I re-installed one of my Linux routers today and was having problems
getting workstations from one end of the VPN link to ping workstations
on the other side of the link.

Workstation A <==> Shorewall A <= VPN => Shorewall B <==> Workstation B

Workstation A could ping all the way up to the inside interface on
Shorewall B, but not to the workstations beyond it. Ended up finding
out the config files were identical on each Shorewall router (except for
the appropriate IP/network differences) except for the policy file.
Both of them now look like the copy below and everything works fine.

However, before I fixed it, the broken end had the two vpn lines below
the net -> all line. My question is, why did the placement of these two
lines make all the difference?

I've got everything working now, I'm just trying to learn something....:)

#####################################################################
#SOURCE    DEST    POLICY    LOG       LIMIT:BURST
#                            LEVEL
#
loc        all     ACCEPT
$FW        all     ACCEPT
vpn        loc     ACCEPT
vpn        $FW     ACCEPT
net        all     DROP      info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all        all     REJECT    info
#
#LAST LINE -- DO NOT REMOVE

--
-----------------------------------------------------
Have Fun, Suffer and Survive, or Get Lost in the Net!
On Saturday 14 February 2004 10:34 pm, Mark Hoover wrote:
> I re-installed one of my Linux routers today and was having problems
> getting workstations from one end of the VPN link to ping workstations
> on the other side of the link.
>
> Workstation A <==> Shorewall A <= VPN => Shorewall B <==> Workstation B
>
> Workstation A could ping all the way up to the inside interface on
> Shorewall B, but not to the workstations beyond it. Ended up finding
> out the config files were identical on each Shorewall router (except for
> the appropriate IP/network differences) except for the policy file.
> Both of them now look like the copy below and everything works fine.
>
> However, before I fixed it, the broken end had the two vpn lines below
> the net -> all line. My question is, why did the placement of these two
> lines make all the difference?
>
> I've got everything working now, I'm just trying to learn something....:)

I can't tell you without seeing your /etc/shorewall/interfaces and
/etc/shorewall/hosts files.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom Eastep wrote:
> On Saturday 14 February 2004 10:34 pm, Mark Hoover wrote:
>
>>I re-installed one of my Linux routers today and was having problems
>>getting workstations from one end of the VPN link to ping workstations
>>on the other side of the link.
>>
>>Workstation A <==> Shorewall A <= VPN => Shorewall B <==> Workstation B
>>
>>Workstation A could ping all the way up to the inside interface on
>>Shorewall B, but not to the workstations beyond it. Ended up finding
>>out the config files were identical on each Shorewall router (except for
>>the appropriate IP/network differences) except for the policy file.
>>Both of them now look like the copy below and everything works fine.
>>
>>However, before I fixed it, the broken end had the two vpn lines below
>>the net -> all line. My question is, why did the placement of these two
>>lines make all the difference?
>>
>>I've got everything working now, I'm just trying to learn something....:)
>
>
> I can't tell you without seeing your /etc/shorewall/interfaces and
> /etc/shorewall/hosts files.

I've included /etc/shorewall/interfaces. I've never edited
/etc/shorewall/hosts so it's the same empty one that comes in the
Shorewall RPM.

#################################################################
#ZONE    INTERFACE    BROADCAST       OPTIONS
#
net      eth0         detect          dhcp
loc      eth1         172.16.2.255
vpn      tun0         172.16.3.255
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--
-----------------------------------------------------
Have Fun, Suffer and Survive, or Get Lost in the Net!
Mark Hoover
mahoover@ispaceonline.org
On Sunday 15 February 2004 09:14 am, Mark Hoover wrote:
>
> I've included /etc/shorewall/interfaces. I've never edited
> /etc/shorewall/hosts so it's the same empty one that comes in the
> Shorewall RPM.
>
> #################################################################
> #ZONE    INTERFACE    BROADCAST       OPTIONS
> #
> net      eth0         detect          dhcp
> loc      eth1         172.16.2.255
> vpn      tun0         172.16.3.255
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I can't see how the ordering of the policy file had anything to do with your
problem.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
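To make Tom's point concrete, here is an added example (my own code, not from the thread or from the Shorewall project) that evaluates both orderings of the policy file from the first message with first-match semantics, which is how Shorewall applies its policy entries, and also flags entries that an earlier, broader entry would shadow. The policy text is taken from the thread; the helper names are assumed.

```python
# Added example, not from the thread or Shorewall: first-match evaluation
# of the two policy orderings discussed above (helper names are my own).
POLICY_FIXED = """
loc   all   ACCEPT
$FW   all   ACCEPT
vpn   loc   ACCEPT
vpn   $FW   ACCEPT
net   all   DROP    info
all   all   REJECT  info
"""
# The "broken" end: the two vpn lines placed below net -> all.
POLICY_BROKEN = """
loc   all   ACCEPT
$FW   all   ACCEPT
net   all   DROP    info
vpn   loc   ACCEPT
vpn   $FW   ACCEPT
all   all   REJECT  info
"""

def parse_policy(text):
    # SOURCE DEST POLICY [LOGLEVEL]; '#' starts a comment.
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            f = line.split()
            entries.append((f[0], f[1], f[2].upper(), f[3] if len(f) > 3 else None))
    return entries

def matches(es, ed, src, dst):
    # 'all' matches any zone; otherwise the zone name must match exactly.
    return es in (src, "all") and ed in (dst, "all")

def lookup(entries, src, dst):
    # The first matching entry decides the policy for src -> dst traffic.
    for s, d, action, level in entries:
        if matches(s, d, src, dst):
            return action, level
    return None  # no catch-all entry

def shadowed(entries):
    # Entries that can never match because an earlier, broader entry wins.
    return [(s, d) for i, (s, d, _, _) in enumerate(entries)
            if any(matches(ps, pd, s, d) for ps, pd, _, _ in entries[:i])]

def compare(src, dst):
    # Disposition under the fixed ordering and under the "broken" ordering.
    return (lookup(parse_policy(POLICY_FIXED), src, dst),
            lookup(parse_policy(POLICY_BROKEN), src, dst))
```

For vpn -> loc traffic the net -> all entry never matches whatever its position, so both orderings give ACCEPT; shadowed() shows the only situation where order would matter, an earlier entry already covering the same zone pair.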
Tom Eastep wrote:
> On Sunday 15 February 2004 09:14 am, Mark Hoover wrote:
>
>
>>I've included /etc/shorewall/interfaces. I've never edited
>>/etc/shorewall/hosts so it's the same empty one that comes in the
>>Shorewall RPM.
>>
>>#################################################################
>>#ZONE    INTERFACE    BROADCAST       OPTIONS
>>#
>>net      eth0         detect          dhcp
>>loc      eth1         172.16.2.255
>>vpn      tun0         172.16.3.255
>>#
>>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> I can't see how the ordering of the policy file had anything to do with your
> problem.

I couldn't either, thought I was going crazy. Thanks for the lookover though....:)

--
-----------------------------------------------------
Have Fun, Suffer and Survive, or Get Lost in the Net!
Mark Hoover
mahoover@ispaceonline.org