thr3ads.net - Shorewall users - [Shorewall-users] freeswan ipsec

If this information is useful, please help other people find it:
Share via:

Noël Nachtegael

2003-Oct-29 02:03 UTC

[Shorewall-users] freeswan ipsec - shorewall

hi,

I try to run freeswan IPSEC (2.02) and Shorewall (1.4.4.b) on the same linux 
box (redhat 9.0). The linux box is connected to internet with a cable-modem 
(Alactel speed touch home).

When I start IPSEC alone, I can make  a connection with a outside roadwarrior 
(a XP system). All things are working (except ping time out response)

With Shorewall enabled, I can''t make the IPSEC connection.
with IPSEC enabled, I can connect anymore internet from my local net

I guess it''s a routing issue...Could somebody help me?

In my linux Shorewall config, I set
vpn	VPN	remote subnet		in /etc/shorewall/zones
vpn	 ipsec0 				in /etc/shorewall/interfaces
ipsec	 net	0.0.0.0/0	vpn		in /etc/shorewall/tunnels
loc	vpn	ACCEPT	-		in /etc/shorewall/policy
vpn	loc	ACCEPT	-

In my linux ipsec.conf: interfaces=%defaultroute

the output''s of route -n are:
80.200.17.1 is the outside dyn IP of my cable-modem
192.168.1.0/24 is the subnet on the linux side
I don''t now the origin of 169.254.0.0

no shorewall no ipsec:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0 ppp0

shorewall no ipsec:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0 ppp0

no shorewall ipsec:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0 ppp0

shorewall ipsec:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0 ppp0

Holger Brückner

2003-Oct-29 02:22 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

what are the logfiles saying ?!?

and half of your configuration won''t help much.
are you building a host-host, net-host, host-net or net-net tunnel ?!?


On Wed, 2003-10-29 at 11:03, No?l Nachtegael wrote:> hi,
> 
> I try to run freeswan IPSEC (2.02) and Shorewall (1.4.4.b) on the same
linux
> box (redhat 9.0). The linux box is connected to internet with a cable-modem
> (Alactel speed touch home).
> 
> When I start IPSEC alone, I can make  a connection with a outside
roadwarrior
> (a XP system). All things are working (except ping time out response)
> 
> With Shorewall enabled, I can''t make the IPSEC connection.
> with IPSEC enabled, I can connect anymore internet from my local net
> 
> I guess it''s a routing issue...Could somebody help me?
> 
> In my linux Shorewall config, I set
> vpn	VPN	remote subnet		in /etc/shorewall/zones
> vpn	 ipsec0 				in /etc/shorewall/interfaces
> ipsec	 net	0.0.0.0/0	vpn		in /etc/shorewall/tunnels
> loc	vpn	ACCEPT	-		in /etc/shorewall/policy
> vpn	loc	ACCEPT	-
> 
> In my linux ipsec.conf: interfaces=%defaultroute
> 
> the output''s of route -n are:
> 80.200.17.1 is the outside dyn IP of my cable-modem
> 192.168.1.0/24 is the subnet on the linux side
> I don''t now the origin of 169.254.0.0
> 
> no shorewall no ipsec:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
> 
> shorewall no ipsec:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
> 
> no shorewall ipsec:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ipsec0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
> 128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
> 
> shorewall ipsec:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ipsec0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
> 128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
> 
>  
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Noël Nachtegael

2003-Oct-29 02:45 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

this my ipsec.conf ... what more do you need?

version	2.0	# conforms to second version of ipsec.conf specification

# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file


# More elaborate and more varied sample configurations can be found
# in doc/examples.


# basic configuration

config setup
        interfaces=%defaultroute
	klipsdebug=none
        plutodebug=none
	uniqueids=yes

conn %default
        keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrior-net
	leftsubnet=192.168.1.0/24
	also=roadwarrior
 
conn roadwarrior
	right=%any
	left=chivas-hectordenis.dnsalias.org
	leftcert=chivas.hectordenis.net.pem
	leftnexthop=%defaultroute
	auto=add
	pfs=yes

