From: Homer Parker
Subject: [Shorewall-users] Opportunistic encryption

Has anyone messed with opportunistic encryption in FreeS/WAN? As soon as I
run ipsec start, I get the following errors:

Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=64.216.105.3 DST=192.203.230.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33012 DPT=53 LEN=64
Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=64.216.105.3 DST=208.191.32.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=13340 DF PROTO=UDP SPT=33087 DPT=53 LEN=5

As soon as I run ipsec stop, they stop... This system works fine for normal
IPSec tunnels, as I followed Tom's great guides on his informative website
;) so I'm going to pass on posting configs this round.. I do run a DNS
server on this box, so this shouldn't be client requests... Again,
everything works fine until I try enabling OE... I searched the website,
and the mailing list archives and couldn't find where this had been
discussed before... As usual, points, tips, tricks, smacks upside the back
of the head, or anything else that could be considered help appreciated ;)

---
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net

This e-mail message is 100% Microsoft free!
WARNING: THIS ACCOUNT BELONGS TO A RABID ANTI-SPAMMER NET-NAZI DOT-COMMUNIST.

 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
> -----Original Message-----
> From: Homer Parker
> Subject: [Shorewall-users] Opportunistic encryption
>
> Has anyone messed with opportunistic encryption in FreeS/WAN? As soon
> as I run ipsec start, I get the following errors:
>
> Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
> SRC=64.216.105.3 DST=192.203.230.10 LEN=84 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=UDP SPT=33012 DPT=53 LEN=64
> Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
> SRC=64.216.105.3 DST=208.191.32.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64
> ID=13340 DF PROTO=UDP SPT=33087 DPT=53 LEN=5

I messed around with OE/IPSEC months ago, but behind my firewall. My goal
was just to determine the security impact of implementing OE within IPSEC.
I remember getting OE to work, but having to add a TSIG/TXT record to my
DNS zones (which could then be queried using dig) kinda bothered me from a
security perspective.

Anyway, based on my limited understanding of IPSEC/OE -- consider using the
ipsec _updown script to add the appropriate shorewall rules to allow DNS
queries to/from the ipsec client.

Steve Cowles
Cowles, Steve wrote:
>> -----Original Message-----
>> From: Homer Parker
>> Subject: [Shorewall-users] Opportunistic encryption
>>
>> Has anyone messed with opportunistic encryption in FreeS/WAN? As soon
>> as I run ipsec start, I get the following errors:
>>
>> Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
>> SRC=64.216.105.3 DST=192.203.230.10 LEN=84 TOS=0x00 PREC=0x00
>> TTL=64 ID=0 DF PROTO=UDP SPT=33012 DPT=53 LEN=64
>> Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
>> SRC=64.216.105.3 DST=208.191.32.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64
>> ID=13340 DF PROTO=UDP SPT=33087 DPT=53 LEN=5
>
> I messed around with OE/IPSEC months ago, but behind my firewall. My goal
> was just to determine the security impact of implementing OE within IPSEC.
> I remember getting OE to work, but having to add a TSIG/TXT record to my
> DNS zones (which could then be queried using dig) kinda bothered me from a
> security perspective.
>
> Anyway, based on my limited understanding of IPSEC/OE -- consider using the
> ipsec _updown script to add the appropriate shorewall rules to allow DNS
> queries to/from the ipsec client.

To eliminate the above messages, you could simply add a static rule such as:

ACCEPT fw vpn udp 53

Where 'vpn' is the zone used for the remote client/network.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Wed, 30 Oct 2002 07:56:39 -0600 "Cowles, Steve" <Steve@SteveCowles.com> wrote....

> > -----Original Message-----
> > From: Homer Parker
> > Subject: [Shorewall-users] Opportunistic encryption
> >
> > Has anyone messed with opportunistic encryption in FreeS/WAN? As soon
> > as I run ipsec start, I get the following errors:
> >
> > Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
> > SRC=64.216.105.3 DST=192.203.230.10 LEN=84 TOS=0x00 PREC=0x00
> > TTL=64 ID=0 DF PROTO=UDP SPT=33012 DPT=53 LEN=64
> > Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0
> > SRC=64.216.105.3 DST=208.191.32.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64
> > ID=13340 DF PROTO=UDP SPT=33087 DPT=53 LEN=5
>
> I messed around with OE/IPSEC months ago, but behind my firewall. My
> goal was just to determine the security impact of implementing OE within
> IPSEC. I remember getting OE to work, but having to add a TSIG/TXT
> record to my DNS zones (which could then be queried using dig) kinda
> bothered me from a security perspective.

Got that... It's just the public part of your key, so I don't see that as
an issue security wise..

> Anyway, based on my limited understanding of IPSEC/OE -- consider using
> the ipsec _updown script to add the appropriate shorewall rules to allow
> DNS queries to/from the ipsec client.

I'll look into that... Thanks!

---
Homer Parker
On Wed, 30 Oct 2002 06:21:35 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> To eliminate the above messages, you could simply add a static rule such
> as:
>
> ACCEPT fw vpn udp 53
>
> Where 'vpn' is the zone used for the remote client/network.

That fixed that error.... Brought in a whole slew of new ones ;) These are
from klips, so I'll chase them through FreeS/WAN first ;) But, I did come
up with a couple I don't remember seeing before:

Oct 30 10:36:45 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=13040 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
Oct 30 10:36:48 linux kernel: NET: 12 messages suppressed.
Oct 30 10:36:48 linux kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
Oct 30 10:36:48 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=13041 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24

Looks to me like pings to see if the root servers are alive?

---
Homer Parker
On Wed, 30 Oct 2002 10:35:33 -0600 Homer Parker <hparker@homershut.net> wrote....

> On Wed, 30 Oct 2002 06:21:35 -0800 Tom Eastep <teastep@shorewall.net>
> wrote....
>
> > To eliminate the above messages, you could simply add a static rule
> > such as:
> >
> > ACCEPT fw vpn udp 53
> >
> > Where 'vpn' is the zone used for the remote client/network.
>
> That fixed that error.... Brought in a whole slew of new ones ;) These
> are from klips, so I'll chase them through FreeS/WAN first ;) But, I did
> come up with a couple I don't remember seeing before:
>
> Oct 30 10:36:45 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> ID=13040 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
> Oct 30 10:36:48 linux kernel: NET: 12 messages suppressed.
> Oct 30 10:36:48 linux kernel: klips_error:ipsec_tunnel_start_xmit:
> ip_send() failed, err=1
> Oct 30 10:36:48 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> ID=13041 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
>
> Looks to me like pings to see if the root servers are alive?

Talking to myself again ;) A quick google turned up this:

----- Begin cut-n-paste -----
There was a question, what is:

> Nov 16 14:30:33 tunnelwien kernel:
> klips_error:ipsec_tunnel_start_xmit:ip_send(
> ) failed, err=-1

I must assume that this is 2.4. It would appear it is because a NetFilter
local output filter declined to forward the packet. I'd need a full barf
to know more.
----- End cut-n-paste -----

Where do I go from here?

---
Homer Parker
Homer Parker wrote:
> On Wed, 30 Oct 2002 06:21:35 -0800 Tom Eastep <teastep@shorewall.net>
> wrote....
>
>> To eliminate the above messages, you could simply add a static rule such
>> as:
>>
>> ACCEPT fw vpn udp 53
>>
>> Where 'vpn' is the zone used for the remote client/network.
>
> That fixed that error.... Brought in a whole slew of new ones ;) These
> are from klips, so I'll chase them through FreeS/WAN first ;) But, I did
> come up with a couple I don't remember seeing before:
>
> Oct 30 10:36:45 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> ID=13040 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
> Oct 30 10:36:48 linux kernel: NET: 12 messages suppressed.
> Oct 30 10:36:48 linux kernel: klips_error:ipsec_tunnel_start_xmit:
> ip_send() failed, err=1
> Oct 30 10:36:48 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> ID=13041 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
>
> Looks to me like pings to see if the root servers are alive?

Those are echo replies which are normally allowed because they are related
to a tracked echo request. Note that the source of these packets is your
firewall and they are being sent on eth1 -- Is that your external
interface? And is 128.63.2.52 the remote IPSEC gateway?

-Tom
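Tom's reading of the log lines rests on two fields: an empty IN= with a non-empty OUT= means the firewall itself generated the packet, and PROTO/TYPE/DPT say what kind of traffic was rejected. The following script, added here as an illustration and not part of the thread or of Shorewall, parses the Shorewall:<chain>:<target>: kernel log prefix into those fields and tallies the rejected flows by direction, interface and service, so that a log full of repeats collapses to a short list of what is actually being blocked. The sample lines are copied from the messages above; the non-Shorewall klips and "messages suppressed" lines are included to show that they are skipped.

```python
"""Summarise Shorewall REJECT/DROP log lines by what was blocked.

Added example for this thread; it is not Shorewall's own code.  It reads the
key=value fields that netfilter's LOG target writes after Shorewall's
"Shorewall:<chain>:<target>:" prefix.
"""
import re
from collections import Counter

# Sample input: log lines copied from the thread (kernel 2.4, Shorewall LOG
# prefix), plus two non-firewall lines that the parser must ignore.
SAMPLE_LOG = """\
Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=64.216.105.3 DST=192.203.230.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33012 DPT=53 LEN=64
Oct 29 23:51:20 linux kernel: Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=64.216.105.3 DST=208.191.32.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=13340 DF PROTO=UDP SPT=33087 DPT=53 LEN=5
Oct 30 10:36:45 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=13040 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
Oct 30 10:36:48 linux kernel: NET: 12 messages suppressed.
Oct 30 10:36:48 linux kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None otherwise."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "target": m.group("target")}
    for key, val in KV_RE.findall(m.group("rest")):
        # LEN and ID appear twice on some lines (IP header, then the ICMP
        # or UDP part); keep the first, which describes the IP header.
        rec.setdefault(key, val)
    # Bare flags such as DF carry no '=' and are simply not recorded.
    return rec


def direction(rec):
    """Classify from IN=/OUT=: empty IN= with an OUT= means the packet was
    generated by the firewall host itself (the fw zone), as in the thread."""
    if rec.get("IN", "") == "" and rec.get("OUT", ""):
        return "fw-originated"
    if rec.get("IN") and rec.get("OUT"):
        return "forwarded"
    return "inbound"


def describe(rec):
    """Reduce a record to (direction, interface, service) for tallying."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":
        svc = "icmp type %s code %s" % (rec.get("TYPE", "?"), rec.get("CODE", "?"))
    else:
        svc = "%s dport %s" % (proto.lower(), rec.get("DPT", "?"))
    return (direction(rec), rec.get("OUT") or rec.get("IN"), svc)


def summarise(text):
    """Count rejected flows by (direction, interface, service)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[describe(rec)] += 1
    return counts


if __name__ == "__main__":
    for (direc, iface, svc), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%3d  %-14s %-7s %s" % (n, direc, iface, svc))
```

Run against the sample it reports two fw-originated UDP/53 rejects on ipsec0 and one fw-originated ICMP echo reply (type 0) on eth1, which is the same grouping that leads to the `ACCEPT fw vpn udp 53` and `ACCEPT fw net icmp 0` rules discussed in the thread. On a live box the same function can be pointed at /var/log/messages to check whether a new rule actually removed the rejects it was meant to.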
On Wed, 30 Oct 2002 08:49:09 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> Homer Parker wrote:
> > On Wed, 30 Oct 2002 06:21:35 -0800 Tom Eastep <teastep@shorewall.net>
> > wrote....
> >
> >> To eliminate the above messages, you could simply add a static rule
> >> such as:
> >>
> >> ACCEPT fw vpn udp 53
> >>
> >> Where 'vpn' is the zone used for the remote client/network.
> >
> > That fixed that error.... Brought in a whole slew of new ones ;) These
> > are from klips, so I'll chase them through FreeS/WAN first ;) But, I
> > did come up with a couple I don't remember seeing before:
> >
> > Oct 30 10:36:45 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> > SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> > ID=13040 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
> > Oct 30 10:36:48 linux kernel: NET: 12 messages suppressed.
> > Oct 30 10:36:48 linux kernel: klips_error:ipsec_tunnel_start_xmit:
> > ip_send() failed, err=1
> > Oct 30 10:36:48 linux kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> > SRC=64.216.105.3 DST=128.63.2.52 LEN=52 TOS=0x00 PREC=0x00 TTL=255
> > ID=13041 PROTO=ICMP TYPE=0 CODE=0 ID=43520 SEQ=24
> >
> > Looks to me like pings to see if the root servers are alive?
>
> Those are echo replies which are normally allowed because they are
> related to a tracked echo request. Note that the source of these packets
> is your firewall and they are being sent on eth1 -- Is that your
> external interface? And is 128.63.2.52 the remote IPSEC gateway?

eth1 is the external (PCMCIA wireless, takes a while to initialize)...
128.63.2.52 is h-root.skitter.caida.org, a root server for DNS...
Opportunistic encryption is a tunnel on the fly.. If the other end
supports it, we have an encrypted link, if not, plain old TCP/IP link...
So, anything can be the other end of the link, and all destination points
are tried... Also, I could go nowhere while I had ipsec running... See
google find in next post for more info...

---
Homer Parker
Homer Parker wrote:
>
> eth1 is the external (PCMCIA wireless, takes a while to initialize)...
> 128.63.2.52 is h-root.skitter.caida.org, a root server for DNS...
> Opportunistic encryption is a tunnel on the fly.. If the other end
> supports it, we have an encrypted link, if not, plain old TCP/IP link...
> So, anything can be the other end of the link, and all destination points
> are tried... Also, I could go nowhere while I had ipsec running... See
> google find in next post for more info...
>

Then the icmp packets you are seeing make no sense at all since it's
highly unlikely that a root name server is pinging you. I'm afraid I'm not
going to be of any more help on this one.

-Tom
Tom Eastep wrote:
>
> Homer Parker wrote:
>
>> eth1 is the external (PCMCIA wireless, takes a while to initialize)...
>> 128.63.2.52 is h-root.skitter.caida.org, a root server for DNS...
>> Opportunistic encryption is a tunnel on the fly.. If the other end
>> supports it, we have an encrypted link, if not, plain old TCP/IP link...
>> So, anything can be the other end of the link, and all destination points
>> are tried... Also, I could go nowhere while I had ipsec running... See
>> google find in next post for more info...
>>
>
> Then the icmp packets you are seeing make no sense at all since it's
> highly unlikely that a root name server is pinging you. I'm afraid I'm
> not going to be of any more help on this one.
>

You can of course simply take the brute force approach and add this to
your rules file:

ACCEPT fw net icmp 0

Don't know where that will lead though...

-Tom
On Wed, 30 Oct 2002 09:23:52 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> You can of course simply take the brute force approach and add this to
> your rules file:
>
> ACCEPT fw net icmp 0
>
> Don't know where that will lead though...

Here's the page at FreeS/WAN that tells how to set up the firewall for an
opportunistic gateway... I tried to implement this in shorewall, but... I
must have missed something... Not getting the ICMP errors, but am getting
the other error still, and no data transfer :( Can you convert these to
shorewall rules for me? Thanks!

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/quickstart-firewall.html

---
Homer Parker
Homer Parker wrote:
> On Wed, 30 Oct 2002 09:23:52 -0800 Tom Eastep <teastep@shorewall.net>
> wrote....
>
>> You can of course simply take the brute force approach and add this to
>> your rules file:
>>
>> ACCEPT fw net icmp 0
>>
>> Don't know where that will lead though...
>
> Here's the page at FreeS/WAN that tells how to set up the firewall for an
> opportunistic gateway... I tried to implement this in shorewall, but... I
> must have missed something... Not getting the ICMP errors, but am getting
> the other error still, and no data transfer :( Can you convert these to
> shorewall rules for me? Thanks!
>

No I won't, but I'll tell you to add an ipsec tunnel entry in
/etc/shorewall/tunnels -- that produces the same rules.

-Tom
On Thu, 31 Oct 2002 06:26:25 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> No I won't, but I'll tell you to add an ipsec tunnel entry in
> /etc/shorewall/tunnels -- that produces the same rules.

This is what has been in there all along:

ipsec net 0.0.0.0/0

Like I said, normal IPSec tunnels work fine, but the OE ones don't..
Everything I find on the net for that error says it's the firewall :(

---
Homer Parker
Homer Parker wrote:
> On Thu, 31 Oct 2002 06:26:25 -0800 Tom Eastep <teastep@shorewall.net>
> wrote....
>
>> No I won't, but I'll tell you to add an ipsec tunnel entry in
>> /etc/shorewall/tunnels -- that produces the same rules.
>
> This is what has been in there all along:
>
> ipsec net 0.0.0.0/0
>
> Like I said, normal IPSec tunnels work fine, but the OE ones don't..
> Everything I find on the net for that error says it's the firewall :(
>

That seems to be a common problem -- if people can't connect, it obviously
has to be their firewall. Couldn't be any of the other 100s of components
in the network...

To remove Shorewall from the equation:

shorewall clear
iptables -t nat -A POSTROUTING -s <your internal net> \
    -o <your external interface> -j MASQUERADE

Now test OE again.

-Tom
On Thu, 31 Oct 2002 08:02:52 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> That seems to be a common problem -- if people can't connect, it
> obviously has to be their firewall. Couldn't be any of the other 100s of
> components in the network...
>
> To remove Shorewall from the equation:
>
> shorewall clear
> iptables -t nat -A POSTROUTING -s <your internal net> \
>     -o <your external interface> -j MASQUERADE
>
> Now test OE again.

That got rid of all the errors in the log files... But, I could still not
transfer any data, to an OE site or not.. Which is the same result I just
got using the rules on their page... So, I guess I'm fighting multiple
problems :(

---
Homer Parker
--On Thursday, October 31, 2002 10:20:54 AM -0600 Homer Parker wrote:

> That got rid of all the errors in the log files... But, I could still not
> transfer any data, to an OE site or not.. Which is the same result I just
> got using the rules on their page... So, I guess I'm fighting multiple
> problems :(
>

If stopping Shorewall got rid of FreeS/WAN error messages and you aren't
seeing any Shorewall messages in your log then the affected packets must be
being silently dropped or rejected -- Shorewall can do that in one of
several places:

a) common and icmpdef chains
b) newnotsyn chain (if LOGNEWNOTSYN="" or if the log level isn't routed by
   syslogd)
c) blacklst chain
d) man1918 and rfc1918 chains
e) rules file
f) a REJECT or DROP policy that doesn't specify a log level or that
   specifies a log level that isn't routed by syslogd

-Tom