claas@rootdir.de wrote:
> Hello,
>
> #--- file: policy ---
> #vpn policies:
> loc vpn ACCEPT info
> fw vpn ACCEPT info
> vpn loc ACCEPT info
> vpn fw ACCEPT info
>
> net all DROP info
> all all REJECT info
>
> #--- file: tunnels ---
> ipsec net 62.xxx.xxx.202
>
> #--- file: hosts ---
> vpn ppp0:192.168.176.0/24,62.xxx.xxx.202 ipsec
>
> #--- file: interfaces ---
> net ppp0 detect routefilter,tcpflags,nosmurfs
> loc eth0 detect dhcp
>
> #--- file: ipsec
> vpn Yes
>
> With the above, I cannot telnet from 192.168.176.2 within the
> VPN to 192.168.177.10 (local). The same is with telnetting from
> 192.168.176.1 (=62.xxx.xxx.202).
> From syslog:
> net2all:DROP:IN=ppp0 OUT=eth0 SRC=192.168.176.2 DST=192.168.177.10
> LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=48715 DF PROTO=TCP
> SPT=35378 DPT=9100 WINDOW=5440 RES=0x00 SYN URGP=0
>
> I need to add these rules:
> ACCEPT net:62.xxx.xxx.202 loc all
> ACCEPT net:192.168.176.0/24 loc all
>
> But the policy vpn->loc should have made this possible already,
> right?
> Is my policy file wrong?
> Do I need to specify vpn as GATEWAY_ZONE in file ipsec?

Something is wrong -- Try moving the 'vpn' zone to the top of your /etc/shorewall/zones file. If that doesn't work, please forward the output of "shorewall status".

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
claas@rootdir.de wrote:
> Hi Tom...
>
>>> that worked, thanks
>>
>> I would still like to see the output of "shorewall status" -- thanks,
>
> The last two emails were with 2.1.9 and with vpn policy first.
> Or did you want to see it with vpn policy last?

No, thanks. It turns out that the IPSEC zones do have to come first in /etc/shorewall/zones. This is to work around a restriction in the policy match extension that only allows an input or an output policy to be specified but not both. I've updated the 2.6 IPSEC documentation to reflect that.

-Tom
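To see why the zone order in /etc/shorewall/zones changes the verdict for the packet logged in the first message, here is a small Python model added to this thread (not Shorewall code and not a description of its internals): it assumes first-match-wins zone classification, uses the policy, hosts and interfaces entries quoted above, and substitutes 62.0.0.202 as a placeholder for the redacted 62.xxx.xxx.202 gateway address.

```python
import ipaddress

GW = "62.0.0.202"  # placeholder for the thread's redacted 62.xxx.xxx.202 gateway address

# Zone table as (zone, interface, allowed source networks or None, ipsec-only), in file order,
# constructed from the thread's interfaces/hosts files; only the order varies between the two.
def zones_vpn_last():
    return [
        ("net", "ppp0", None, False),
        ("loc", "eth0", None, False),
        ("vpn", "ppp0", ["192.168.176.0/24", GW + "/32"], True),
    ]

def zones_vpn_first():
    net, loc, vpn = zones_vpn_last()
    return [vpn, net, loc]

# Policy file from the thread, in file order: (source zone, destination zone, action).
POLICY = [
    ("loc", "vpn", "ACCEPT"), ("fw", "vpn", "ACCEPT"),
    ("vpn", "loc", "ACCEPT"), ("vpn", "fw", "ACCEPT"),
    ("net", "all", "DROP"), ("all", "all", "REJECT"),
]

def classify(zones, iface, addr, ipsec):
    """Assumed model: the first zone in file order whose interface, network and
    IPSEC requirement all match the packet wins; later zones are never consulted."""
    ip = ipaddress.ip_address(addr)
    for zone, zif, nets, ipsec_only in zones:
        if zif != iface or (ipsec_only and not ipsec):
            continue
        if nets and not any(ip in ipaddress.ip_network(n) for n in nets):
            continue
        return zone
    return None

def policy_for(src_zone, dst_zone):
    """First matching policy line, named like Shorewall's log prefix (e.g. net2all:DROP)."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return f"{src}2{dst}:{action}"
    return None

def verdict(zones, in_iface, src, out_iface, dst, ipsec_in):
    # Classify both ends of a forwarded packet, then look up the governing policy.
    return policy_for(classify(zones, in_iface, src, ipsec_in),
                      classify(zones, out_iface, dst, False))

if __name__ == "__main__":
    # The packet from the syslog line: 192.168.176.2 -> 192.168.177.10, decapsulated on ppp0
    pkt = ("ppp0", "192.168.176.2", "eth0", "192.168.177.10", True)
    print("vpn listed last: ", verdict(zones_vpn_last(), *pkt))   # net2all:DROP
    print("vpn listed first:", verdict(zones_vpn_first(), *pkt))  # vpn2loc:ACCEPT
```

With net listed before vpn the IPSEC traffic on ppp0 is swallowed by the net zone and hits the net all DROP policy, which is exactly the net2all:DROP chain in the log; with vpn first it is classified vpn-to-loc and accepted.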
Tom Eastep wrote:
> It turns out that the IPSEC zones do have to come first in
> /etc/shorewall/zones. This is to work around a restriction in the policy
> match extension that only allows an input or an output policy to be
> specified but not both.

I've been able to cleanly remove this restriction -- the code is in the CVS Shorewall2/ project and will be included in 2.1.11.

-Tom