Arrg, sorry:

#ZONE   TYPE    OPTIONS    IN    OUT
sfn     ipsec

Bill

On 11/28/2016 8:07 AM, Bill Shirley wrote:
> Try type ipsec in your zones file:
> #ZONE   TYPE    OPTIONS    IN    OUT
> sfn     ipv4
>
> It generates:
> 0 0 fw-sfn all -- * * 0.0.0.0/0 192.168.4.0/24 policy match dir out pol ipsec
>
> Bill
>
>
> On 11/28/2016 4:38 AM, John Depp wrote:
>> Hello everyone!
>> I'm using Debian, Shorewall and Strongswan on my Linux routers.
>> It seems Shorewall doesn't allow input of ESP packets, formed by ipsec
>> initiated by Strongswan.
>>
>> I have the following line in tunnels:
>>
>> #TYPE   ZONE   GATEWAY        GATEWAY_ZONE
>> ipsec   net    xx.xx.xx.51
>>
>> it compiles to the following iptables rules:
>>
>> ...
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target   prot opt in    out  source       destination
>>   107 28045 eth0_in  all  --  eth0  *    0.0.0.0/0    0.0.0.0/0
>> ...
>> Chain eth0_in (1 references)
>>  pkts bytes target   prot opt in    out  source       destination
>> ...
>>   101 27583 net-fw   all  --  *     *    0.0.0.0/0    0.0.0.0/0    policy match dir in pol none
>> ...
>> Chain net-fw (1 references)
>>  pkts bytes target   prot opt in    out  source       destination
>>    12  2213 ACCEPT   all  --  *     *    0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
>>     0     0 ACCEPT   esp  --  *     *    xx.xx.xx.51  0.0.0.0/0
>>     0     0 ACCEPT   udp  --  *     *    xx.xx.xx.51  0.0.0.0/0    udp dpt:500 ctstate NEW,UNTRACKED
>>
>> And the packets never hit the net-fw chain, rejected by policy:
>> Nov 28 12:24:47 gw kernel: [9640691.231945] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=00: SRC=xx.xx.xx.51 DST=<router> LEN=86 TOS=0x00 PREC=0x00 TTL=62 ID=61247 PROTO=4
>>
>> In case I use the "leftfirewall=yes" option in the Strongswan config, which
>> inserts its native iptables rules, it inserts the following:
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target   prot opt in    out  source       destination
>> ...
>>     0     0 ACCEPT   4    --  eth0  *    xx.xx.xx.51  <router>     policy match dir in pol ipsec reqid 2 proto 50
>>
>> So I assume there should be no "policy match dir in pol none" option in
>> the eth0_in chain to correctly process ipsec packets.
>> Similarly, if I add some rules like
>> ACCEPT net:xx.xx.xx.0/16 $FW ah
>> ACCEPT net:xx.xx.xx.0/16 $FW esp
>> packets never hit those rules either, as they are compiled into the net-fw chain.
>>
>> So, is there any option to turn off the "policy match dir in pol none" option in
>> the eth0_in chain, or am I completely mistaken about the issue?
>>
>> Thanks in advance!

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
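A small audit script, added here as an example (not from the thread, from Shorewall or from Strongswan), that parses an `iptables -L -v -n` style listing and reports which targets a packet with xfrm policy `none` (cleartext) or `ipsec` (decrypted ESP payload) can reach in each chain. The listing is a constructed sample modelled on the one quoted above, with the xx.xx.xx.51 peer replaced by the documentation address 203.0.113.51 and a hypothetical `sfn_in` chain standing in for what an ipsec-type zone produces.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the listing in the thread above; the peer
# xx.xx.xx.51 is replaced by the documentation address 203.0.113.51.
SAMPLE = """\
Chain eth0_in (1 references)
 pkts bytes target  prot opt in  out  source        destination
  101 27583 net-fw  all  --  *   *    0.0.0.0/0     0.0.0.0/0    policy match dir in pol none
Chain net-fw (1 references)
 pkts bytes target  prot opt in  out  source        destination
   12  2213 ACCEPT  all  --  *   *    0.0.0.0/0     0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 ACCEPT  esp  --  *   *    203.0.113.51  0.0.0.0/0
Chain sfn_in (1 references)
 pkts bytes target  prot opt in  out  source        destination
    0     0 sfn-fw  all  --  *   *    0.0.0.0/0     0.0.0.0/0    policy match dir in pol ipsec
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
POL_RE = re.compile(r"policy match dir (in|out) pol (none|ipsec)")


def parse_rules(listing):
    """Map each chain to its rules as (target, pol), where pol is 'none',
    'ipsec', or None when the rule carries no xfrm policy match."""
    chains = defaultdict(list)
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current]  # register the chain even if it has no rules
            continue
        fields = line.split()
        if current is None or len(fields) < 3 or fields[0] == "pkts":
            continue  # column header or blank line
        pol = POL_RE.search(line)
        chains[current].append((fields[2], pol.group(2) if pol else None))
    return dict(chains)


def reachable_targets(listing, pol):
    """Targets a packet with xfrm policy `pol` can reach in each chain.
    A rule without a policy match applies to both kinds of packet; a
    `pol none` match excludes decrypted IPsec traffic, which then falls
    through to the chain's policy (the REJECT seen in the log above)."""
    return {chain: [t for t, p in rules if p is None or p == pol]
            for chain, rules in parse_rules(listing).items()}
```

Run `reachable_targets(open("listing.txt").read(), "ipsec")` on a saved listing from your own router to see which interface chains hand decrypted traffic on and which drop it on the floor.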