(Sorry if I've sent this message twice; I wasn't subscribed to the mailing list
prior to the first one.)
Hi All,

I am using shorewall 4.4.26.1 with pptp server.

As you probably know, the pptp server creates a separate pppX interface per
client connection.
I am able to establish client connections to the server, but the problem is that
I can't get routing between pptp clients to work.

Example:
I've connected two PCs with assigned IPs 10.0.0.2 and 10.0.0.3.
When I try to ping one client from the other, I get the following
messages:
Aug 27 20:39:42 gserver kernel: [27639.468208] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=1
Aug 27 20:39:43 gserver kernel: [27640.469536] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=2
Aug 27 20:39:44 gserver kernel: [27641.470040] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=3
Aug 27 20:39:45 gserver kernel: [27642.470050] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=4

When I change the all-to-all policy from the default "all all REJECT" to "all
all ACCEPT", the problem disappears, but I don't think that allowing all-to-all
traffic is a good idea.
From what I understand, somehow my pptp network isn't mapped to the vpn zone in
the case where both source and destination are pppX interfaces.
(My goal is to have the pptp clients fully separated from the local network, but I
need routing between them.)


Shorewall configuration:
/etc/shorewall/interfaces:
loc     eth0        detect      tcpflags,routefilter
net     eth1        detect      tcpflags,dhcp,routefilter
vpn     ppp+

/etc/shorewall/zones:
fw      firewall
loc     ipv4
net     ipv4
vpn     ipv4

/etc/shorewall/tunnels:
pptpserver   loc    0.0.0.0/0
(Ultimately I would like to use the pptp server from the physical "loc" and "net"
zones simultaneously, but for testing I am initiating pptp client
connections from the "loc" zone. Anyway, it seems it doesn't matter which
zone I define here; I defined "net" here and was still able to
establish a connection from "loc".)

/etc/shorewall/policy:
$FW       loc    ACCEPT
$FW       net    ACCEPT
$FW       vpn    ACCEPT
$FW       all    REJECT   info
loc       $FW    ACCEPT
loc       net    ACCEPT
loc       vpn    REJECT   info
loc       all    REJECT   info
net       $FW    DROP
net       loc    DROP
net       vpn    DROP
net       all    DROP
vpn       $FW    ACCEPT
vpn       loc    REJECT   info
vpn       net    ACCEPT
vpn       all    REJECT   info
# THE FOLLOWING POLICY MUST BE LAST
all       all   REJECT    info


pptpd configuration:
logwtmp
localip 10.0.0.1
remoteip 10.0.0.2-254

My network setup is as follows:
eth0 - local network 192.168.0.0/255.255.255.0
eth1 - internet provider, dhcp
Shorewall dump is attached (dump was taken right after unsuccessful ping
attempts between clients).
(To configure pptp I used the http://www.shorewall.net/PPTP.htm howto; from
what I see, it hasn't been maintained for a long time, but everything
works except for the issue mentioned.)

Please let me know what I am doing wrong. I have spent a lot of time
trying to resolve my problem, but can't find appropriate info anywhere on
the net; it seems that the only source of information for pptp+shorewall is
the unmaintained pptp howto, and other sources just use the configuration from there.

-- 
Best Regards,
Hennadiy Brych

Attachment: status.txt.bz2
Description: BZip2 compressed data
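As an added illustration that is not part of this thread, the following Python script parses Shorewall's kernel log lines (two of the ones quoted above, embedded here as sample input) and resolves the IN/OUT interfaces to zones using the wildcard rule of the posted /etc/shorewall/interfaces table (a trailing + matches any interface with that prefix), so each reject can be read as a zone pair rather than a pair of interface names. It does not model Shorewall's policy evaluation; which policy line wins for intra-zone traffic is decided by Shorewall itself.

```python
import re
from collections import Counter

# Sample input: two of the log lines quoted in the message above.
LOG_LINES = [
    "Aug 27 20:39:42 gserver kernel: [27639.468208] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=1",
    "Aug 27 20:39:43 gserver kernel: [27640.469536] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=2",
]

# (zone, interface) pairs as posted in /etc/shorewall/interfaces.
INTERFACES = [("loc", "eth0"), ("net", "eth1"), ("vpn", "ppp+")]

# Shorewall logs as "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return chain, disposition and netfilter fields, or None if not a Shorewall log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec.setdefault(key, val)  # keep the first ID= (IP header), not ICMP's second ID=
    return rec


def zone_for(iface, table=INTERFACES):
    """Map an interface to its zone; a trailing '+' is a prefix wildcard, as in iptables."""
    for zone, pattern in table:
        if pattern.endswith("+") and iface.startswith(pattern[:-1]):
            return zone
        if iface == pattern:
            return zone
    return None  # interface not listed in any zone


def summarize(lines):
    """Count REJECTs per (in_zone, out_zone, in_iface, out_iface, src, dst, proto)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "REJECT":
            continue
        key = (zone_for(rec["IN"]), zone_for(rec["OUT"]), rec["IN"], rec["OUT"],
               rec["SRC"], rec["DST"], rec["PROTO"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(LOG_LINES).items():
        print(n, key)  # e.g. 2 ('vpn', 'vpn', 'ppp0', 'ppp1', '10.0.0.2', '10.0.0.3', 'ICMP')
```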

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users