Hello All,

I've got Openswan and L2tpd set up on the box running shorewall, and am able to successfully connect the roadwarrior to the vpn, get a local address, ping hosts. Everything seems to be working, except that whenever the remote machine attempts to do a DNS lookup, I get errors like the following:

Jun 21 08:04:03 net2all:DROP:IN=eth1 OUT= SRC=155.97.239.76 DST=224.0.0.251 LEN=108 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=88

I'm not sure even where to begin with this. eth1 is my external interface, eth0 is my internal interface (I know that's backwards from what might be expected). I'm running Shorewall 3.0.6. 155.97.239.76 is the ip address of eth1, though that is dynamic. I have ddns set up to keep the ip sync'd with a domain name.

What I'm confused about is that the packet seems to be trying to go to the firewall, but the DST address is not associated with the firewall in any way.

As per the instructions on the getting help page, I issued a shorewall reset, caused the remote machine to do a dns lookup, and ran shorewall dump > /tmp/status.txt. The result is attached as status.txt.gz

I'm guessing I've got some weird configuration issues, and that I just didn't quite follow the IPSEC with 2.6 kernel how-to correctly, but I've been over and over it and can't figure out what I'm doing wrong. I've attached rules, tunnels, policy, interfaces, and hosts from /etc/shorewall as config_files.tar.gz.

Thanks in advance for any help, and let me know if you need more information from me.

Dave

All the advantages of Linux Managed Hosting--Without the Cost and Risk! Fully trained technicians. The highest number of Red Hat certifications in the hosting industry. Fanatical Support. Click to learn more http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
David Burrow wrote:
> Hello All,
>
> I've got Openswan and L2tpd set up on the box running shorewall, and
> am able to successfully connect the roadwarrior to the vpn, get a
> local address, ping hosts. Everything seems to be working, except
> that whenever the remote machine attempts to do a DNS lookup, I get
> errors like the following:
>
> Jun 21 08:04:03 net2all:DROP:IN=eth1 OUT= SRC=155.97.239.76
> DST=224.0.0.251 LEN=108 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP
> SPT=5353 DPT=5353 LEN=88
>

Try setting PKTTYPE=No in shorewall.conf

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
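The logged packet in the first post is not addressed to the firewall at all: 224.0.0.251 is the IPv4 multicast group used by mDNS (RFC 6762), and UDP port 5353 is the mDNS port, so what the net2all policy caught was multicast name resolution, which is why Tom's suggestion concerns Shorewall's handling of packet type rather than any unicast rule. The following parser is an added example, not code from the thread or from Shorewall: it splits a netfilter/Shorewall log line of the form shown above into fields, resolves the doubled LEN= (IP total length, then transport length), and reports whether the destination is a multicast group, whether it is one of the host's own addresses, and whether the flow matches mDNS. The local address set (155.97.239.76 for eth1) is taken from the first post; the sample log line is the one Dave posted.

```python
import ipaddress
import re

# Sample input: the log line quoted in the first post of the thread.
SAMPLE_LINE = (
    "Jun 21 08:04:03 net2all:DROP:IN=eth1 OUT= SRC=155.97.239.76 "
    "DST=224.0.0.251 LEN=108 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF "
    "PROTO=UDP SPT=5353 DPT=5353 LEN=88"
)

# Addresses the firewall itself owns, per the first post (eth1's dynamic address).
FIREWALL_ADDRESSES = {ipaddress.ip_address("155.97.239.76")}

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")   # RFC 6762 IPv4 mDNS group
MDNS_PORT = 5353
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")  # never forwarded by routers

# "<syslog timestamp> <chain>:<disposition>:<key=value tokens>"
_PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)$"
)


def parse_shorewall_log(line):
    """Parse one Shorewall-style netfilter log line into a dict of fields."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Shorewall/netfilter log line")
    fields = {
        "timestamp": m["ts"],
        "chain": m["chain"],
        "disposition": m["disp"],
        "flags": [],
    }
    ip_len_seen = False
    for tok in m["rest"].split():
        if "=" not in tok:
            fields["flags"].append(tok)        # bare flags such as DF, SYN
            continue
        key, value = tok.split("=", 1)
        if key == "LEN":
            # netfilter logs LEN twice: IP total length first, transport length second.
            key = "ip_len" if not ip_len_seen else "l4_len"
            ip_len_seen = True
        fields[key.lower()] = value
    return fields


def classify_destination(fields, local_addresses=FIREWALL_ADDRESSES):
    """Say whether the dropped packet was unicast to this host, multicast, and/or mDNS."""
    dst = ipaddress.ip_address(fields["dst"])
    src = ipaddress.ip_address(fields["src"])
    proto = fields.get("proto", "")
    dpt = int(fields["dpt"]) if fields.get("dpt", "").isdigit() else None
    spt = int(fields["spt"]) if fields.get("spt", "").isdigit() else None
    is_mdns = proto == "UDP" and dst == MDNS_GROUP and dpt == MDNS_PORT
    return {
        "addressed_to_firewall": dst in local_addresses,
        "source_is_firewall": src in local_addresses,
        "dst_is_multicast": dst.is_multicast,
        "dst_is_local_control_block": dst in LOCAL_CONTROL_BLOCK,
        "service": "mDNS" if is_mdns else None,
        # mDNS queries normally originate from port 5353 as well.
        "mdns_well_formed": is_mdns and spt == MDNS_PORT,
    }


if __name__ == "__main__":
    parsed = parse_shorewall_log(SAMPLE_LINE)
    verdict = classify_destination(parsed)
    print(parsed["chain"], parsed["disposition"], parsed["in"], parsed["dst"])
    for k, v in verdict.items():
        print(f"  {k}: {v}")
```

Run against the line from the thread, `addressed_to_firewall` is false while `dst_is_multicast`, `dst_is_local_control_block` and `service == "mDNS"` are true, which is the answer to the "DST not associated with the firewall" question: no interface ever owns a multicast group address, and the 224.0.0.0/24 block is link-scoped and never routed, so this is the resolver on the other end of the tunnel trying multicast DNS before (or alongside) unicast DNS. The same parser works on any Shorewall net2all/all2all log line with the key=value layout shown.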
Tom,

Thanks! That seems to have solved the problem!

Dave

On 6/21/06, Tom Eastep <teastep@shorewall.net> wrote:
> David Burrow wrote:
> > Hello All,
> >
> > I've got Openswan and L2tpd set up on the box running shorewall, and
> > am able to successfully connect the roadwarrior to the vpn, get a
> > local address, ping hosts. Everything seems to be working, except
> > that whenever the remote machine attempts to do a DNS lookup, I get
> > errors like the following:
> >
> > Jun 21 08:04:03 net2all:DROP:IN=eth1 OUT= SRC=155.97.239.76
> > DST=224.0.0.251 LEN=108 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP
> > SPT=5353 DPT=5353 LEN=88
> >
>
> Try setting PKTTYPE=No in shorewall.conf
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
David Burrow
Mobile: (801)755-3375
Office: (801)587-2930