On 9/1/2021 11:40 AM, Matt Darfeuille wrote:
> On 9/1/2021 10:55 AM, Franz Holzinger wrote:
>>>> I have this policy file:
>>>> fw net ACCEPT
>>>> fw dock ACCEPT
>>>> dock all ACCEPT
>>>> net all DROP info
>>>> all all REJECT info
>>>>
>>
>>> Given the last policy, are you seeing anything in the log (REJECT for
>>> that port)?
>> I get these logfile entries for the DDEV URL https://umgebung1.ddev.site:8443/:
>>
>> Sep 1 10:36:44 franz-820 kernel: [16328.774791] INPUT REJECT IN=br-81fbb014aa75 OUT= PHYSIN=veth0bab8b8 MAC=02:42:c7:d7:7d:a9:02:42:ac:12:00:06:08:00 SRC=172.18.0.6 DST=172.18.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=36868 WINDOW=65160 RES=0x00 ACK SYN URGP=0
>> Sep 1 10:36:59 franz-820 slack.desktop[2342]: [09/01/21, 10:36:59:270] info: [DND] (T024TUMLZ) Checking for changes in DND status for the following members: U07FRBCHE
>> Sep 1 10:36:59 franz-820 slack.desktop[2342]: [09/01/21, 10:36:59:270] info: [DND] (T024TUMLZ) Will check for changes in DND status again in 5 minutes
>> Sep 1 10:37:00 franz-820 kernel: [16345.158548] INPUT REJECT IN=br-81fbb014aa75 OUT= PHYSIN=veth0bab8b8 MAC=02:42:c7:d7:7d:a9:02:42:ac:12:00:06:08:00 SRC=172.18.0.6 DST=172.18.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=36868 WINDOW=65160 RES=0x00 ACK SYN URGP=0
>>
>>
>> shorewall logwatch:
>>
>> Sep 1 10:52:19 INPUT REJECT IN=br-81fbb014aa75 OUT= PHYSIN=veth0bab8b8 SRC=172.18.0.6 DST=172.18.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=37382 WINDOW=65160 RES=0x00 ACK SYN URGP=0
>>
> 
> Clearly the traffic between the interfaces (br-81fbb014aa75 and veth0bab8b8)
> is rejected.
> 
> Are the containers on a bridge?
> 
> It looks like the interfaces are not properly defined in the zones.
> 

Are you trying to access those containers remotely? If so, you need to
allow traffic from the net zone to the containers zone.

From the log:

"SRC=172.18.0.6 DST=172.18.0.1"

This looks to indicate that ip 0.6 is trying to access 0.1 in the same
subnet.

But 'ddev' is listening on 127.0.0.1.


Anyone here using 'ddev' and Shorewall?

If you are still not getting anywhere, please follow the instructions at
(2) followed by (3).


Some more explanation from the OP (1).


1)  https://forums.mageia.org/en/viewtopic.php?t=14305&p=83812
2)  https://shorewall.org/troubleshoot.htm#Connections
3)  https://shorewall.org/support.htm#Guidelines

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
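An added example, not part of the thread and not Shorewall's own tooling: a small Python script that parses the netfilter log lines quoted above, works out from the TCP flags which side opened the connection, and matches the entry against the policy file posted at the top of the thread. It assumes the log format seen in these lines (chain and disposition as the two tokens before the first IN= field) and that the policy file is exactly the five rows posted; the sample log text is the quoted lines rejoined onto single lines plus one unrelated syslog line, constructed here to show that non-firewall lines are skipped.

```python
"""Explain a netfilter/Shorewall REJECT log line: who opened the connection,
and which policy row could have produced the entry.

Added example for this thread, not Shorewall's own tooling. SAMPLE_LOG holds
the kernel lines quoted in the thread (wrapped lines rejoined) plus one
unrelated syslog line; SAMPLE_POLICY is the policy file from the thread.
"""
import re
from dataclasses import dataclass

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample input: the lines quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
Sep 1 10:36:44 franz-820 kernel: [16328.774791] INPUT REJECT IN=br-81fbb014aa75 OUT= PHYSIN=veth0bab8b8 MAC=02:42:c7:d7:7d:a9:02:42:ac:12:00:06:08:00 SRC=172.18.0.6 DST=172.18.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=36868 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Sep 1 10:36:59 franz-820 slack.desktop[2342]: [09/01/21, 10:36:59:270] info: [DND] (T024TUMLZ) Checking for changes in DND status
Sep 1 10:37:00 franz-820 kernel: [16345.158548] INPUT REJECT IN=br-81fbb014aa75 OUT= PHYSIN=veth0bab8b8 MAC=02:42:c7:d7:7d:a9:02:42:ac:12:00:06:08:00 SRC=172.18.0.6 DST=172.18.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=36868 WINDOW=65160 RES=0x00 ACK SYN URGP=0
"""

# The policy file as posted at the top of the thread.
SAMPLE_POLICY = """\
fw   net  ACCEPT
fw   dock ACCEPT
dock all  ACCEPT
net  all  DROP   info
all  all  REJECT info
"""

# Assumed log format: two tokens (chain, disposition) precede the first IN= field.
_LINE_RE = re.compile(r"kernel: \[[\d.]+\] (?P<chain>\S+) (?P<disp>\S+) (?P<rest>IN=.*)$")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict
    flags: set


def parse_line(line):
    """Return a LogEntry for a netfilter log line, or None for anything else."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= yields an empty string, which is fine
        elif tok in TCP_FLAGS:
            flags.add(tok)               # bare tokens after RES= are the TCP flags
    return LogEntry(m.group("chain"), m.group("disp"), fields, flags)


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def connection_origin(entry):
    """Which side opened the TCP connection this packet belongs to.

    SYN without ACK: SRC is connecting to the service on DST:DPT.
    SYN+ACK: this is the listener's reply, so the connection was opened by DST
    (from ephemeral port DPT) towards the service on SRC:SPT.
    """
    f = entry.fields
    if f.get("PROTO") != "TCP":
        return None
    src, dst = f"{f['SRC']}:{f['SPT']}", f"{f['DST']}:{f['DPT']}"
    if "SYN" in entry.flags and "ACK" not in entry.flags:
        return {"packet": "SYN", "initiator": src, "listener": dst}
    if {"SYN", "ACK"} <= entry.flags:
        return {"packet": "SYN-ACK reply", "initiator": dst, "listener": src}
    return {"packet": "mid-connection", "initiator": None, "listener": None}


def parse_policy(text):
    """Shorewall policy rows as (source, dest, policy, log_level or None)."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            rows.append((parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else None))
    return rows


def candidate_policies(policy_rows, entry):
    """Policy rows that could have written this entry: same disposition and
    logging enabled. An INPUT chain hit means the packet was addressed to the
    host running Shorewall, so the destination zone must be able to cover fw."""
    fw_zones = {"fw", "$FW", "all"}
    return [r for r in policy_rows
            if r[2] == entry.disposition and r[3]
            and (entry.chain != "INPUT" or r[1] in fw_zones)]


if __name__ == "__main__":
    rows = parse_policy(SAMPLE_POLICY)
    for e in parse_log(SAMPLE_LOG):
        print(e.chain, e.disposition, connection_origin(e), candidate_policies(rows, e))
```

Run against the quoted lines, the script reports that each rejected packet is a SYN-ACK, i.e. the bridge-gateway side 172.18.0.1 opened the connection from ephemeral port 36868 to the container's 8443 and it is the container's reply that hits the INPUT chain, and that the only posted policy row with disposition REJECT and a log level is `all all REJECT info`. Since `dock all ACCEPT` precedes that row, a bridge interface that belonged to the dock zone would not produce this entry, which is the zone-definition question raised above.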
