Hello,

I guess this is an easy one, but I can't figure it out:

I have set up a pptp VPN server on the firewall, with the vpn users in a separate zone as in http://www.shorewall.net/PPTP.htm#ServerFW, "Remote Users in a Separate Zone" guide.

I don't want to give the vpn users access to my loc, net or dmz zones, I just want them to be able to see each other.
If I try to ping one from another I get this:

Dec 10 11:52:28 gateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC=192.168.97.234 DST=192.168.97.236 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11705 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560

Where should I put the rule to enable the above traffic?

I already placed the rule
vpn vpn ACCEPT
in my policy file, but with no results.

Thanks,
Marius
Hello,

I guess this is an easy one, but I can't figure it out:

I have set up a pptp VPN server on the firewall, with the vpn users in a separate zone as in http://www.shorewall.net/PPTP.htm#ServerFW, "Remote Users in a Separate Zone" guide.

I don't want to give the vpn users access to my loc, net or dmz zones, I just want them to be able to see each other.
If I try to ping one from another I get this:

Dec 10 11:52:28 gateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC=192.168.97.234 DST=192.168.97.236 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11705 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560

Where should I put the rule to enable the above traffic? And what is the rule I need?

I already placed the rule
vpn vpn ACCEPT
in my policy file, but with no results.

Thanks,
Marius
On Wednesday 10 December 2003 02:04 am, Marius Stan wrote:

Please send your post only once -- posting the same problem/question multiple times doesn't speed up a response and tends to annoy people.

> I have set up a pptp VPN server on the firewall, with the vpn users in a
> separate zone as in
> http://www.shorewall.net/PPTP.htm#ServerFW, "Remote Users in a Separate
> Zone" guide.
>
> I don't want to give the vpn users access to my loc, net or dmz zones, I
> just want them to be able to see each other.
> If I try to ping one from another I get this:
>
> Dec 10 11:52:28 gateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1
> SRC=192.168.97.234 DST=192.168.97.236 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=11705 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560
>
> Where should I put the rule to enable the above traffic?
>
> I already placed the rule
> vpn vpn ACCEPT
> in my policy file, but with no results.
>

I assume that in /etc/shorewall/interfaces you have:

vpn ppp+ -

You need to add the 'routeback' option to that entry.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
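An added check (not code from the thread or from Shorewall) that parses Shorewall log lines like the REJECT above, maps the IN and OUT interfaces back to their zones using a table in the shape of /etc/shorewall/interfaces, and flags FORWARD rejects whose two ends fall in the same zone without 'routeback'. The vpn/ppp+ row is the one Tom assumes; the eth0/eth1 rows and the second log line are constructed for the demonstration.

```python
import re
from fnmatch import fnmatch

# Constructed sample log: the REJECT line from the thread plus one made-up
# ppp0 -> eth0 line, so the check sees a same-zone and a cross-zone case.
SAMPLE_LOG = """\
Dec 10 11:52:28 gateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 SRC=192.168.97.234 DST=192.168.97.236 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11705 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560
Dec 10 11:53:01 gateway kernel: Shorewall:FORWARD:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.97.234 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11706 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2816
"""

# (zone, interface, options) rows in the shape of /etc/shorewall/interfaces.
# The vpn row is the one assumed in the reply; eth0/eth1 names are assumptions.
INTERFACES = [("vpn", "ppp+", "-"), ("net", "eth0", "-"), ("loc", "eth1", "-")]

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<kv>.*)")

def parse_line(line):
    """Split a Shorewall log line into chain, disposition and its KEY=VALUE fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return rec

def zone_of(iface, interfaces):
    """Map an interface name to its zone; Shorewall's trailing '+' is a prefix wildcard."""
    for zone, pattern, _opts in interfaces:
        if fnmatch(iface, pattern.replace("+", "*")):
            return zone
    return None

def has_routeback(zone, interfaces):
    return any(z == zone and "routeback" in opts.split(",") for z, _p, opts in interfaces)

def missing_routeback(log, interfaces):
    """Return (src, dst, zone) for FORWARD rejects/drops where IN and OUT belong
    to the same zone and that zone's interfaces entry lacks 'routeback'."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or rec["chain"] != "FORWARD" or rec["disp"] not in ("REJECT", "DROP"):
            continue
        zin, zout = zone_of(rec["IN"], interfaces), zone_of(rec["OUT"], interfaces)
        if zin is not None and zin == zout and not has_routeback(zin, interfaces):
            hits.append((rec["SRC"], rec["DST"], zin))
    return hits

if __name__ == "__main__":
    for src, dst, zone in missing_routeback(SAMPLE_LOG, INTERFACES):
        print(f"{src} -> {dst}: intra-{zone} forward rejected; add 'routeback' to the {zone} entry")
```

The cross-zone line (ppp0 to eth0) is not reported, since a vpn-to-net reject is exactly what the original poster's policy intends.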
Hi:

Pings are disallowed by default. Have you gone over this page:
http://www.shorewall.net/ping.html

You really need to post the information listed on
http://www.shorewall.net/support.htm
to help us help you, without guessing what you have in the other config files and to rule out other issues such as routing.

Jerry Vonau

----- Original Message -----
From: "Marius Stan" <mstan@asesoft.ro>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, December 10, 2003 07:49
Subject: [Shorewall-users] forwarding ppp - ppp
On Wednesday 10 December 2003 06:45 am, Marius Stan wrote:

> > You need to add the 'routeback' option to that entry.
>
> Tried this; didn't work

Then you must not be running version 1.4.8. You must be running that version in order for 'routeback' to work with wildcard interface names.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Wednesday 10 December 2003 06:53 am, Marius Stan wrote:

> You're right, shorewall-1.4.7-1 here.
> I'll upgrade the firewall and try your suggestion.
>
> Thanks
>
> Marius
>
> PS: this is just a thought: any chance of using the hosts file instead of
> upgrading?

No -- sorry. Upgrading from 1.4.7 to 1.4.8 is really painless -- the upgrade procedure retains all of your existing config files so you just install the new RPM or run install.sh from the tarball and restart shorewall.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net