On 12/23/2017 4:52 PM, Colony.three via Shorewall-users wrote:
> I don't understand this:
>
> [184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
> [189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
> [189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
>
> ... when policy has:
>
> $FW     all     REJECT  info(uid)
> net     all     DROP    info(uid)
> vpn     all     DROP    info(uid)
> #local  all     REJECT  info(uid)
> all     all     REJECT  info(uid)
>
> ... and rules has:
>
> # VPN
> ACCEPT  vpn  $FW  udp  500,ipsec-nat-t  -
> ACCEPT  net  $FW  udp  500,ipsec-nat-t  -
>
> In interfaces I only have:
>
> -    lo    ignore
> net  eth0  tcpflags,nosmurfs,sourceroute=0
>
> ... with no vpn. Could this be the problem?
>
> And I don't understand why it is that in rules when I specify the port as isakmp (rather than 500), it gets blocked? Same reason, whatever it is?
Well, the dropped packets are destined from the 'net' zone to the 'fw' zone, so they should have been accepted by your second ACCEPT rule above. But as http://www.shorewall.org/support.htm#guidelines describes, and as I have repeated hundreds of times on this list, when you have a connection problem I want to see the output of 'shorewall dump' collected as described in that article, together with the other information listed in that article.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
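The twelve log lines quoted above are the only evidence the thread contains, so before collecting the 'shorewall dump' Tom asks for it is worth squeezing what they do say out of them. The script below is an added example, not code from the thread or from the Shorewall project; it parses Shorewall's default "Shorewall:<chain>:<disposition>:" log prefix plus the netfilter key=value fields, counts drops per chain, source and destination port, and measures the gap between successive packets from the same source port. The sample input is copied from the quoted log (kernel uptime stamps included). The regular expressions and function names are this example's own.

```python
"""Triage of Shorewall/netfilter LOG lines like the ones quoted in this thread.

Added example, not code from the thread or from the Shorewall project.
SAMPLE_LINES is copied from the log quoted above (kernel uptime stamp kept).
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the netfilter key=value fields; <chain> is the zone-pair chain (here net-fw).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")
TS_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\]")

SAMPLE_LINES = [
    "[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388",
    "[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712",
    "[189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712",
    "[189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712",
    "[189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712",
    "[189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return chain, disposition and the netfilter fields, or None for a non-Shorewall line.

    netfilter prints LEN twice (IP total length first, then the UDP/TCP length);
    the first is kept as IPLEN and the second as LEN. Bare flags such as DF
    carry no '=' and are skipped.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for kv in KV_RE.finditer(m.group("rest")):
        key, value = kv.group("key"), kv.group("value")
        if key == "LEN" and "LEN" in fields:
            fields["IPLEN"] = fields["LEN"]
        fields[key] = value
    return fields


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per chain, disposition, protocol, source address and destination port."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = (f"{f['chain']} {f['disposition']} {f.get('PROTO', '?').lower()} "
               f"{f.get('SRC', '?')} -> dpt {f.get('DPT', '?')}")
        counts[key] += 1
    return dict(counts)


def retransmit_intervals(lines: List[str]) -> Dict[str, List[float]]:
    """Seconds between successive packets from the same SRC:SPT, from the uptime stamp.

    A steady interval (about 3 s for the first source here) is a peer retrying an
    unanswered request on UDP/500 (ISAKMP): the packets are being dropped before
    they reach anything that could answer them.
    """
    last: Dict[str, float] = {}
    intervals: Dict[str, List[float]] = {}
    for line in lines:
        f = parse_line(line)
        m = TS_RE.search(line)
        if f is None or m is None:
            continue
        ts = float(m.group("ts"))
        key = f"{f.get('SRC', '?')}:{f.get('SPT', '?')}"
        if key in last:
            intervals.setdefault(key, []).append(round(ts - last[key], 3))
        last[key] = ts
    return intervals


if __name__ == "__main__":
    for k, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {k}")
    for k, iv in retransmit_intervals(SAMPLE_LINES).items():
        print(f"{k}: {iv}")
```

Two things fall out of the triage. First, every drop is logged from the net-fw chain with disposition DROP; the poster's only net-to-fw rules are ACCEPTs, so the DROP most plausibly comes from the "net all DROP info(uid)" policy line rather than from a rule, which is consistent with Tom's point that the ACCEPT rule should have matched. Second, the first source resends every three seconds with consecutive IP IDs, i.e. a client retrying IKE, not a scan. Neither observation replaces 'shorewall dump': that is the only thing that shows which chain the compiled rules actually landed in and why the ACCEPT was not hit.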