From: Tom Eastep <[email protected]>

> Doesn't look to me as though any of those rules would match the pings
> that don't work. And there are packets being silently dropped because
> you have not specified any logging for your loc->net* policies.
I had these rules when I did that dump:
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24
net1:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24
net2:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24
net3:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24
net4:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:172.16.0.1 $FW all
ACCEPT loc:172.16.0.1 net1 all
ACCEPT loc:172.16.0.1 net2 all
ACCEPT loc:172.16.0.1 net3 all
If I take into consideration just the first failing ping (from host with IP
addr. 172.16.0.1), I was expecting it to work because of this in all loc-net*
chains:
ACCEPT all -- * * 172.16.0.1 0.0.0.0/0
In any case, in order to avoid confusion, and get more debugging information I
followed your suggestion:
# grep ^loc /SAMBA/gateway_extra/policy.FHM
loc net1 DROP info
loc net2 DROP info
loc net3 DROP info
loc net4 DROP info
loc dmz DROP info
loc $FW DROP info
loc all DROP info
I also added this rule at the very top of the rules file in order to make sure
I get a theoretical match:
ACCEPT:info loc:172.16.0.1,10.215.144.92,10.215.144.7
net1,net2,net3.net4 all
I restarted/reset shorewall, but the ping tests still fail. I'm unable to find
anything useful in /var/log.
I can still confirm that a tcpdump on the "loc" interface shows ICMP requests
coming in, but no replies.
I'm attaching another dump taken while performing a ping to 8.8.8.8 from two
hosts in the "loc" zone with IP addresses 172.16.0.1 and 10.215.144.7.
Note that I'm posting 2 consecutive messages to this list so I can get past the
message size limit. You just need to do this to get the full dump:
# cat xaa xab > swdump.gz
Finally, since I'm a bit desperate now... ;-) I'm also attaching a quick "diff"
of most of the shorewall config files between shorewall host "a" that's
"working OK" and shorewall host "b" that's failing.
Host a is running:
Linux 4.8.17-hardened-r2
shorewall version 5.0.15.6
Host b is running:
Linux 4.9.16-gentoo
shorewall version 5.1.4.4
shorewall.conf is mostly default, except for the LOG path and the dynamic
blacklist.
Vieri
Attachments: ab.diff.gz (application/gzip), xaa (binary data)
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
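The post above switches the loc->net* policies to DROP with "info" logging and then reports finding nothing useful in /var/log. The quickest way to tell "nothing is logged for this source" apart from "it is logged but buried" is to summarise the Shorewall log entries by source, chain and disposition. The script below is an added example, not code from the original thread or from the Shorewall project. It assumes the default LOGFORMAT ("Shorewall:%s:%s:", giving prefixes such as "Shorewall:loc-net1:DROP:"), and the log lines, interface names and addresses in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise Shorewall kernel log lines by
# source address, chain and disposition, so "is anything logged for 172.16.0.1?"
# becomes a single command. Assumes the default LOGFORMAT "Shorewall:%s:%s:".
# SAMPLE_LOG is a constructed sample; interface names and addresses are assumed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar 24 10:15:02 gw kernel: Shorewall:loc-net1:DROP:IN=eth1 OUT=eth0 SRC=172.16.0.1 DST=8.8.8.8 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 24 10:15:03 gw kernel: Shorewall:loc-net1:DROP:IN=eth1 OUT=eth0 SRC=172.16.0.1 DST=8.8.8.8 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar 24 10:15:04 gw kernel: Shorewall:loc-fw:ACCEPT:IN=eth1 OUT= SRC=10.215.144.7 DST=172.16.0.254 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Mar 24 10:15:05 gw kernel: Shorewall:loc-net2:DROP:IN=eth1 OUT=eth2 SRC=10.215.144.7 DST=8.8.8.8 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Mar 24 10:15:06 gw kernel: unrelated message without a Shorewall prefix
EOF

# shorewall_log_summary FILE [SRC]
# Prints one "SRC CHAIN DISPOSITION COUNT" line per combination seen in FILE,
# optionally restricted to a single source address.
shorewall_log_summary() {
    file=$1; want=${2:-}
    awk -v want="$want" '
        match($0, /Shorewall:[^:]+:[^:]+:/) {
            # strip the leading "Shorewall:" (10 chars) and trailing ":"
            tag = substr($0, RSTART + 10, RLENGTH - 11)   # e.g. "loc-net1:DROP"
            split(tag, t, ":")
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "" || (want != "" && src != want)) next
            n[src " " t[1] " " t[2]]++
        }
        END { for (k in n) print k, n[k] }
    ' "$file" | sort
}

# shorewall_log_count FILE SRC
# Total number of logged packets from SRC across all chains (0 if none).
shorewall_log_count() {
    shorewall_log_summary "$1" "$2" | awk '{ s += $4 } END { print s + 0 }'
}

# Example run: what happened to the host that cannot ping out?
shorewall_log_summary "$SAMPLE_LOG" 172.16.0.1
```

On a real gateway, point the function at the file named by the LOGFILE setting in shorewall.conf (or at the output of dmesg/journalctl -k). A count of 0 for a source that tcpdump shows arriving on the loc interface means the packet never reached a logging rule or policy, which points at routing, an earlier non-logging rule, or a different zone than expected rather than at the loc->net* policies.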
