Hello Tom,

thank you very much for taking the time to look into my problem, and for the 
extensive expertise.
> 
> According to the Shorewall Dump that you submitted, the firewall is
> *not* blocking the connection:
> 
> Chain loc-fw (1 references)
> ...
> 1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5665 /* ICINGA */
> 
> This indicates that the SYN packet sent by the client was accepted by
> the firewall's ruleset. Note that in the loc-fw display in your previous
> post, three connections had been accepted.
I believe you mean this here:
   0     0 ACCEPT     tcp  --  *      *       192.168.1.70         192.168.1.66         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.75         192.168.1.66         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.84         192.168.1.66         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.85         192.168.1.66         tcp dpt:5665 /* ICINGA */
The sources are the Icinga agents, which should send their messages to the Icinga 
master on 192.168.1.66. I think it wasn't inside the rules because I tried 
several possibilities.
> 
> The server is listening on this port:
> 
> Netid  State   Recv-Q   Send-Q     Local Address:Port       Peer Address:Port  ...
> tcp    LISTEN  0        128              0.0.0.0:5665            0.0.0.0:*      users:(("icinga2",pid=80706,fd=18))
> 
> so I see no reason why the connection would not be successful.
> 
> If you temporarily execute 'shorewall clear', does the connection
> succeed (be sure to 'shorewall start' after the test)?
> 
Okay, when I clear the Shorewall rules this way, I get the same result 
when I do
# nc -vt 192.168.1.66 5665 
neckar.germany.com [192.168.1.66] 5665 (?) : Connection refused
So I would also say this could be a problem with the Icinga configuration.
But then I don't understand this behaviour when shorewall is running on 
192.168.1.66:
neckar ~# nc -vt 192.168.1.66 5665             
neckar.germany.com [192.168.1.66] 5665 (?) open


> > My host is with its two interfaces vmbr0 and
> > vmbr1 part of both networks net and loc, and named as $FW. I don't
> > understand this behaviour.
> 
> The host is *not* part of net and loc -- it is its own zone named 'fw',
> which is what $FW expands to. This is explained at
> http://www.shorewall.org/Introduction.html.

I saw that today when I was reading your documentation.

Since the firewall is running correctly in your view, I have been looking for the 
cause of the refused connection in Icinga, apart from the connection behaviour on 
the host, as just shown.

Best regards

Andreas
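The test Tom proposes in the thread (probe the port with nc once with Shorewall cleared and once with it running, and check with ss that the service is actually listening) can be scripted so that the three possible outcomes are told apart. The following is an added example, not code from the thread, from Shorewall or from Icinga. probe_tcp() classifies a TCP connect the way nc -v reports it: "open" means the handshake completed, "refused" means a RST or ICMP port-unreachable came back (the SYN reached the host's TCP stack and nothing was listening on that address, or an iptables REJECT rule answered), and "filtered" means no reply at all, which is what a DROP rule or an unreachable host looks like. listeners() parses ss -ltnp output for the addresses a port is bound on, and remotely_reachable() flags a daemon bound only to loopback, which answers "open" to nc run on the host itself but "Connection refused" to every other host regardless of the firewall. The ss sample embeds the line quoted in the thread plus a constructed loopback-only line (port 5666 and the "example" process are invented for illustration); demo() runs the probe against a throwaway listener on 127.0.0.1 and against a closed loopback port, so the whole thing runs offline.

```python
from __future__ import annotations

import errno
import socket

# Sample `ss -ltnp` output. The first data line is the one quoted in the thread;
# the second is constructed to show a service bound only to loopback.
SS_SAMPLE = """\
Netid  State   Recv-Q   Send-Q     Local Address:Port       Peer Address:Port  Process
tcp    LISTEN  0        128              0.0.0.0:5665            0.0.0.0:*      users:(("icinga2",pid=80706,fd=18))
tcp    LISTEN  0        128            127.0.0.1:5666            0.0.0.0:*      users:(("example",pid=1,fd=3))
"""


def listeners(ss_output: str, port: int) -> list[str]:
    """Local addresses on which `port` is in LISTEN state, parsed from ss -ltnp output."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] != "LISTEN":
            continue
        # rpartition handles 0.0.0.0:5665, [::]:5665 and *:5665 alike
        addr, _, p = fields[4].rpartition(":")
        if p == str(port):
            found.append(addr)
    return found


def remotely_reachable(addrs: list[str]) -> bool:
    """True if at least one listening address is not loopback-only."""
    return any(not (a.startswith("127.") or a in ("[::1]", "::1")) for a in addrs)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt the way `nc -v` reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
    if rc == 0:
        # SYN / SYN-ACK / ACK completed: a listener is there and no rule got in the way
        return "open"
    if rc == errno.ECONNREFUSED:
        # RST or ICMP port-unreachable: packet reached the host, nothing listening
        # on that address, or an iptables REJECT rule answered
        return "refused"
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        # silence: a DROP rule, or the host is not reachable at all
        return "filtered"
    return "error:" + errno.errorcode.get(rc, str(rc))


def _throwaway_listener() -> socket.socket:
    """Constructed stand-in for the daemon: a listener on a kernel-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _closed_port() -> int:
    """Pick a loopback port that nothing listens on: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict[str, str]:
    """Probe a listening and a closed loopback port; no firewall involved."""
    srv = _throwaway_listener()
    try:
        result = {"listening": probe_tcp("127.0.0.1", srv.getsockname()[1])}
    finally:
        srv.close()
    result["not_listening"] = probe_tcp("127.0.0.1", _closed_port())
    return result


if __name__ == "__main__":
    for port in (5665, 5666):
        addrs = listeners(SS_SAMPLE, port)
        scope = "reachable from other hosts" if remotely_reachable(addrs) else "loopback only"
        print(port, addrs, scope)
    print(demo())
```

In practice the probe is run from one of the agent hosts against 192.168.1.66, once after `shorewall clear` and once after `shorewall start`: "refused" in both cases points at the host or the service rather than the ruleset, "filtered" only while Shorewall runs points at a DROP policy, and the ss parser confirms that the daemon is bound to 0.0.0.0 (or the LAN address) and not just to 127.0.0.1.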


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
