hey, that helped a lot,
I set IMPLICIT_CONTINUE=No and then ran the connection tests again...
voila, everything made more sense
I now log vpn(tap0) -> $FW instead of the nonsensical lan(br0) -> $FW
Furthermore, the outgoing vpn paths now are actually separate:
$FW -> lan(br0)          only for: (vpn server -> vpn client)
----or----
phys(eth0) -> vpn(tap0)  only for: (lan -> vpn client)
Blocking one no longer blocks the other.
I have never recorded $FW -> vpn(tap0). I do get $FW -> lan(br0), but
that is outgoing, i.e. in actuality $FW -> phys(eth0).
Nonetheless it's good to know that DNS queries are only one-way.
I also find it interesting that network broadcasts travel on both
possible bridge-port pathways:
phys(eth0) -> $FW
phys(eth0) -> vpn(tap0)
Out of curiosity, is it normal for a Windows computer to be
continuously sending out UDP broadcasts of this form?
MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:a4:2f:7a:08:00 SRC=192.168.1.2
DST=192.168.1.255 LEN=99 TOS=0x00 PREC=0x00 TTL=128 ID=13583 PROTO=UDP
SPT=62994 DPT=5353 LEN=79
Is it DNS or some-such?
thanks for your guidance,
orbisvicis
Also, just for the record, I actually am serious about using Shorewall.
It is just that even though Shorewall/netfilter *does* run correctly,
I want to know why and how.
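One way to make sense of log lines like the one quoted in the message above: an added example, not code from the thread or from Shorewall, that parses the KEY=VALUE fields of a netfilter LOG line, splits the 14-byte MAC= field into destination MAC, source MAC and EtherType, flags an all-ff destination as a link-layer broadcast, and labels the UDP destination port by its well-known assignment (5353 is Multicast DNS, 5355 is LLMNR, 137/138 are NetBIOS). The first sample line is the one from the message; the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Well-known UDP ports for the name-resolution and discovery traffic that
# LAN hosts commonly send to the whole segment.
UDP_SERVICES = {
    53: "DNS",
    137: "NetBIOS-NS",
    138: "NetBIOS-DGM",
    1900: "SSDP",
    5353: "mDNS",
    5355: "LLMNR",
}

# Constructed sample input. The first line is the broadcast quoted in the
# message; the other two are made up to show contrasting cases.
SAMPLE_LOG = [
    "MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:a4:2f:7a:08:00 SRC=192.168.1.2 "
    "DST=192.168.1.255 LEN=99 TOS=0x00 PREC=0x00 TTL=128 ID=13583 PROTO=UDP "
    "SPT=62994 DPT=5353 LEN=79",
    # constructed: ordinary unicast DNS query to the gateway resolver
    "IN=br0 OUT= MAC=00:11:22:33:44:55:00:1d:7d:a4:2f:7a:08:00 SRC=192.168.1.2 "
    "DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP "
    "SPT=50012 DPT=53 LEN=40",
    # constructed: NetBIOS name-service broadcast
    "IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:7d:a4:2f:7a:08:00 SRC=192.168.1.2 "
    "DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=8 PROTO=UDP "
    "SPT=137 DPT=137 LEN=58",
]


@dataclass
class NetfilterEntry:
    dst_mac: str
    src_mac: str
    ethertype: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    ip_len: int


def parse_log_line(line: str) -> NetfilterEntry:
    """Parse the KEY=VALUE fields of a netfilter LOG-target line.

    MAC= packs destination MAC, source MAC and EtherType as 14 colon-separated
    bytes. LEN= appears twice (IP total length, then UDP length); only the
    first occurrence is kept.
    """
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)  # keep the first LEN=, drop the second
    mac_bytes = fields["MAC"].split(":")
    if len(mac_bytes) != 14:
        raise ValueError(f"unexpected MAC field: {fields['MAC']}")

    def port(key: str) -> Optional[int]:
        return int(fields[key]) if key in fields else None

    return NetfilterEntry(
        dst_mac=":".join(mac_bytes[0:6]),
        src_mac=":".join(mac_bytes[6:12]),
        ethertype=":".join(mac_bytes[12:14]),
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", "?"),
        spt=port("SPT"),
        dpt=port("DPT"),
        ip_len=int(fields["LEN"]),
    )


def classify(entry: NetfilterEntry) -> str:
    """Label an entry as broadcast/unicast plus the service its UDP port implies."""
    scope = "broadcast" if entry.dst_mac == BROADCAST_MAC else "unicast"
    if entry.proto != "UDP":
        return f"{scope} {entry.proto}"
    service = UDP_SERVICES.get(entry.dpt, f"udp/{entry.dpt}")
    return f"{scope} {service}"


def summarize(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, label) for every line that carries a MAC= field."""
    results = []
    for line in lines:
        if "MAC=" not in line:
            continue
        entry = parse_log_line(line)
        results.append((entry.src, entry.dst, classify(entry)))
    return results


if __name__ == "__main__":
    for src, dst, label in summarize(SAMPLE_LOG):
        print(f"{src} -> {dst}: {label}")
```

The port label is only a hint about what the sender is doing: mDNS is normally addressed to the multicast group 224.0.0.251, so a packet sent to the subnet broadcast address on port 5353 is worth confirming with a packet capture before a rule is written to allow or drop it.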
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users