On 10/18/19 7:51 AM, Andreas Günther wrote:
>
> On Tuesday, 15 October 2019, 19:23:57 CEST, Andreas Günther wrote:
>
> > That I have seen today when I was reading your documentation.
> >
> > Since the firewall is running correctly in your view, I have searched for the
> > refused connection at Icinga. Apart from the connection behavior on the
> > host, as just shown.
>
> Hi,
>
> my problem still isn't solved. I have checked Icinga2 on the host and
> tested the same configuration on another KVM guest 192.168.200.7 in a
> separate network 192.168.200.0 without any firewall with an Icinga
> client 192.168.200.2. There aren't any connection problems.
>
> On my host Icinga is listening:
>
> # netstat -tlpn | grep 5665
> tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 3490/icinga2
>
> My rules for tcp/5665 look like
>
> 0 0 ACCEPT tcp -- * * 192.168.1.66 192.168.1.70 tcp dpt:5665
> 1 60 ACCEPT tcp -- * * 192.168.1.70 192.168.1.66 tcp dpt:5665
>
> Now I try to get the certificate from Icinga on the client like
>
> mx:~ # openssl s_client -connect 192.168.1.66:5665
> 140635865412736:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
> 140635865412736:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
> connect:errno=111
>
> At the same time in the log of shorewall I see:
>
> neckar:/etc/shorewall # shorewall show log | grep '192.168.1.66'
> Oct 18 12:45:10 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44700 DF PROTO=TCP SPT=42882 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
>
> The same from the host looks like
>
> neckar:/etc/shorewall # openssl s_client -connect 192.168.1.66:5665
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=1 CN = Icinga CA
> verify error:num=19:self signed certificate in certificate chain
> verify return:1
> depth=1 CN = Icinga CA
> verify return:1
> depth=0 CN = neckar.germany.com
> verify return:1
> ...
>
> I don't believe any more that the problem is with Icinga; it is something with
> shorewall. But I don't know what.
>
> Could it have something to do with the options or missing options in
> interfaces?
>
> #ZONE   INTERFACE       OPTIONS
> net     $NET_IF         dhcp,routefilter,tcpflags
> loc     $LOC_IF         routeback,bridge
>
> Best regards
>
> Andreas
>
Andreas,

The dump you sent is not a bit helpful, as the configuration had
obviously changed by the time that the problems reported above were observed
(in the dump, the loc-fw policy is ACCEPT whereas it was obviously
REJECT when the log message above was produced). Also, no attempt to
connect was made between the time that the firewall was started with
that configuration and the time when the dump was taken. Does everything
work properly when the policy is ACCEPT?

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
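The log line quoted in the thread carries Shorewall's `Shorewall:<chain>:<disposition>:` prefix in front of the netfilter key=value fields, and the chain name (`loc-fw`) is what tells you which zone-pair chain blocked the SYN, which is why Tom reads it against the loc-fw policy rather than against Icinga. The parser below is an added example, not code from the thread or from the Shorewall project: it extracts chain, disposition and the 5-tuple from lines as printed by `shorewall show log`, tolerates the usual syslog `host kernel:` prefix in front of them (an assumption about the raw log), and groups blocked connection attempts to a port by the chain that logged them. The sample lines are constructed; the first is the REJECT from the message, the second and third are made up.

```python
# Added example (not from the thread or the Shorewall project): parse
# Shorewall log lines and group blocked connection attempts by chain.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample: line 1 is the REJECT quoted in the thread, line 2 is a
# made-up DROP in another zone-pair chain, line 3 is unrelated syslog noise.
SAMPLE_LOG = [
    "Oct 18 12:45:10 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 "
    "DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44700 DF "
    "PROTO=TCP SPT=42882 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 18 12:46:02 Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF "
    "PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Oct 18 12:46:30 neckar sshd[2201]: Accepted publickey for root from 192.168.1.70",
]

# Timestamp, an optional "host kernel: [uptime]" syslog prefix (assumed), then
# "Shorewall:<chain>:<disposition>:" and the netfilter fields.
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?:\S+\s+kernel:\s*(?:\[\s*[\d.]+\]\s*)?)?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=(\S*)")
# Bare tokens that netfilter emits without a value.
_FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for one Shorewall log line, or None for any other line."""
    m = _PREFIX.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {
        "ts": m["ts"], "chain": m["chain"], "disposition": m["disposition"],
    }
    rest = m["rest"]
    rec.update(_KV.findall(rest))  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    rec["flags"] = sorted(t for t in rest.split() if t in _FLAG_TOKENS)
    return rec


def blocked_syns(lines: Iterable[str], dport: int) -> List[Dict[str, object]]:
    """New TCP connection attempts (SYN without ACK) to dport that were
    REJECTed or DROPped, in log order."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != str(dport):
            continue
        if rec["disposition"] not in ("REJECT", "DROP"):
            continue
        flags = rec["flags"]
        if "SYN" in flags and "ACK" not in flags:
            out.append(rec)
    return out


def blocking_chains(lines: Iterable[str], dport: int) -> Counter:
    """Count blocked SYNs per (chain, disposition): the chain names the
    zone-pair chain whose rules or policy produced the entry."""
    return Counter((r["chain"], r["disposition"]) for r in blocked_syns(lines, dport))


def report(lines: Iterable[str], dport: int) -> str:
    """Human-readable summary: one line per blocking chain, then each attempt."""
    buffered = list(lines)
    parts = [f"{chain}: {disp} x{n}"
             for (chain, disp), n in sorted(blocking_chains(buffered, dport).items())]
    for r in blocked_syns(buffered, dport):
        parts.append(f"  {r['ts']} {r['SRC']}:{r['SPT']} -> {r['DST']}:{r['DPT']} in={r['IN']}")
    return "\n".join(parts)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, 5665))
```

Feed it the output of `shorewall show log` (or the kernel log) and the port the service listens on; a hit in a zone-pair chain that should have an ACCEPT rule for that traffic points at the rule not matching or at the pair's policy, which is the distinction Tom draws between the log message and the later dump.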
