signature
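The MAC= field that Tom decodes above (destination MAC, source MAC, then the ethertype) and the arp comparison he asks for are easy to get wrong by hand. The following is an added example, not code from the thread or from the Shorewall project: it splits the MAC= field of a netfilter/Shorewall log line and joins the frame's source MAC against `arp -na` output, so the host that actually handed the packet to the firewall on the local segment is identified even when the IP-layer SRC is a remote address (as Tom's NAT-T theory would predict). The IN/OUT/MAC values in the sample line are the ones quoted in the thread; the log prefix, the IP-layer fields (203.0.113.5 as the remote IPsec peer, 198.51.100.7 as the firewall's public address) and the arp output are constructed for illustration.

```python
import re

# Ethertype values as they appear (two colon-separated octets) at the end of the MAC= field.
ETHERTYPES = {"08:00": "IPv4", "08:06": "ARP", "86:dd": "IPv6"}

# Constructed sample log line: IN/OUT/MAC are quoted from the thread, everything else is
# made up for illustration (203.0.113.5 = remote IPsec peer, 198.51.100.7 = firewall public IP).
SAMPLE_LOG = (
    "Shorewall:loc2fw:REJECT:IN=eth0 OUT= "
    "MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.7 LEN=200 TTL=63 PROTO=UDP SPT=500 DPT=500"
)

# Constructed `arp -na` output from the firewall; the first entry uses the MAC the poster
# reported for the ZyXEL at 192.168.1.180.
SAMPLE_ARP = """? (192.168.1.180) at 00:19:cb:2c:df:87 [ether] on eth0
? (192.168.1.25) at 00:1c:42:aa:bb:cc [ether] on eth0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ARP_RE = re.compile(r"\((\d+(?:\.\d+){3})\) at ([0-9a-fA-F:]{17})")


def parse_netfilter_fields(line):
    """Return the KEY=VALUE tokens of a netfilter log line as a dict ('OUT=' maps to '')."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def split_mac_field(mac_field):
    """Split the 14-octet MAC= value into (destination MAC, source MAC, ethertype).

    netfilter logs the first 14 bytes of the Ethernet header: 6 bytes destination,
    6 bytes source, 2 bytes ethertype. 802.1Q-tagged frames are longer and are
    rejected here rather than misparsed.
    """
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field length {len(octets)}: {mac_field}")
    return ":".join(octets[:6]), ":".join(octets[6:12]), ":".join(octets[12:])


def parse_arp_table(arp_output):
    """Map MAC address -> IPv4 address from `arp -na` output."""
    return {mac.lower(): ip for ip, mac in ARP_RE.findall(arp_output)}


def explain_rejected_packet(log_line, arp_output):
    """Decode where a rejected packet came from at the link layer and at the IP layer."""
    fields = parse_netfilter_fields(log_line)
    dst_mac, src_mac, ethertype = split_mac_field(fields["MAC"])
    arp = parse_arp_table(arp_output)
    return {
        "in_iface": fields.get("IN", ""),
        # An empty OUT= means the packet was destined for the firewall itself (INPUT path).
        "addressed_to_firewall": fields.get("OUT", "") == "",
        "firewall_mac": dst_mac,
        "last_hop_mac": src_mac,
        # The device that put the frame on the local segment; None if not in the ARP cache.
        "last_hop_ip": arp.get(src_mac),
        "ethertype": ETHERTYPES.get(ethertype, ethertype),
        "ip_src": fields.get("SRC"),
        "ip_dst": fields.get("DST"),
    }


if __name__ == "__main__":
    for key, value in explain_rejected_packet(SAMPLE_LOG, SAMPLE_ARP).items():
        print(f"{key:22} {value}")
```

Run against the sample data the report shows a packet with a remote IP source that nevertheless entered on eth0 from the ZyXEL's MAC, which is the situation Tom describes: the link-layer source tells you the last hop on your own segment, whatever the IP header claims.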

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
