Well, I went ahead and installed pptpd on my FW2 from yesterday's
discussion. I got a connection up and running, but it seems like my pptp
traffic doesn't obey my rules. Here is the scenario.
Remote System == DSL == [NET]FW1[LOC] == [NWL]FW2[JVC] == Local System
[NET]FW1: 213.212.33.18/28
FW1[LOC]: 192.168.221.7/24
[NWL]FW2: 192.168.221.205/24
FW2[JVC]: 10.200.47.0/24
To this I have added PPTPd (config files at the end). When I connect to
the pptpd, the client is assigned 192.168.226.178; I can ping
10.200.47.0/24 as expected, but I can _also_ ping anything else, which
is not what I wanted. What have I missed here?
I have defined it as this:
ndc5-router-1:/etc/shorewall# less interfaces | grep -v ^#
nwl eth0 detect
jvc eth1 detect
vpn ppp0 detect
ndc5-router-1:/etc/shorewall# less zones | grep -v ^#
net Net Internet
loc Local Local networks
nwl NWL New Wave Network
jvc JVC JVC Network
dmz DMZ Demilitarized zone
vpn VPN VPN
ndc5-router-1:/etc/shorewall# less policy | grep -v ^#
$FW all ACCEPT
all all REJECT info
dc5-router-1:/etc/shorewall# less rules | grep -v ^#
ACCEPT nwl $FW tcp ssh
ACCEPT $FW nwl tcp www,domain,ssh
ACCEPT $FW nwl udp www,domain
ACCEPT all $FW icmp
ACCEPT $FW all icmp
ACCEPT jvc nwl:192.168.221.3 all
ACCEPT nwl jvc icmp
ACCEPT jvc nwl icmp
ACCEPT nwl $FW tcp 1723
ACCEPT nwl $FW 47 -
ndc5-router-1:/etc/shorewall# less /etc/pptpd.conf | grep -v ^#
speed 115200
option /etc/ppp/pptpd-options
debug
localip 192.168.226.205
remoteip 192.168.226.178-185
ndc5-router-1:/etc/shorewall# less /etc/ppp/pptpd-options | grep -v ^#
debug
name ndc5-router-1
domain nwl.se
auth
netmask 255.255.255.0
nodefaultroute
proxyarp
lock
ndc5-router-1:/etc/shorewall# shorewall status
Shorewall-1.4.4b Status at ndc5-router-1 - Fri Jul 25 14:14:30 CEST 2003
Counters reset Fri Jul 25 14:06:42 CEST 2003
Chain INPUT (policy DROP 2 packets, 478 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
727 74638 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
107 10995 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
24 3498 ppp_in all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
24 3498 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
24 2304 ppp_fwd all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
24 2304 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
512 73210 fw2nwl all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fw2jvc all -- * eth1 0.0.0.0/0 0.0.0.0/0
24 2976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (8 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
222 37972 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (3 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
225 30434 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
25 3852 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
20 9488 DROP all -- * * 0.0.0.0/0 192.168.221.255
0 0 DROP all -- * * 0.0.0.0/0 10.200.47.255

Chain dmz2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dynamic (6 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 nwl2jvc all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
727 74638 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
727 74638 nwl2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 jvc2nwl all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
107 10995 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
107 10995 jvc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2all (6 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
10 1736 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2dmz (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2jvc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2nwl (1 references)
pkts bytes target prot opt in out source destination
501 71408 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:80
1 66 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
10 1736 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2vpn (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain jvc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
107 10995 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain jvc2nwl (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.221.3 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (16 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nwl2fw (1 references)
pkts bytes target prot opt in out source destination
600 46713 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 900 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
115 26977 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nwl2jvc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source destination
24 2304 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ppp_in (1 references)
pkts bytes target prot opt in out source destination
24 3498 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
225 30434 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain vpn2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Jul 25 13:53:12 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42491 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3328
Jul 25 13:53:13 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42494 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3584
Jul 25 13:53:14 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42497 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3840
Jul 25 13:53:15 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42500 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=4096
Jul 25 13:56:05 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42757 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=256
Jul 25 13:56:06 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42762 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=512
Jul 25 13:56:07 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42767 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=768
Jul 25 13:56:08 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42773 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1024
Jul 25 13:58:25 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42939 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1280
Jul 25 13:58:26 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42942 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1536
Jul 25 13:58:27 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42945 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1792
Jul 25 13:58:28 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42948 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2048
Jul 25 13:59:17 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.226.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43058 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=256
Jul 25 13:59:18 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.226.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43069 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=512
Jul 25 13:59:19 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.226.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43093 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=768
Jul 25 13:59:20 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.226.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43113 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1024
Jul 25 14:02:07 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43382 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2304
Jul 25 14:02:08 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43385 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560
Jul 25 14:02:09 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43388 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2816
Jul 25 14:02:10 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43391 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3072
NAT Table

Chain PREROUTING (policy ACCEPT 75313 packets, 13M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 3362 packets, 406K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3301 packets, 403K bytes)
pkts bytes target prot opt in out source destination

Mangle Table

Chain PREROUTING (policy ACCEPT 141K packets, 46M bytes)
pkts bytes target prot opt in out source destination
935 97557 pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 111K packets, 17M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 29541 packets, 28M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37184 packets, 5920K bytes)
pkts bytes target prot opt in out source destination
573 103K outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 69207 packets, 35M bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
413 87496 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
492 34080 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 431611 ESTABLISHED src=192.168.221.207 dst=192.168.221.205 sport=3207 dport=22 src=192.168.221.205 dst=192.168.221.207 sport=22 dport=3207 [ASSURED] use=1
unknown 47 193 src=192.168.221.62 dst=192.168.221.205 src=192.168.221.205 dst=192.168.221.62 use=1
tcp 6 432000 ESTABLISHED src=192.168.221.207 dst=192.168.221.205 sport=1512 dport=22 src=192.168.221.205 dst=192.168.221.207 sport=22 dport=1512 [ASSURED] use=1
ndc5-router-1:/etc/shorewall#
Jan Johansson
2003-Jul-25 06:46 UTC
[SOLVED!!!] [Shorewall-users] PPTP-zone not obeying rules?
I am so sorry all, I am SO stupid, SO SO SO SO SO stupid, I will repeatedly hit myself over the head with a surprisingly large herring. The computer I was testing it all from had (in addition to the dialup connection) a WLAN card... and that interface came up without me noticing, and snagged an IP on the local net. So of course it could ping both subnets. After disabling the WLAN, the setup worked as I expected. Tom, shorewall IS amazing.
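As an added example (not from Jan's posts or from Shorewall), a Python script that tallies the posted Shorewall REJECT log lines by interface pair and source/destination, and flags ppp0 sources that fall outside the pptpd remoteip pool. The sample lines are copied from the log in the first post (trimmed syslog prefix as shown there) and the pool bounds from its pptpd.conf.

```python
"""Tally Shorewall REJECT lines by path (IN, OUT, SRC, DST) and flag ppp0
sources outside the pptpd remoteip pool. Added example, not Shorewall code."""
import re
from collections import Counter
from ipaddress import ip_address

# remoteip 192.168.226.178-185 from the posted pptpd.conf
POOL_LO, POOL_HI = ip_address("192.168.226.178"), ip_address("192.168.226.185")

# Constructed sample: four entries in the trimmed format shown in the post.
SAMPLE_LOG = """\
Jul 25 13:53:12 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=10.47.200.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42491 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3328
Jul 25 13:59:17 all2all:REJECT:IN=ppp0 OUT=eth0 SRC=192.168.226.178 DST=10.47.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43058 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=256
Jul 25 14:02:07 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43382 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2304
Jul 25 14:02:08 all2all:REJECT:IN=ppp0 OUT=eth1 SRC=192.168.226.178 DST=10.200.47.200 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=43385 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2560
"""

# "<Mon DD hh:mm:ss> <chain>:<disposition>:<KEY=VALUE ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # KEY=VALUE pairs; ID= occurs twice (IP header, then ICMP id), the later one wins
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return {"ts": m.group("ts"), "chain": m.group("chain"), "disp": m.group("disp"),
            "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
            "src": fields.get("SRC", ""), "dst": fields.get("DST", ""),
            "proto": fields.get("PROTO", "")}


def summarize(log_text):
    """Count REJECTs per (IN, OUT, SRC, DST); collect ppp0 sources not in the pool."""
    paths, foreign = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disp"] != "REJECT":
            continue
        paths[(rec["in"], rec["out"], rec["src"], rec["dst"])] += 1
        if rec["in"] == "ppp0" and rec["src"] and \
                not POOL_LO <= ip_address(rec["src"]) <= POOL_HI:
            foreign.add(rec["src"])
    return paths, foreign


if __name__ == "__main__":
    paths, foreign = summarize(SAMPLE_LOG)
    for (iface_in, iface_out, src, dst), n in sorted(paths.items()):
        print(f"{n:3d} REJECT  {iface_in} -> {iface_out}  {src} -> {dst}")
    if foreign:
        print("ppp0 sources outside the pptpd pool:", ", ".join(sorted(foreign)))
```

On the posted lines every ppp0 path ends in REJECT, which is FW2 enforcing the `all all REJECT` policy; a ping that nonetheless succeeded therefore never crossed FW2, which is consistent with the WLAN card explanation in the follow-up.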