Tom Eastep wrote:
> Keith Mitchell wrote:
>
>> Sorry. That should read "Office A Firewall Host" and "Office B Firewall
>> Host"
>
>> If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
>> the Office A Firewall Host (source IP 10.253.0.1), I get no return and
>> nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.
>
> You are marking all traffic originating on either firewall with mark
> value 0x200.
>
> From your rules:
>
> 10001: from all fwmark 0x200 lookup SKY
>
> And:
>
> Table SKY:
>
> 66.146.173.97 dev eth2 scope link src 66.146.173.98
> default via 66.146.173.97 dev eth2 src 66.146.173.98
>
> Now:
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target   prot opt in  out   source     destination
>  198K  42M  eth2_out all  --  *   eth2  0.0.0.0/0  0.0.0.0/0
>
> You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:
>
> Chain eth2_out (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>  196K  42M  fw2net  all  --  *   *    0.0.0.0/0  0.0.0.0/0  policy match dir out pol none
>
> Which accepts ping.
>
> But now:
>
> Nat Table:
>
> Chain eth2_masq (1 references)
>  pkts  bytes target prot opt in  out  source     destination
>  32532 2407K SNAT   all  --  *   *    0.0.0.0/0  0.0.0.0/0  policy match dir out pol none to:66.146.173.98
>
> So these pings will be sent with source 66.146.173.98. There is no
> IPSEC SP for 66.146.173.98->10.254.0.*
>
> On the other end:

Sorry -- I was somehow thinking you were pinging a host in the Office B local net. But that doesn't matter, I don't believe, since you are sending packets over the internet with an RFC 1918 destination IP address.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
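The chain of decisions Tom walks through (fwmark rule selects table SKY, default route out eth2, no IPsec SP covers the flow so "policy match dir out pol none" fires, SNAT rewrites the source, and the RFC 1918 destination then goes out over the internet in the clear) can be modelled in a few lines. The following Python is an added example written for this post; it is not Shorewall code and not something from the thread. The SKY table, fwmark rule and SNAT target are the values quoted in the message; the "main" table, the list of internet-facing interfaces, and the SP passed in the second scenario (an SP covering 10.253.0.0/24 -> 10.254.0.0/24, which the thread only implies is missing) are assumptions made for illustration.

```python
"""Model of policy routing + xfrm policy match + SNAT for a locally
generated packet, following the reasoning in the Shorewall thread.
Added example; tables are constructed from the values quoted in the
message plus a few labelled assumptions."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ip rule quoted in the message: "10001: from all fwmark 0x200 lookup SKY".
# Unmarked traffic falls through to the main table.
FWMARK_RULES = {0x200: "SKY"}

# Routing tables as (prefix, device, preferred source).
# SKY is quoted verbatim; "main" is an assumption for the unmarked case.
ROUTE_TABLES = {
    "SKY": [
        (ip_network("66.146.173.97/32"), "eth2", "66.146.173.98"),
        (ip_network("0.0.0.0/0"), "eth2", "66.146.173.98"),
    ],
    "main": [
        (ip_network("10.253.0.0/24"), "eth1", "10.253.0.1"),
        (ip_network("0.0.0.0/0"), "eth2", "66.146.173.98"),
    ],
}

# nat/eth2_masq: "SNAT ... policy match dir out pol none to:66.146.173.98"
SNAT_TO = {"eth2": "66.146.173.98"}
# Assumption: eth2 is the only interface that reaches the public internet.
INTERNET_IFACES = {"eth2"}


def route(dst, mark):
    """Longest-prefix lookup in the table chosen by the fwmark rule."""
    table = FWMARK_RULES.get(mark, "main")
    for prefix, dev, src in sorted(ROUTE_TABLES[table], key=lambda r: -r[0].prefixlen):
        if dst in prefix:
            return table, dev, src
    raise LookupError(f"no route to {dst} in table {table}")


def ipsec_policy(src, dst, sps):
    """Return 'ipsec' if an outbound SP covers src->dst, else 'none'.

    sps is an iterable of (src_prefix, dst_prefix) strings, i.e. the
    selector of an xfrm policy with dir out."""
    for s, d in sps:
        if src in ip_network(s) and dst in ip_network(d):
            return "ipsec"
    return "none"


def trace(src, dst, mark=0, sps=()):
    """Follow one packet: routing table, egress device, policy match,
    post-NAT source, and whether an RFC 1918 destination leaves the
    internet-facing interface without an SP (the failure in the thread)."""
    src, dst = ip_address(src), ip_address(dst)
    table, dev, _ = route(dst, mark)
    pol = ipsec_policy(src, dst, sps)
    out_src = src
    if dev in SNAT_TO and pol == "none":
        # "policy match dir out pol none" matched, so the SNAT rule fires
        out_src = ip_address(SNAT_TO[dev])
        # Re-check with the rewritten source, as Tom does in the message
        pol = ipsec_policy(out_src, dst, sps)
    leak = (dev in INTERNET_IFACES and pol == "none"
            and any(dst in n for n in RFC1918))
    return {"table": table, "dev": dev, "src": str(out_src),
            "policy": pol, "rfc1918_leak": leak}


if __name__ == "__main__":
    # The failing ping from the thread: marked 0x200, no SP installed.
    print(trace("10.253.0.1", "10.254.0.7", mark=0x200))
    # Same packet once an SP covering the two office subnets exists (assumed).
    print(trace("10.253.0.1", "10.254.0.7", mark=0x200,
                sps=[("10.253.0.0/24", "10.254.0.0/24")]))
    # The ping that works: local subnet, main table, eth1, no NAT.
    print(trace("10.253.0.1", "10.253.0.254"))
```

Running it shows the first packet leaving eth2 with source 66.146.173.98, policy "none" and the leak flag set, which is exactly the symptom of an RFC 1918 destination being sent onto the internet; with an SP present the "pol none" match fails, SNAT does not apply, and the packet keeps its 10.253.0.1 source for the tunnel. The third call reproduces the local ping that did get a reply.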