Holger Brückner

2003-Oct-29 03:12 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

this is freeswan with x509 patch ?
them i''m missing some leftid/rightid lines

but anyway .. have a look at you log files while trying to build the
tunnel, when shorewall is on. then you will have pointers what might go
wrong.

you know that you should have the following in ipsec.conf to turn of
opportunistic keying (freeswan > 2.0):

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore



On Wed, 2003-10-29 at 11:45, No?l Nachtegael wrote:> this my ipsec.conf ... what more do you need?
> 
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
> 
> 
> # More elaborate and more varied sample configurations can be found
> # in doc/examples.
> 
> 
> # basic configuration
> 
> config setup
>         interfaces=%defaultroute
> 	klipsdebug=none
>         plutodebug=none
> 	uniqueids=yes
> 
> conn %default
>         keyingtries=1
> 	compress=yes
> 	disablearrivalcheck=no
> 	authby=rsasig
> 	leftrsasigkey=%cert
> 	rightrsasigkey=%cert
> 
> conn roadwarrior-net
> 	leftsubnet=192.168.1.0/24
> 	also=roadwarrior
>  
> conn roadwarrior
> 	right=%any
> 	left=chivas-hectordenis.dnsalias.org
> 	leftcert=chivas.hectordenis.net.pem
> 	leftnexthop=%defaultroute
> 	auto=add
> 	pfs=yes
>  
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Noël Nachtegael

2003-Oct-29 05:17 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

hi,

thanks for your answers
yes it''s a x509 patched freeswan

I did nothing special in the configs and I followed 
http://www.natecarlson.com/linux/ipsec-x509.php and 
http://www.shorewall.net/IPSEC.htm


My only problem is that I can''t work with Shorewall and Freeswan
together.
if I do ''shorewall clear'' I can connect the xp and linux box
with x509
certificates.

my objective is to put in place a safe firewall on a linux box, giving 
internet access to the connected users on my behind local network and also, 
in the same time, giving a safe connection between my local net and 
roadwarriors.

When I only start ipsec (/etc/rc.d/init.d/ipsec start) on my linux box, 
without any connection, my shorewall seems inactive and I can''t connect
anymore internet from my local subnet or from my firewall.

did someone the same try?
is there a common ''stupid'' solution?
do I have to define the tunnel as an ''ipsecnat'' tunnel?

I read pages and pages on the net but I didn''t find a solution.

Holger Brückner

2003-Oct-29 05:59 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

you do not read what i write ;)

you have to turn off opportunistic encryption (it''s enabled by default)
with the rules i gave you.

you do know that from, the roadwarrior you cannot ping/connect to the
ipsec router without some routing tricks, only to the subnet behind it ?

and third time: LOOK AT THE LOGS, there must be something telling you
why it isn''t working

here is my ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none,
"all" for
lots.
        # klipsdebug=all
        # plutodebug=dns
        # interfaces="ipsec0=eth1"

conn %default
        authby=rsasig
        rightrsasigkey=%cert
        left=x.x.x.x
        leftnexthop=x.x.x.y
        leftsubnet=10.0.0.0/24
        leftcert=netlabsCert.pem
        leftid="/C=DE/ST=Germany/O=net-labs Systemhaus
GmbH/OU=CA/CN=vpn.net-labs.de/Email=info@net-labs.de"
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn fmg
        right=%any
        rightsubnet=10.10.0.0/24
        rightid="/C=DE/ST=Germany/O=net-labs Systemhaus
GmbH/OU=CA/CN=vpn.fmg.local/Email=info@net-labs.de"

conn vat
        right=%any
        rightsubnet=10.10.8.0/24
        rightid="/C=DE/ST=Germany/O=net-labs Systemhaus
GmbH/OU=CA/CN=vpn.vat.local/Email=info@net-labs.de"

conn lcr
        right=%any
        rightsubnet=10.10.4.0/24
        rightid="/C=DE/ST=Germany/O=net-labs Systemhaus
GmbH/OU=CA/CN=vpn.lcr.local/Email=info@net-labs.de"


