Tom Eastep wrote:
Tom Eastep wrote:
Keith Mitchell wrote:

Sorry.  That should read "Office A Firewall Host" and "Office B Firewall
Host"
If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
the Office A Firewall Host (source IP 10.253.0.1), I get no return and
nothing in the syslogs.  A ping -I eth1 10.253.0.254 gets a return.
You are marking all traffic originating on either firewall with mark
value 0x200.

From your rules:

        10001:  from all fwmark 0x200 lookup SKY

And:

        Table SKY:

        66.146.173.97 dev eth2  scope link  src 66.146.173.98
        default via 66.146.173.97 dev eth2  src 66.146.173.98

Now:

        Chain OUTPUT (policy DROP 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination
         198K   42M eth2_out   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:

        Chain eth2_out (1 references)
         pkts bytes target     prot opt in     out     source               destination
         196K   42M fw2net     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

Which accepts ping.

But now:

Nat Table:

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
32532 2407K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none to:66.146.173.98

So these pings will be sent with source 66.146.173.98.

There is no IPSEC SP for 66.146.173.98->10.254.0.*

On the other end:

Sorry -- I was somehow thinking you were pinging a host in the Office B
local net. But that doesn't matter, I don't believe, since you are
sending packets over the internet with an RFC 1918 destination IP address.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
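The decision chain Tom walks through above (rule 10001 -> table SKY -> eth2_out with "pol none" -> eth2_masq SNAT), as an added Python model of that path; it is not code from the thread or from Shorewall. The main-table route to 10.254.0.0/24 via eth1 and the SPD entry used for the "after the fix" case are assumptions, since the thread does not show either.

```python
import ipaddress

# Constructed model of the configuration quoted in the thread.
# Route rules: (priority, fwmark selector or None for "all", table); first match wins.
ROUTE_RULES = [(10001, 0x200, "SKY"), (32766, None, "main")]
# Route tables: (prefix, device, preferred source) as in the "ip route show table" output.
TABLES = {
    "SKY":  [("66.146.173.97/32", "eth2", "66.146.173.98"),
             ("0.0.0.0/0",        "eth2", "66.146.173.98")],
    # ASSUMED main table: the tunnel LAN reached via eth1 (not shown on the page).
    "main": [("10.254.0.0/24", "eth1", "10.253.0.1"),
             ("0.0.0.0/0",     "eth2", "66.146.173.98")],
}
SNAT_TO = "66.146.173.98"   # eth2_masq: SNAT applies only to packets with no IPsec SP


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns (device, preferred src)."""
    best = None
    for prefix, dev, src in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return best[1], best[2]


def has_sp(spd, src, dst):
    """True if any SPD entry (src prefix, dst prefix) covers this flow."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in spd)


def trace(src, dst, fwmark, rules, spd):
    """Follow a locally generated packet: route rules -> table -> SPD -> eth2_masq.
    Returns (egress device, source address on the wire, protected by IPsec?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    table = next(t for _, mark, t in sorted(rules) if mark in (None, fwmark))
    dev, _ = lookup(table, dst)
    if has_sp(spd, src, dst):
        return dev, str(src), True            # matched an SP: encrypted, not masqueraded
    if dev == "eth2":
        src = ipaddress.ip_address(SNAT_TO)   # "pol none" on eth2 -> SNAT to the public IP
    return dev, str(src), False


if __name__ == "__main__":
    # Keith's situation: firewall-originated traffic carries mark 0x200 (512 in tcrules).
    print(trace("10.253.0.1", "10.254.0.5", 0x200, ROUTE_RULES, []))
    # After dropping the mark rule and adding an assumed SP for the two LANs.
    print(trace("10.253.0.1", "10.254.0.5", 0,
                [(32766, None, "main")], [("10.253.0.0/24", "10.254.0.0/24")]))
```

The first call reproduces the symptom from the thread: the ping leaves eth2 with source 66.146.173.98, unprotected, toward an RFC 1918 destination; the second shows the packet staying on the intended path once the mark rule is gone and an SP covers the flow.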
I think I get it. So for starters, I need to take the firewall rules out of the tcrules and route_rules files to make sure the firewall(s) can direct traffic appropriately.

(remove the LO lines from the route_rules and / or the "512 $FW" lines from the tcrules).

I'm assuming that should clear up the routing issue also, and then I just have to set up a policy or ruleset to allow the tlan (10.253.0.0) to ping into the private net(s) if desired; otherwise the NAT will be working, so packets should flow correctly.

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
