This one is a bit complex so if no help is forthcoming, I understand.
I have 2 shorewall firewalls (1.3.13) up and running. (both machines running
Gentoo Linux 1.4_rc2) I have freeswan (1.98) running on each of them. I have
squid setup as a caching/filtering server on each of them. Each of them was
originally setup using the Two-interface Quick Start Guide. Then the Squid
guide and then the IPSEC guide.
192.168.0.0/24 -> firewall -> internet -> firewall -> 192.168.2.0/24
From machines inside each network I can ping machines on the other network.
I can mount shares across the tunnel. The tunnel is up, solid and working.
HOWEVER, I cannot point a web browser from a machine on one network to a web
server on another network.
I think it may have something to do with squid but in checking the squid
logs, I do not see any rejects.
The strange thing is that I don't see much of anything logged when I
try:
lynx http://192.168.2.11 from the 192.168.0.250 network.
no shorewall log entries at all on either server.
tcpdump -i ipsec0 on the 192.168.0.0 network shows outbound traffic but when
I run the same command on the 192.168.2.0 network, there is no incoming
traffic.
fw-nashville shorewall # tcpdump -i ipsec0
tcpdump: listening on ipsec0
11:34:09.483776 pcp02685404pcs.nash01.tn.comcast.net.4838 >
192.168.2.11.www: S 892215623:892215623(0) win 32440 <mss
16220,nop,nop,sackOK,nop,wscale 0> (DF)
Per the Squid setup guide on the shorewall website, I have:
REDIRECT loc 3128 tcp www
ACCEPT fw net tcp www
in my rules files on both servers.
My policies file on both servers has:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Local Policies
#
loc net ACCEPT
loc vpn ACCEPT
loc fw ACCEPT
#
# firewall policies
#
fw net ACCEPT
fw loc ACCEPT
fw vpn ACCEPT
#
# VPN policies
#
vpn loc ACCEPT
vpn fw ACCEPT
vpn all DROP info
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Anyone have ANY idea where I can start looking?
TIA,
=C
* Cal Evans
* Stay Plugged Into Your Audience
* http://www.christianperformer.com
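Added example, not part of the original message or of Shorewall itself: a small Python script that reads the rules and policy entries quoted in the post and reports which entry would decide a given packet, following the order Shorewall uses (rules file top to bottom first, then the first matching policy). A REDIRECT entry is applied on the source zone's interface and matches on source zone, protocol and port only; the destination zone is never consulted, and the ORIGINAL DEST column is the one place its scope can be narrowed. Run against the posted configuration, the trace shows that a web request from loc to 192.168.2.11 is taken by the REDIRECT entry and handed to squid on the firewall before the "loc vpn ACCEPT" policy is ever reached, which is consistent with the tcpdump above showing the firewall's own address rather than a 192.168.0.x host as the source on ipsec0. The second rules variant, with `!192.168.2.0/24` in the ORIGINAL DEST column, is my assumption based on the Squid guide's use of that column to exclude an address; check it against the syntax of the installed Shorewall version before relying on it. Zone names, addresses and ports come from the post; the SERVICES table is a constructed stand-in for /etc/services.

```python
"""Trace a packet through Shorewall 1.3-style rules and policy entries.

Added example (not from the original post or from Shorewall): it parses the
two files the post quotes and reports which entry decides a packet, so the
interaction between a REDIRECT rule and the zone policies can be checked
without touching a live firewall.
"""
import ipaddress

# Constructed sample input: the rules and policies quoted in the post.
RULES = """\
REDIRECT loc 3128 tcp www
ACCEPT fw net tcp www
"""

# Assumed variant: ORIGINAL DEST exclusion keeps the VPN subnet out of the
# transparent proxy.  Syntax borrowed from the Squid guide's address exclusion;
# verify against the installed version's documentation.
SCOPED_RULES = """\
REDIRECT loc 3128 tcp www - !192.168.2.0/24
ACCEPT fw net tcp www
"""

POLICIES = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc vpn ACCEPT
loc fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
fw vpn ACCEPT
vpn loc ACCEPT
vpn fw ACCEPT
vpn all DROP info
net all DROP info
all all REJECT info
"""

# Constructed stand-in for /etc/services, enough for the posted entries.
SERVICES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def _port(token):
    """Resolve a port column ('www', '80', '-') to an int; '-' is a wildcard."""
    if token == "-":
        return None
    return SERVICES[token] if token in SERVICES else int(token)


def _strip(text):
    """Yield non-empty, non-comment lines of a Shorewall file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_rules(text):
    """Columns: ACTION SOURCE DEST PROTO DPORT [SPORT] [ORIGINAL DEST]."""
    rules = []
    for line in _strip(text):
        f = line.split()
        f += ["-"] * (7 - len(f))  # pad optional columns with the wildcard
        rules.append({"action": f[0], "src": f[1], "dst": f[2], "proto": f[3],
                      "dport": _port(f[4]), "origdest": f[6], "text": line})
    return rules


def parse_policies(text):
    """Columns: SOURCE DEST POLICY [LOG LEVEL]; 'all' matches any zone."""
    return [{"src": f[0], "dst": f[1], "policy": f[2], "text": line}
            for line in _strip(text) for f in [line.split()]]


def _orig_dest_ok(spec, dst_ip):
    """ORIGINAL DEST: '-' any; 'a,b' only those nets; '!a,b' all but those."""
    if spec == "-":
        return True
    negate = spec.startswith("!")
    nets = [ipaddress.ip_network(n, strict=False) for n in spec.lstrip("!").split(",")]
    inside = any(ipaddress.ip_address(dst_ip) in n for n in nets)
    return not inside if negate else inside


def _rule_matches(rule, pkt):
    if rule["src"] not in ("all", pkt["src_zone"]):
        return False
    if rule["proto"] not in ("-", pkt["proto"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["action"] == "REDIRECT":
        # Applied in PREROUTING on the source zone; the DEST column is the local
        # port, the destination zone is not looked at, only ORIGINAL DEST can
        # narrow the match.
        return _orig_dest_ok(rule["origdest"], pkt["dst_ip"])
    return rule["dst"] in ("all", pkt["dst_zone"])


def trace(rules_text, policies_text, src_zone, dst_zone, proto, dport, dst_ip):
    """Return the entry that decides the packet: rules first, then policy."""
    pkt = {"src_zone": src_zone, "dst_zone": dst_zone, "proto": proto,
           "dport": dport, "dst_ip": dst_ip}
    for i, rule in enumerate(parse_rules(rules_text), 1):
        if _rule_matches(rule, pkt):
            port = int(rule["dst"]) if rule["action"] == "REDIRECT" else None
            return {"action": rule["action"], "redirect_port": port,
                    "decided_by": f"rule {i}: {rule['text']}"}
    for pol in parse_policies(policies_text):
        if pol["src"] in ("all", src_zone) and pol["dst"] in ("all", dst_zone):
            return {"action": pol["policy"], "redirect_port": None,
                    "decided_by": f"policy: {pol['text']}"}
    return {"action": "NONE", "redirect_port": None, "decided_by": "no entry matched"}


if __name__ == "__main__":
    cases = [("loc", "vpn", "192.168.2.11"), ("vpn", "loc", "192.168.0.250"),
             ("net", "loc", "192.168.0.250")]
    for src, dst, ip in cases:
        print(f"{src}->{dst} tcp/80 to {ip} (posted):",
              trace(RULES, POLICIES, src, dst, "tcp", 80, ip))
    print("loc->vpn tcp/80 to 192.168.2.11 (scoped REDIRECT):",
          trace(SCOPED_RULES, POLICIES, "loc", "vpn", "tcp", 80, "192.168.2.11"))
```

The interesting output is the first line: the request to the far-side web server never reaches the "loc vpn ACCEPT" policy because the REDIRECT entry claims it first, while return traffic vpn->loc and anything from net are decided by policy as expected. With the scoped variant the same request falls through to the policy and crosses the tunnel with its original source address.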