On Wed, 2003-10-29 at 14:16, No?l Nachtegael wrote:> hi,
> 
> thanks for your answers
> yes it''s a x509 patched freeswan
> 
> I did nothing special in the configs and I followed 
> http://www.natecarlson.com/linux/ipsec-x509.php and 
> http://www.shorewall.net/IPSEC.htm
> 
> 
> My only problem is that I can''t work with Shorewall and Freeswan
together.
> if I do ''shorewall clear'' I can connect the xp and linux
box with x509
> certificates.
> 
> my objective is to put in place a safe firewall on a linux box, giving 
> internet access to the connected users on my behind local network and also,
> in the same time, giving a safe connection between my local net and 
> roadwarriors.
> 
> When I only start ipsec (/etc/rc.d/init.d/ipsec start) on my linux box, 
> without any connection, my shorewall seems inactive and I can''t
connect
> anymore internet from my local subnet or from my firewall.
> 
> did someone the same try?
> is there a common ''stupid'' solution?
> do I have to define the tunnel as an ''ipsecnat'' tunnel?
> 
> I read pages and pages on the net but I didn''t find a solution.
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Tom Eastep

2003-Oct-29 07:33 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 02:03, No?l Nachtegael wrote:
> 
> no shorewall ipsec:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ipsec0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
> 128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0        0
ipsec0
The above two entries are absurd -- Taken together, they make your
default route go through the tunnel. You need to find out why they are
getting created before you go further.
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Holger Brückner

2003-Oct-29 07:50 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 16:33, Tom Eastep wrote:> On Wed, 2003-10-29 at 02:03, No?l Nachtegael wrote:
> 
> > 
> > no shorewall ipsec:
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref   
Use Iface
> > 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0       
0 eth0
> > 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0       
0 ppp0
> > 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0       
0 ipsec0
> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0       
0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0       
0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0       
0 lo
> > 0.0.0.0         80.200.17.1     128.0.0.0       UG    0      0       
0 ipsec0
> > 128.0.0.0       80.200.17.1     128.0.0.0       UG    0      0       
0 ipsec0
> 
> The above two entries are absurd -- Taken together, they make your
> default route go through the tunnel. You need to find out why they are
> getting created before you go further.
tom, this is due to the new opportunic keying "feature" in freeswan
>
2.0. it''s enable by default and hast to be explicitly disabled by the
following rules in ipsec.conf:

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

maybe it''s worth adding this to shorewall documentation, since
it''s
quite hard to find the above information.

cya

Holger

Tom Eastep

2003-Oct-29 07:58 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 07:50, Holger Br?ckner wrote:
> 
> tom, this is due to the new opportunic keying "feature" in
freeswan >
> 2.0. it''s enable by default and hast to be explicitly disabled by
the
> following rules in ipsec.conf:
> 
> conn block
>         auto=ignore
> 
> conn private
>         auto=ignore
> 
> conn private-or-clear
>         auto=ignore
> 
> conn clear-or-private
>         auto=ignore
> 
> conn clear
>         auto=ignore
> 
> conn packetdefault
>         auto=ignore
> 
> maybe it''s worth adding this to shorewall documentation, since
it''s
> quite hard to find the above information.
Thanks, Holger. Please see if http://shorewall.conf/IPSEC.htm accurately
reflects what needs to be done.

Thanks!
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep

2003-Oct-29 08:00 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 07:58, Tom Eastep wrote:
> 
> Thanks, Holger. Please see if http://shorewall.conf/IPSEC.htm accurately
> reflects what needs to be done.
Duh -- that should be http://shorewall.net/IPSEC.htm

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 09:37 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

after modification of the ipsec.conf settings (thanks to Helger) my new table 
is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0 ppp0

Shorewall and freeswan are now working together, in the /cat/log/secure I can 
see that the connection is established: 
Oct 29 18:21:54 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140 #2:
responding to Quick Mode
Oct 29 18:21:55 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140 #2:
IPsec SA established
but with shorewall enabled, I can''t go further (connecting my local
apache
server on the linux box for example) after clearing shorewall (shorewall 
clear) the connection is working again...


