> > Andreas,
> >
> > The dump you sent is not a bit helpful, as the configuration had
> > obviously changed by the time that problems reported above were observed
> > (in the dump, the loc-fw policy is ACCEPT whereas it was obviously
> > REJECT when the log message above was produced). Also, no attempt to
> > connect was made between the time that the firewall was started with
> > that configuration and the time when the dump was taken. Does everything
> > work properly when the policy is ACCEPT?
> >
> > -Tom
Hello Tom,

after our last post I changed the policy like this:

    #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
    #loc fw ACCEPT
    net all DROP info
    fw all ACCEPT info
    loc all ACCEPT info
    # THE FOLLOWING POLICY MUST BE LAST
    all all REJECT info

But the policy was ACCEPT the whole time, never REJECT. Only the destination I have changed. And today I have limited the rules around port 5665 to the connection between 192.168.1.66 and 192.168.1.70 to keep track. I did the same with removing the ICINGA macro from the rules in favor of ACTION.

I have just repeated the whole action after a shorewall clear && shorewall start:

    mx:~ # openssl s_client -connect 192.168.1.66:5665
    140027152065664:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
    140027152065664:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
    connect:errno=111

and

    neckar:/etc/shorewall # shorewall show log | grep '192.168.1.70'
    Oct 18 18:47:17 loc-net ACCEPT IN=vmbr1 OUT=vmbr0 SRC=192.168.1.70 DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=63 ID=42263 DF PROTO=UDP SPT=35273 DPT=24441 LEN=172
    Oct 18 18:47:20 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8263 DF PROTO=TCP SPT=42332 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0

You can see the connection is still rejected. I have generated a new dump.

Best regards
Andreas
Attachment: shorewall_dump-2.txt.bz2 (application/bzip)
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
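The check that Tom's question and Andreas's log excerpt turn on is whether the disposition in a "Shorewall:loc-fw:REJECT:" line can have come from the loc-fw policy at all. The following is an added Python example, not code from this thread or from Shorewall: it parses the policy table and the two "shorewall show log" lines quoted in the post, resolves each logged packet's zone pair (loc-net, loc-fw) against the policy using "all" as a wildcard and first-match order in file order (an assumption of this example, as are the regexes for the two log-prefix shapes seen in the post), and reports every line whose logged disposition differs from the resolved policy.

```python
import re

# Policy table as quoted in Andreas's post (taken from the thread, not invented).
POLICY_TEXT = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#loc fw ACCEPT
net all DROP info
fw all ACCEPT info
loc all ACCEPT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
"""

# The two 'shorewall show log | grep 192.168.1.70' lines from the post, verbatim.
LOG_TEXT = """\
Oct 18 18:47:17 loc-net ACCEPT IN=vmbr1 OUT=vmbr0 SRC=192.168.1.70 DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=63 ID=42263 DF PROTO=UDP SPT=35273 DPT=24441 LEN=172
Oct 18 18:47:20 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8263 DF PROTO=TCP SPT=42332 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Both prefix shapes that occur above: "loc-net ACCEPT IN=..." and
# "Shorewall:loc-fw:REJECT:IN=...". The zone pair is the chain name, the
# third group the logged disposition. (Assumed shapes; covers only what the post shows.)
PREFIX_RE = re.compile(
    r"(?:Shorewall:)?(?P<src>[A-Za-z0-9_]+)-(?P<dst>[A-Za-z0-9_]+)"
    r"[: ](?P<action>ACCEPT|DROP|REJECT):?"
)
# netfilter KEY=value fields; bare flags such as DF or SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_policy(text):
    """Return (SOURCE, DEST, POLICY) tuples in file order, comments dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        entries.append((parts[0], parts[1], parts[2].upper()))
    return entries


def lookup_policy(entries, src_zone, dst_zone):
    """Policy for a zone pair: first entry whose SOURCE and DEST match,
    with 'all' as a wildcard. First-match-in-file-order is assumed here."""
    for src, dst, policy in entries:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return policy
    return None


def parse_log_line(line):
    """Split one Shorewall/netfilter log line into zone pair, disposition and fields."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))  # a repeated key (LEN=) keeps the last value
    return {
        "src_zone": m.group("src"),
        "dst_zone": m.group("dst"),
        "logged": m.group("action"),
        "fields": fields,
    }


def find_mismatches(policy_text, log_text):
    """Return log entries whose logged disposition differs from the zone-pair
    policy. Such a disposition cannot have been produced by that policy entry."""
    entries = parse_policy(policy_text)
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        expected = lookup_policy(entries, rec["src_zone"], rec["dst_zone"])
        if expected != rec["logged"]:
            f = rec["fields"]
            out.append({
                "zones": "%s-%s" % (rec["src_zone"], rec["dst_zone"]),
                "logged": rec["logged"],
                "policy": expected,
                "src": f.get("SRC"),
                "dst": f.get("DST"),
                "proto": f.get("PROTO"),
                "dpt": f.get("DPT"),
            })
    return out


if __name__ == "__main__":
    for m in find_mismatches(POLICY_TEXT, LOG_TEXT):
        print("%(zones)s: logged %(logged)s but policy resolves to %(policy)s "
              "(%(proto)s %(src)s -> %(dst)s:%(dpt)s)" % m)
```

Run against the post's own data, the loc-net line matches its policy (ACCEPT) and is silent, while the loc-fw line is reported: REJECT was logged for TCP 192.168.1.70 -> 192.168.1.66:5665, but the loc-fw pair resolves to ACCEPT via "loc all ACCEPT". That is exactly the discrepancy Andreas describes, and it is the reason the dump alone cannot settle the question: a REJECT in that chain has to be explained by something other than the policy entry, so the rules in effect at the moment the log line was produced are what need to be compared.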