On 07/04/2017 03:27 AM, Vieri Di Paola via Shorewall-users wrote:
> ________________________________
> From: Tom Eastep <[email protected]>
>>
>> Doesn't look to me as though any of those rules would match the pings
>> that don't work. And there are packets being silently dropped because
>> you have not specified any logging for your loc->net* policies.
>
> I had these rules when I did that dump:
>
> ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net1:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
> ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net2:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
> ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net3:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
> ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net4:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
>
> ACCEPT loc:172.16.0.1 $FW all
> ACCEPT loc:172.16.0.1 net1 all
> ACCEPT loc:172.16.0.1 net2 all
> ACCEPT loc:172.16.0.1 net3 all
>
> If I take into consideration just the first failing ping (from host with IP
> addr. 172.16.0.1), I was expecting it to work because of this in all loc-net*
> chains:
>
> ACCEPT all -- * * 172.16.0.1 0.0.0.0/0
>
> In any case, in order to avoid confusion, and get more debugging information
> I followed your suggestion:
>
> # grep ^loc /SAMBA/gateway_extra/policy.FHM
> loc net1 DROP info
> loc net2 DROP info
> loc net3 DROP info
> loc net4 DROP info
> loc dmz DROP info
> loc $FW DROP info
> loc all DROP info
>
> I also added this rule at the very top of the rules file in order to make
> sure I get a theoretical match:
>
> ACCEPT:info loc:172.16.0.1,10.215.144.92,10.215.144.7 net1,net2,net3.net4 all
>
> I restarted/reset shorewall, but the ping tests still fail. I'm unable to
> find anything useful in /var/log.
>
> I can still confirm that a tcpdump on the "loc" interface shows ICMP requests
> coming in, but no replies.
>
> I'm attaching another dump taken while performing a ping to 8.8.8.8 from two
> hosts in the "loc" zone with IP addresses 172.16.0.1 and 10.215.144.7.
> Note that I'm posting 2 consecutive messages to this list so I can pass the
> message size limit. You just need to do this to get the full dump:
> # cat xaa xab > swdump.gz
>
> Finally, since I'm a bit desperate now... ;-) I'm also attaching a quick
> "diff" of most of the shorewall config files between shorewall host "a"
> that's "working OK" and shorewall host "b" that's failing.
>
> Host a is running:
> Linux 4.8.17-hardened-r2
> shorewall version 5.0.15.6
>
> Host b is running:
> Linux 4.9.16-gentoo
> shorewall version 5.1.4.4
>
> shorewall.conf is mostly default, except for the LOG path and the dynamic
> blacklist.
>
Okay -- let's try this:

a) set LOG_BACKEND=LOG in shorewall.conf
b) shorewall reload
c) shorewall iptrace -s 172.16.0.1 -p icmp
d) Try the ping that fails from fw1
e) shorewall noiptrace -s 172.16.0.1 -p icmp
f) forward the part of the shorewall log that captures the time covered by this test

Note1: If the SOURCE IP of the ping packets that you see on the 'loc' interface is not 172.16.0.1, then change the [no]iptrace commands to use the correct address.

Note2: If you have made ANY configuration changes to fw2 since the last dump you sent, please send another dump.

Thanks,
-Tom

--
Tom Eastep         \ Q: What do you get when you cross a mobster with
Shoreline,          \    an international standard?
Washington, USA      \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
                       \_______________________________________________
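An added helper for step f), not part of this thread or of Shorewall itself: it pulls the netfilter TRACE hops for one source address out of the log, so only the part relevant to the iptrace test needs forwarding and the final chain/rule that dropped or accepted the ping is visible at a glance. It assumes that with LOG_BACKEND=LOG the kernel writes the standard `TRACE: table:chain:verdict:rulenum IN=... SRC=... PROTO=ICMP ...` lines; the sample log, chain names and rule numbers below are constructed.

```shell
#!/bin/sh
# Summarise the TRACE hops for one source address from a Shorewall/kernel log.
# Assumption: LOG_BACKEND=LOG makes the TRACE target log lines shaped like
# "TRACE: table:chain:verdict:rulenum IN=... SRC=... PROTO=ICMP ..." (standard
# nf_log format). Replace SAMPLE_LOG with the file shorewall.conf logs to.

# Constructed sample standing in for the output of
# "shorewall iptrace -s 172.16.0.1 -p icmp"; chains/rule numbers are placeholders.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul  4 10:00:01 fw2 kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=172.16.0.1 DST=8.8.8.8 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul  4 10:00:01 fw2 kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=172.16.0.1 DST=8.8.8.8 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul  4 10:00:01 fw2 kernel: TRACE: filter:FORWARD:rule:3 IN=eth0 OUT=eth1 SRC=172.16.0.1 DST=8.8.8.8 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul  4 10:00:01 fw2 kernel: TRACE: filter:loc-net1:rule:7 IN=eth0 OUT=eth1 SRC=172.16.0.1 DST=8.8.8.8 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul  4 10:00:01 fw2 kernel: TRACE: filter:loc-net1:rule:12 IN=eth0 OUT=eth1 SRC=172.16.0.1 DST=8.8.8.8 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul  4 10:00:01 fw2 kernel: TRACE: filter:FORWARD:rule:3 IN=eth0 OUT=eth1 SRC=172.16.0.1 DST=8.8.8.8 TTL=63 PROTO=TCP SPT=40000 DPT=443
Jul  4 10:00:02 fw2 kernel: TRACE: filter:FORWARD:rule:3 IN=eth0 OUT=eth1 SRC=10.215.144.7 DST=8.8.8.8 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=99 SEQ=1
EOF

# trace_path LOGFILE SRC_IP
# Prints one "table:chain:verdict:rulenum" per hop, in log order, for ICMP
# packets from SRC_IP. The last line is the chain/rule that made the final
# decision, which is what to compare against "shorewall show <chain>".
trace_path() {
    grep 'TRACE:' "$1" | grep "SRC=$2 " | grep 'PROTO=ICMP' \
        | sed -n 's/.*TRACE: \([^ ]*\).*/\1/p'
}

# last_hop LOGFILE SRC_IP: only the final chain/rule for that source.
last_hop() {
    trace_path "$1" "$2" | tail -n 1
}

# Stand-alone use: the path taken by pings from the address in the thread.
trace_path "$SAMPLE_LOG" 172.16.0.1
```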