On Wednesday 29 October 2003 16:33, Tom Eastep wrote:> On Wed, 2003-10-29 at 02:03, No?l Nachtegael wrote:
> > no shorewall ipsec:
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref   
Use
> > Iface 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0
> >   0 eth0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0     
0
> >      0 ppp0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0
> > 0        0 ipsec0 192.168.1.0     0.0.0.0         255.255.255.0   U   
0
> >      0        0 eth0 169.254.0.0     0.0.0.0         255.255.0.0     U
> >  0      0        0 eth0 127.0.0.0       0.0.0.0         255.0.0.0     
U
> >     0      0        0 lo 0.0.0.0         80.200.17.1     128.0.0.0
> > UG    0      0        0 ipsec0 128.0.0.0       80.200.17.1    
128.0.0.0
> >      UG    0      0        0 ipsec0
>
> The above two entries are absurd -- Taken together, they make your
> default route go through the tunnel. You need to find out why they are
> getting created before you go further.
>
> > 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0       
0
> > ppp0
>
> -Tom

Tom Eastep

2003-Oct-29 09:41 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 09:36, No?l Nachtegael wrote:> after modification of the ipsec.conf settings (thanks to Helger) my new
table
> is:
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0
eth0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ppp0
> 80.200.17.1     0.0.0.0         255.255.255.255 UH    0      0        0
ipsec0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         80.200.17.1     0.0.0.0         UG    0      0        0
ppp0
> 
> Shorewall and freeswan are now working together, in the /cat/log/secure I
can
> see that the connection is established: 
> Oct 29 18:21:54 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140 #2:
> responding to Quick Mode
> Oct 29 18:21:55 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140 #2:
> IPsec SA established
> but with shorewall enabled, I can''t go further (connecting my
local apache
> server on the linux box for example) after clearing shorewall (shorewall 
> clear) the connection is working again...
What does "shorewall show log" show after you do this?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 09:58 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

Shorewall-1.4.4b Log at chivas.hectordenis.net - Wed Oct 29 18:55:44 CET 2003

Counters reset Wed Oct 29 18:53:52 CET 2003

Oct 29 09:37:19 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=52618 DF PROTO=UDP 
SPT=34017 DPT=53 LEN=60 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433 
WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433 
WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374 
WINDOW=65535 RES=0x00 SYN URGP=0 


On Wednesday 29 October 2003 18:40, Tom Eastep wrote:> On Wed, 2003-10-29 at 09:36, No?l Nachtegael wrote:
> > after modification of the ipsec.conf settings (thanks to Helger) my
new
> > table is:
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref   
Use
> > Iface 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0
> >   0 eth0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0     
0
> >      0 ppp0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0
> > 0        0 ipsec0 192.168.1.0     0.0.0.0         255.255.255.0   U   
0
> >      0        0 eth0 169.254.0.0     0.0.0.0         255.255.0.0     U
> >  0      0        0 eth0 127.0.0.0       0.0.0.0         255.0.0.0     
U
> >     0      0        0 lo 0.0.0.0         80.200.17.1     0.0.0.0
> > UG    0      0        0 ppp0
> >
> > Shorewall and freeswan are now working together, in the
/cat/log/secure I
> > can see that the connection is established:
> > Oct 29 18:21:54 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140
> > #2: responding to Quick Mode
> > Oct 29 18:21:55 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140
> > #2: IPsec SA established
> > but with shorewall enabled, I can''t go further (connecting my
local
> > apache server on the linux box for example) after clearing shorewall
> > (shorewall clear) the connection is working again...
>
> What does "shorewall show log" show after you do this?
>
> -Tom

Tom Eastep

2003-Oct-29 10:10 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 09:57, No?l Nachtegael wrote:> Shorewall-1.4.4b Log at chivas.hectordenis.net - Wed Oct 29 18:55:44 CET
2003
> 
> Counters reset Wed Oct 29 18:53:52 CET 2003
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433 
> WINDOW=65535 RES=0x00 SYN URGP=0 
> Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433 
> WINDOW=65535 RES=0x00 SYN URGP=0 
> Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374 
> WINDOW=65535 RES=0x00 SYN URGP=0 
Given that the last log message was produced at 09:45, that''s not
particularly helpful.

