Hi,

shorewall version: 3.0.6

/etc/shorewall/zones:
###############################################################################
#ZONE   TYPE            OPTIONS                 IN                      OUT
#                                               OPTIONS                 OPTIONS
net     ipv4
loc     ipv4
fw      firewall
vpn     ipsec           mode=tunnel,mss=1350

/etc/shorewall/hosts:
###############################################################################
#ZONE   HOST(S)                                 OPTIONS
vpn     ppp0:10.7.85.0/24

/etc/shorewall/tunnels:
###############################################################################
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
ipsecnat                net     0.0.0.0/0

vpn's tunnel is established over a PPPoE connection (ppp0, zone net). Everything is working except for setting the MSS. Hosts in loc can talk to hosts in vpn and vice versa no problem. For connections vpn<->fw shorewall didn't add a rule to set the MSS however, so connections from fw to vpn and vice versa break down on the first packet that's too large for all the encapsulations. I've added this rule manually via an action script now and all is fine. But is there any builtin way to do this?

Cheers,
Malte

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
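The rule Malte added through his action script is not shown in the thread. As an added example (neither Shorewall's own code nor Malte's script), the POSIX sh helper below generates the iptables TCPMSS clamp rules an ipsec zone like the one above needs: the two FORWARD rules that Shorewall 3.0.6 already emitted for loc<->vpn, plus the OUTPUT rule for the firewall's own connections into the tunnel. The function names, the use of the mangle table and the default MSS of 1350 (taken from the zones file above) are assumptions made for this example. It prints the rules by default, so the generated rule set can be inspected before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not Shorewall's code): build the iptables TCPMSS clamp rules
# for an ipsec zone, including the OUTPUT rule for traffic the firewall itself
# sends into the tunnel.  Function names and defaults are assumptions.

IPTABLES="${IPTABLES:-iptables}"   # override with e.g. IPTABLES=/sbin/iptables
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the rules only; 0 = execute them

# Print one rule that rewrites the MSS option on TCP SYN (and SYN-ACK)
# packets selected by the IPsec policy match.
#   $1 = chain (FORWARD or OUTPUT), $2 = policy direction (in or out), $3 = MSS
# Returns 1 on invalid input so a typo never produces a half-built rule set.
mss_clamp_rule() {
    case "$1" in
        FORWARD|OUTPUT) ;;
        # The TCPMSS target is accepted in the FORWARD, OUTPUT and POSTROUTING
        # hooks only, so packets arriving from the tunnel for the firewall
        # itself cannot be clamped in INPUT.  The OUTPUT rule clamps the MSS
        # the firewall advertises in its own SYN and SYN-ACK instead.
        *) echo "mss_clamp_rule: chain must be FORWARD or OUTPUT" >&2; return 1 ;;
    esac
    case "$2" in
        in|out) ;;
        *) echo "mss_clamp_rule: direction must be in or out" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!0-9]*) echo "mss_clamp_rule: MSS must be a number" >&2; return 1 ;;
    esac
    # 536 is the IPv4 default MSS; 1460 is the largest MSS that fits a 1500-byte MTU.
    if [ "$3" -lt 536 ] || [ "$3" -gt 1460 ]; then
        echo "mss_clamp_rule: MSS $3 outside 536..1460" >&2; return 1
    fi
    # --tcp-flags SYN,RST SYN: examine SYN and RST, match when only SYN is set.
    # -m policy --pol ipsec: only packets that are (or will be) IPsec-protected.
    printf '%s -t mangle -A %s -p tcp --tcp-flags SYN,RST SYN -m policy --dir %s --pol ipsec -j TCPMSS --set-mss %s\n' \
        "$IPTABLES" "$1" "$2" "$3"
}

# Print the complete rule set for an ipsec zone.  $1 = MSS (default 1350, the
# value from the zones file).  FORWARD out/in cover loc->vpn and vpn->loc;
# OUTPUT out covers fw->vpn and the SYN-ACKs the firewall returns for vpn->fw.
ipsec_mss_rules() {
    mss="${1:-1350}"
    mss_clamp_rule FORWARD out "$mss" &&
    mss_clamp_rule FORWARD in  "$mss" &&
    mss_clamp_rule OUTPUT  out "$mss"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the rule set; stops on first failure.
apply_ipsec_mss_rules() {
    rules=$(ipsec_mss_rules "$1") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | while IFS= read -r rule; do
            $rule || exit 1
        done
    fi
}
```

Run with `DRY_RUN=1 sh mss-clamp.sh` semantics in mind: source the file and call `apply_ipsec_mss_rules 1350` to review the three rules, then rerun with `DRY_RUN=0` to load them. A rule in INPUT is rejected deliberately, because the kernel's TCPMSS target does not register on that hook.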
Malte Starostik wrote:
> I've added this rule manually via an action script now and all is fine.
> But is there any builtin way to do this?

Not currently.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Malte Starostik wrote:
> I've added this rule manually via an action script now and all is fine.
> But is there any builtin way to do this?

Please try the attached patch to /usr/share/shorewall/firewall. It was created based on the 3.0.8 version but it will apply to 3.0.6 (with an offset of -20 lines).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Malte Starostik wrote:
>> I've added this rule manually via an action script now and all is fine.
>> But is there any builtin way to do this?
>
> Please try the attached patch to /usr/share/shorewall/firewall. It was created
> based on the 3.0.8 version but it will apply to 3.0.6 (with an offset of -20 lines).

Thanks, that does it indeed.

Cheers,
Malte
Malte Starostik wrote:
> Tom Eastep wrote:
>> Malte Starostik wrote:
>>> I've added this rule manually via an action script now and all is fine.
>>> But is there any builtin way to do this?
>>
>> Please try the attached patch to /usr/share/shorewall/firewall. It was created
>> based on the 3.0.8 version but it will apply to 3.0.6 (with an offset of -20 lines).
>
> Thanks, that does it indeed.

Thank you for testing it.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key