Hi, I'm attaching two shorewall dumps:
1) swdump_fw1 was taken from a shorewall firewall/router from which I tried to
ping 8.8.8.8 ($FW IP addr. 10.215.144.91/172.16.0.1)
2) swdump_fw2 was taken from another shorewall firewall/router acting as a
gateway to ISPs, through which the ICMP traffic should have gone out and back in
($FW IP addr. 10.215.144.92)
The shorewall firewall in "fw1" has not been touched in any way as it is in
production. Pings et al. were OK when I was using another Shorewall system for
"fw2". I started having issues when replacing "fw2", so obviously there must be
a mistake there.
The failing traffic during the dump was:
ping from 10.215.144.91 in fw1 (which is in "loc" zone for "fw2") to 8.8.8.8
(which is in any of net{1,2,3,4} zones in "fw2")
A tcpdump on the "loc" interface in "fw2" shows ICMP traffic coming from "fw1"
but only one-way.
Just in case you're wondering, placing back the "old fw2" shorewall firewall
makes the pings flow again (i.e., there's no apparent problem accessing the
internet providers). I'd also like to point out that the "new fw2" was using
identical "providers" settings as the "old fw2", except for the fact that I
removed the routefilter option as I had USE_DEFAULT_RT=Yes in shorewall.conf.
BTW if I set the routefilter option on a provider's interface in "interfaces",
and USE_DEFAULT_RT is Yes then "shorewall check" complains with an error.
However, "shorewall start" does not complain and is really started (status is
started). Is this expected?
Thanks,
Vieri
Attachments: dump_fw1.gz, dump_fw2.gz (application/gzip)
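The message above reports that "shorewall check" rejects a provider interface that still carries the routefilter option when USE_DEFAULT_RT=Yes, while "shorewall start" accepts the same configuration silently. The following is an added example, not code from the thread or from the Shorewall project: a small pre-flight lint that reads the three files involved (shorewall.conf, interfaces, providers) and reports exactly that combination, so an operator swapping in a replacement gateway can catch it before starting the firewall. The file contents embedded below are constructed to resemble the fw2 layout (four-column and "?FORMAT 2" interfaces syntax, a providers table with two ISP links); they are not the poster's real configuration, and the interface names, zone names and gateway addresses are placeholders. The real authority on what Shorewall accepts remains `shorewall check`.

```python
"""Pre-flight lint for the USE_DEFAULT_RT / routefilter conflict.

Added example, not Shorewall's own code. It flags every provider interface
whose 'interfaces' entry still has a non-zero routefilter option while
shorewall.conf sets USE_DEFAULT_RT=Yes, which is the combination the
thread says `shorewall check` reports as an error.
"""

# Constructed sample files (placeholders, NOT the poster's real configs).
SHOREWALL_CONF = """\
# excerpt of /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
USE_DEFAULT_RT=Yes
"""

INTERFACES = """\
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
loc     eth0        tcpflags,nosmurfs
net1    eth1        tcpflags,nosmurfs,routefilter
net2    eth2        tcpflags,nosmurfs,routefilter=0
"""

PROVIDERS = """\
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS  COPY
ISP1   1       0x1   main       eth1       203.0.113.1   track    eth0
ISP2   2       0x2   main       eth2       198.51.100.1  track    eth0
"""


def config_lines(text):
    """Yield non-empty lines with '#' comments stripped, as Shorewall does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_conf(text):
    """Return {KEY: value} for KEY=value lines in shorewall.conf (quotes removed)."""
    conf = {}
    for line in config_lines(text):
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_interfaces(text):
    """Return {interface: [option, ...]}.

    Supports the classic 4-column layout (ZONE INTERFACE BROADCAST OPTIONS)
    and the '?FORMAT 2' 3-column layout (ZONE INTERFACE OPTIONS). Options are
    split on commas only; parenthesised lists such as nets=(a,b) are not
    handled, which is fine for the options this lint looks at.
    """
    fmt = 1
    result = {}
    for line in config_lines(text):
        if line.upper().startswith("?FORMAT"):
            fmt = int(line.split()[1])
            continue
        cols = line.split()
        if len(cols) < 2:
            continue
        opts_idx = 2 if fmt >= 2 else 3
        opts = cols[opts_idx] if len(cols) > opts_idx else "-"
        result[cols[1]] = [] if opts == "-" else opts.split(",")
    return result


def parse_providers(text):
    """Return {provider_name: interface} from the providers table."""
    providers = {}
    for line in config_lines(text):
        cols = line.split()
        if len(cols) >= 5:
            providers[cols[0]] = cols[4]
    return providers


def has_routefilter(options):
    """True if 'routefilter' or 'routefilter=N' with N != 0 is among the options."""
    for opt in options:
        name, _, value = opt.partition("=")
        if name == "routefilter" and value != "0":
            return True
    return False


def find_conflicts(conf_text, interfaces_text, providers_text):
    """Return [(provider, interface)] mixing USE_DEFAULT_RT=Yes with routefilter."""
    conf = parse_conf(conf_text)
    if conf.get("USE_DEFAULT_RT", "No").lower() != "yes":
        return []
    iface_opts = parse_interfaces(interfaces_text)
    return [
        (name, iface)
        for name, iface in parse_providers(providers_text).items()
        if has_routefilter(iface_opts.get(iface, []))
    ]


if __name__ == "__main__":
    for provider, iface in find_conflicts(SHOREWALL_CONF, INTERFACES, PROVIDERS):
        print(f"{provider}: {iface} has routefilter but USE_DEFAULT_RT=Yes")
```

Run it against copies of the real files by replacing the three constants with the file contents; a non-empty result means the configuration is one that, per the message above, `shorewall check` would reject even though `shorewall start` may still bring the firewall up. The routefilter=0 form on eth2 is deliberately treated as clean, since an explicit zero disables the filter.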
Shorewall-users mailing list: [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