Please see http://shorewall.net/support.htm -- there are instructions
that begin with "This is important!" in bold red type; please follow
those instructions.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 10:24 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

[H [2JShorewall-1.4.4b Status at chivas.hectordenis.net - Wed Oct 29 19:20:53 
CET 2003

Counters reset Wed Oct 29 19:17:48 CET 2003

Chain INPUT (policy ACCEPT 89 packets, 8246 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain OUTPUT (policy ACCEPT 88 packets, 8400 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Oct 29 09:37:19 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=52618 DF PROTO=UDP 
SPT=34017 DPT=53 LEN=60 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=51 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
SPT=34019 DPT=53 LEN=48 
Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433 
WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433 
WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124 DST=80.200.17.33 
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374 
WINDOW=65535 RES=0x00 SYN URGP=0 

NAT Table

Chain PREROUTING (policy ACCEPT 148 packets, 8397 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain POSTROUTING (policy ACCEPT 14 packets, 1076 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain OUTPUT (policy ACCEPT 14 packets, 1076 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Mangle Table

Chain PREROUTING (policy ACCEPT 589 packets, 58440 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain INPUT (policy ACCEPT 589 packets, 58440 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain OUTPUT (policy ACCEPT 538 packets, 51254 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain POSTROUTING (policy ACCEPT 732 packets, 66726 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

tcp      6 38 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1204 
dport=80 src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1204 [ASSURED] 
use=1 
unknown  50 519 src=194.78.26.140 dst=80.200.20.216 src=80.200.20.216 
dst=194.78.26.140 use=1 
udp      17 110 src=194.78.26.140 dst=80.200.20.216 sport=500 dport=500 
src=80.200.20.216 dst=194.78.26.140 sport=500 dport=500 [ASSURED] use=1 
tcp      6 431675 ESTABLISHED src=192.168.1.101 dst=192.168.1.250 sport=1056 
dport=139 src=192.168.1.250 dst=192.168.1.101 sport=139 dport=1056 [ASSURED] 
use=1 
udp      17 117 src=80.200.20.216 dst=195.238.2.22 sport=32809 dport=53 
src=195.238.2.22 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1 
tcp      6 8 CLOSE src=80.200.176.94 dst=80.200.20.216 sport=1890 dport=80 
src=80.200.20.216 dst=80.200.176.94 sport=80 dport=1890 [ASSURED] use=1 
udp      17 117 src=80.200.20.216 dst=195.238.2.21 sport=32809 dport=53 
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1 
tcp      6 58 SYN_RECV src=80.200.176.94 dst=80.200.20.216 sport=2336 dport=80 
src=80.200.20.216 dst=80.200.176.94 sport=80 dport=2336 use=1 
udp      17 52 src=80.200.20.216 dst=195.238.2.21 sport=32808 dport=53 
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32808 [ASSURED] use=1 
udp      17 158 src=80.200.20.216 dst=66.187.233.4 sport=123 dport=123 
src=66.187.233.4 dst=80.200.20.216 sport=123 dport=123 [ASSURED] use=1 
tcp      6 39 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1205 
dport=80 src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1205 [ASSURED] 
use=1 
udp      17 22 src=192.168.1.250 dst=192.168.1.255 sport=32809 dport=137 
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32809 use=1 



