On Friday, 18 October 2019, 18:56:09 CEST, Andreas Günther wrote:
> > Andreas,
> > 
> > The dump you sent is not a bit helpful, as the configuration had
> > obviously changed by the time that problems reported above were observed
> > (in the dump, the loc-fw policy is ACCEPT whereas it was obviously
> > REJECT when the log message above was produced). Also, no attempt to
> > connect was made between the time that the firewall was started with
> > that configuration and the time when the dump was taken. Does everything
> > work properly when the policy is ACCEPT?
> > 
> > -Tom
> 
> Hello Tom,
> 
> after our last post I changed policy like here
> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
> 
> #loc            fw              ACCEPT
> net             all             DROP            info
> fw              all             ACCEPT          info
> loc             all             ACCEPT          info
> # THE FOLLOWING POLICY MUST BE LAST
> all             all             REJECT          info
> 
> But the policy was at ACCEPT the whole time, never REJECT. Only the
> destination I have changed.
> And today I have the rules around port 5665 limited to the connection
> between 192.168.1.66 and 192.168.1.70 to keep track. I did the same with
> removing the ICINGA macro from the rules in favor of ACTION.
> 
> I have just repeated the whole action after a shorewall clear && shorewall
> start
> 
> mx:~ # openssl s_client -connect 192.168.1.66:5665
> 140027152065664:error:0200206F:system library:connect:Connection refused:../
> crypto/bio/b_sock2.c:110:
> 140027152065664:error:2008A067:BIO routines:BIO_connect:connect error:../
> crypto/bio/b_sock2.c:111:
> connect:errno=111
> 
> and
> neckar:/etc/shorewall # shorewall show log | grep '192.168.1.70'
> Oct 18 18:47:17 loc-net ACCEPT IN=vmbr1 OUT=vmbr0 SRC=192.168.1.70
> DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=63 ID=42263 DF PROTO=UDP
> SPT=35273 DPT=24441 LEN=172
> Oct 18 18:47:20 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70
> DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8263 DF PROTO=TCP
> SPT=42332 DPT=5665 WINDOW=29200 RES=0x00 SYN
> URGP=0
> 
> You can see the connection is still rejected. I have generated a new dump.
> 
> Best regards
> 
> Andreas

Hi,

is it possible that this is a limitation based on the interface? And that
depending on the VM technology special parameters would have to be set in
shorewall?
I use here KVM on Debian Linux Buster.

Best regards

Andreas
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
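The quoted `shorewall show log` output above mixes two line shapes (`loc-net ACCEPT IN=...` and `Shorewall:loc-fw:REJECT:IN=...`). The parser below, an added example that is not part of the thread, normalises both shapes and tallies rejected flows by chain, protocol and destination port, which is the quick check for confirming that the loc-fw chain is what rejects port 5665. The sample lines are the thread's own log lines, reassembled from the mail client's line wrapping.

```python
import re
from collections import Counter

# Constructed sample: the two `shorewall show log` lines from the thread, unwrapped.
SAMPLE_LOG = """\
Oct 18 18:47:17 loc-net ACCEPT IN=vmbr1 OUT=vmbr0 SRC=192.168.1.70 DST=5.9.124.53 LEN=192 TOS=0x00 PREC=0x00 TTL=63 ID=42263 DF PROTO=UDP SPT=35273 DPT=24441 LEN=172
Oct 18 18:47:20 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8263 DF PROTO=TCP SPT=42332 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Prefix shapes: "<chain> <ACTION> IN=..." or "Shorewall:<chain>:<ACTION>:IN=...".
PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?:Shorewall:(?P<chain1>[\w-]+):(?P<act1>\w+):|(?P<chain2>[\w-]+) (?P<act2>\w+) )"
    r"(?P<rest>.*)$"
)
# Netfilter key=value fields; "OUT=" with an empty value is legal and common.
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a log entry."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    fields = dict(KV.findall(m["rest"]))  # LEN appears twice; the last one wins
    dpt = fields.get("DPT", "")
    return {
        "ts": m["ts"],
        "chain": m["chain1"] or m["chain2"],    # zone pair, e.g. loc-fw
        "action": m["act1"] or m["act2"],       # ACCEPT / REJECT / DROP
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(dpt) if dpt.isdigit() else None,
        "in": fields.get("IN"),
        "out": fields.get("OUT") or None,       # OUT= (empty) means the fw itself is the target
    }


def rejected_flows(log_text):
    """Count REJECT/DROP entries keyed by (chain, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] in ("REJECT", "DROP"):
            counts[(entry["chain"], entry["proto"], entry["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in rejected_flows(SAMPLE_LOG).items():
        print(f"{key[0]} rejected {n} x {key[1]}/{key[2]}")
```

An empty OUT= field in the REJECT line is the tell-tale that the packet was addressed to the firewall host itself, so the loc-fw chain (not loc-net) is the one to inspect.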