Hi,

> Hi Bas, I think the sequence numbers are supposed to be the same, yes.
> When looking at your logs, it looks like the icmp echo request is
> accepted, however not by rule 28 or 29. Both these rules have -i ipsec0
> and -o eth0. The request is in the opposite direction: IN=eth0
> OUT=ipsec0
> The reply should have the conntrack state 'ESTABLISHED' and thus rule 28
> and 29 won't match for the reply either, since they match only on state
> NEW.

Clear

> What seems to be happening here is that for some reason the icmp echo
> reply is not marked ESTABLISHED by conntrack and therefore not accepted
> automatically by the Vuurmuur ruleset. You should add some manual
> iptables logging rules to confirm this: <some rules to add>
> Let me know the results!

And the results are ....

------------------------[vuurmuur]-------------------------------
May 1 18:46:01: ACCEPT ping Bas.Local.lan -> WSBAS.LAN.Seaspan (in: eth2 out: ipsec0 10.1.0.193 -> 192.168.70.29 ICMP type 8 code 0 len:60 ttl:127)
May 1 18:46:01: DROP echo-reply WSBAS.LAN.Seaspan -> Bas.Local.lan 'fw policy' (in: ipsec0 out: eth2 192.168.70.29 -> 10.1.0.193 ICMP type 0 code 0 len:60 ttl:125)
May 1 18:46:06: ACCEPT ping Bas.Local.lan -> WSBAS.LAN.Seaspan (in: eth2 out: ipsec0 10.1.0.193 -> 192.168.70.29 ICMP type 8 code 0 len:60 ttl:127)
May 1 18:46:06: DROP echo-reply WSBAS.LAN.Seaspan -> Bas.Local.lan 'fw policy' (in: ipsec0 out: eth2 192.168.70.29 -> 10.1.0.193 ICMP type 0 code 0 len:60 ttl:125)
--------------------------------------------------------------------

---------------[Extra rules that I added:]--------------------------
iptables -I FORWARD 1 -p icmp -j LOG --log-prefix "BAS: icmp "
iptables -I FORWARD 1 -p icmp --icmp-type echo-reply -m state --state NEW -j LOG --log-prefix "BAS: echo reply state NEW "
iptables -I FORWARD 1 -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j LOG --log-prefix "BAS: echo reply state EST "
iptables -I FORWARD 1 -p icmp --icmp-type echo-reply -m state --state RELATED -j LOG --log-prefix "BAS: echo reply state REL "
--------------------------------------------------------------------

--------------------------[syslog]----------------------------------
May 1 18:46:01 S010600e0b601c51e kernel: BAS: icmp IN=eth2 OUT=ipsec0 SRC=10.1.0.193 DST=192.168.70.29 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=18948 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=15
May 1 18:46:01 S010600e0b601c51e kernel: BAS: echo reply state EST IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3269 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=15
May 1 18:46:01 S010600e0b601c51e kernel: BAS: icmp IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3269 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=15
May 1 18:46:06 S010600e0b601c51e kernel: BAS: icmp IN=eth2 OUT=ipsec0 SRC=10.1.0.193 DST=192.168.70.29 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19127 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=16
May 1 18:46:06 S010600e0b601c51e kernel: BAS: echo reply state EST IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3516 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=16
May 1 18:46:06 S010600e0b601c51e kernel: BAS: icmp IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3516 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=16
--------------------------------------------------------------------

I excluded the DROP actions from the syslog. They are caught by the final drop rule.

Somehow the rules don't accept it as established?

> Cheers,
> Victor

Bas
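The check Victor asked for can be automated: pair each netfilter LOG line for an echo request with its reply by ICMP ID/SEQ and read off which "BAS:" state prefix the reply carried. This is an added example, not code from the thread or from Vuurmuur; the sample input is the syslog from the thread plus one constructed reply (SEQ=17, no matching request) to show the other branch.

```python
import re
from collections import defaultdict

# Sample input: first three LOG lines are from the thread; the SEQ=17 line is constructed
# to show an echo reply that conntrack did not associate with any request.
SAMPLE_SYSLOG = """\
May 1 18:46:01 S010600e0b601c51e kernel: BAS: icmp IN=eth2 OUT=ipsec0 SRC=10.1.0.193 DST=192.168.70.29 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=18948 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=15
May 1 18:46:01 S010600e0b601c51e kernel: BAS: echo reply state EST IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3269 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=15
May 1 18:46:01 S010600e0b601c51e kernel: BAS: icmp IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3269 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=15
May 1 18:46:07 S010600e0b601c51e kernel: BAS: echo reply state NEW IN=ipsec0 OUT=eth2 SRC=192.168.70.29 DST=10.1.0.193 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=3600 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=17
"""

# The two ID= fields differ: the first is the IP header ID, the one after CODE= is the ICMP ID.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>BAS: .+?) IN=(?P<indev>\S*) OUT=(?P<outdev>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=(?P<type>\d+) "
    r"CODE=\d+ ID=(?P<id>\d+) SEQ=(?P<seq>\d+)"
)
# Map the --log-prefix tags of the state-matching LOG rules to conntrack states.
STATE_TAGS = {"state NEW": "NEW", "state EST": "ESTABLISHED", "state REL": "RELATED"}

def parse_netfilter_log(text):
    """Return one dict per recognised LOG line with devices, ICMP type, id and seq."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["type"], e["id"], e["seq"] = int(e["type"]), int(e["id"]), int(e["seq"])
            entries.append(e)
    return entries

def correlate_pings(entries):
    """Group by ICMP (id, seq): path of the request, path of the reply, states seen on the reply."""
    flows = defaultdict(lambda: {"request": None, "reply": None, "reply_states": set()})
    for e in entries:
        f = flows[(e["id"], e["seq"])]
        if e["type"] == 8:                       # echo request
            f["request"] = (e["indev"], e["outdev"])
        elif e["type"] == 0:                     # echo reply
            f["reply"] = (e["indev"], e["outdev"])
            f["reply_states"].update(s for tag, s in STATE_TAGS.items() if tag in e["prefix"])
    return dict(flows)

def diagnose(flow):
    """Say whether a dropped reply points at conntrack or at the ruleset."""
    if flow["reply"] is None:
        return "no reply seen"
    if "ESTABLISHED" in flow["reply_states"]:
        return "conntrack ok: reply is ESTABLISHED, a drop must come from the ruleset"
    if flow["request"] is None:
        return "unsolicited reply: no matching request seen, state NEW is expected"
    return "conntrack mismatch: request seen but reply is not ESTABLISHED"
```

For the thread's lines the verdict is "conntrack ok", which is exactly the situation Bas describes: the reply is ESTABLISHED yet still hits the final drop rule.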
