I would think you would want:
interfaces:
- eth0 routefilter=0,logmartians=1
hosts:
vpn eth0:172.58.43.0/24
net eth0:0.0.0.0/0
I'm assuming 172.58.43.0/24 is a private subnet (RFC1918).
Bill
On 12/23/2017 7:52 PM, Colony.three via Shorewall-users wrote:
I don't understand this:
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184627.506014] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10960 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184630.506281] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10961 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184633.506518] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10962 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184636.506136] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10963 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184639.506758] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10964 PROTO=UDP SPT=1024 DPT=500 LEN=388
[184642.505948] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10965 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189769.362835] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46914 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189772.174498] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46915 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189776.045296] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46916 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
[189781.611542] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46917 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
... when policy has:
$FW all REJECT info(uid)
net all DROP info(uid)
vpn all DROP info(uid)
#local all REJECT info(uid)
all all REJECT info(uid)
... and rules has:
# VPN
ACCEPT vpn $FW udp 500,ipsec-nat-t -
ACCEPT net $FW udp 500,ipsec-nat-t -
In interfaces I only have:
- lo ignore
net eth0 tcpflags,nosmurfs,sourceroute=0
... with no vpn. Could this be the problem?
And I don't understand why it is that in rules when I specify the port as isakmp (rather than 500), it gets blocked? Same reason, whatever it is?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
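An added triage helper (example code, not from the thread or from Shorewall itself): it parses the Shorewall:<chain>:<action>: prefix of the log lines posted above to show which zone pair's policy handled each packet, and resolves DPT to the service name the rules file uses. The two sample lines and the UDP_SERVICES table are constructed from the thread; the zone-pair split assumes the logged chain is a <src zone>-<dst zone> policy chain like net-fw.

```python
import re
from collections import Counter

# Constructed sample: two of the entries posted in the thread, one per line
# (the mail client had wrapped each entry over two lines).
SAMPLE_LOG = """\
[184624.505739] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=85.6.183.101 DST=192.168.111.16 LEN=408 TOS=0x00 PREC=0x00 TTL=115 ID=10959 PROTO=UDP SPT=1024 DPT=500 LEN=388
[189767.312541] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=172.58.43.44 DST=192.168.111.16 LEN=732 TOS=0x00 PREC=0x00 TTL=54 ID=46913 DF PROTO=UDP SPT=65138 DPT=500 LEN=712
"""

# Service names for the two UDP ports the thread's rules file references (as in /etc/services).
UDP_SERVICES = {500: "isakmp", 4500: "ipsec-nat-t"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall netfilter log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" not in tok:            # bare tokens such as DF are flags
            rec["flags"].append(tok)
            continue
        key, _, val = tok.partition("=")
        if key in rec:                # LEN appears twice: IP total length, then UDP length
            key = key + "_l4"
        rec[key] = val
    # A zone-pair policy chain is logged as <src zone>-<dst zone>, e.g. net-fw:
    # the src zone is the one Shorewall classified the packet into, so a DROP
    # here means the packet never reached rules written for any other zone.
    rec["src_zone"], _, rec["dst_zone"] = rec["chain"].partition("-")
    if rec.get("PROTO") == "UDP" and "DPT" in rec:
        rec["service"] = UDP_SERVICES.get(int(rec["DPT"]), rec["DPT"])
    return rec


def summarize(log_text):
    """Count entries per (src zone, dst zone, action, source IP, proto, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["src_zone"], rec["dst_zone"], rec["action"], rec["SRC"],
                    rec.get("PROTO", "-"), rec.get("service", rec.get("DPT", "-")))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Both posted sources show up under the net-fw pair with service isakmp, which is what points at the zone definition rather than the port spelling as the thing to fix.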