On Wednesday 29 October 2003 18:40, Tom Eastep wrote:> On Wed, 2003-10-29 at 09:36, No?l Nachtegael wrote:
> > after modification of the ipsec.conf settings (thanks to Helger) my
new
> > table is:
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref   
Use
> > Iface 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0
> >   0 eth0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0     
0
> >      0 ppp0 80.200.17.1     0.0.0.0         255.255.255.255 UH    0
> > 0        0 ipsec0 192.168.1.0     0.0.0.0         255.255.255.0   U   
0
> >      0        0 eth0 169.254.0.0     0.0.0.0         255.255.0.0     U
> >  0      0        0 eth0 127.0.0.0       0.0.0.0         255.0.0.0     
U
> >     0      0        0 lo 0.0.0.0         80.200.17.1     0.0.0.0
> > UG    0      0        0 ppp0
> >
> > Shorewall and freeswan are now working together, in the
/cat/log/secure I
> > can see that the connection is established:
> > Oct 29 18:21:54 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140
> > #2: responding to Quick Mode
> > Oct 29 18:21:55 chivas pluto[31048]: "roadwarrior-net"[1]
194.78.26.140
> > #2: IPsec SA established
> > but with shorewall enabled, I can''t go further (connecting my
local
> > apache server on the linux box for example) after clearing shorewall
> > (shorewall clear) the connection is working again...
>
> What does "shorewall show log" show after you do this?
>
> -Tom-------------- next part --------------
[H[2JShorewall-1.4.4b Status at chivas.hectordenis.net - Wed Oct 29 19:20:53 CET
2003

Counters reset Wed Oct 29 19:17:48 CET 2003

Chain INPUT (policy ACCEPT 89 packets, 8246 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 88 packets, 8400 bytes)
 pkts bytes target     prot opt in     out     source               destination

Oct 29 09:37:19 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=52618 DF PROTO=UDP SPT=34017 DPT=53 LEN=60
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374
WINDOW=65535 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 148 packets, 8397 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 14 packets, 1076 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 1076 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 589 packets, 58440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 589 packets, 58440 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 538 packets, 51254 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 732 packets, 66726 bytes)
 pkts bytes target     prot opt in     out     source               destination

tcp      6 38 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1204 dport=80
src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1204 [ASSURED] use=1
unknown  50 519 src=194.78.26.140 dst=80.200.20.216 src=80.200.20.216
dst=194.78.26.140 use=1
udp      17 110 src=194.78.26.140 dst=80.200.20.216 sport=500 dport=500
src=80.200.20.216 dst=194.78.26.140 sport=500 dport=500 [ASSURED] use=1
tcp      6 431675 ESTABLISHED src=192.168.1.101 dst=192.168.1.250 sport=1056
dport=139 src=192.168.1.250 dst=192.168.1.101 sport=139 dport=1056 [ASSURED]
use=1
udp      17 117 src=80.200.20.216 dst=195.238.2.22 sport=32809 dport=53
src=195.238.2.22 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1
tcp      6 8 CLOSE src=80.200.176.94 dst=80.200.20.216 sport=1890 dport=80
src=80.200.20.216 dst=80.200.176.94 sport=80 dport=1890 [ASSURED] use=1
udp      17 117 src=80.200.20.216 dst=195.238.2.21 sport=32809 dport=53
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1
tcp      6 58 SYN_RECV src=80.200.176.94 dst=80.200.20.216 sport=2336 dport=80
src=80.200.20.216 dst=80.200.176.94 sport=80 dport=2336 use=1
udp      17 52 src=80.200.20.216 dst=195.238.2.21 sport=32808 dport=53
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32808 [ASSURED] use=1
udp      17 158 src=80.200.20.216 dst=66.187.233.4 sport=123 dport=123
src=66.187.233.4 dst=80.200.20.216 sport=123 dport=123 [ASSURED] use=1
tcp      6 39 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1205 dport=80
src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1205 [ASSURED] use=1
udp      17 22 src=192.168.1.250 dst=192.168.1.255 sport=32809 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32809 use=1

Tom Eastep

2003-Oct-29 10:32 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 10:23, No?l Nachtegael wrote:>  [H [2JShorewall-1.4.4b Status at chivas.hectordenis.net - Wed Oct 29
19:20:53
> CET 2003
> 
> Counters reset Wed Oct 29 19:17:48 CET 2003
> 
> Chain INPUT (policy ACCEPT 89 packets, 8246 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain OUTPUT (policy ACCEPT 88 packets, 8400 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Oct 29 09:37:19 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=52618 DF PROTO=UDP 
> SPT=34017 DPT=53 LEN=60 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=51 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.21 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 
> DST=195.238.2.22 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP 
> SPT=34019 DPT=53 LEN=48 
> Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433 
> WINDOW=65535 RES=0x00 SYN URGP=0 
> Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433 
> WINDOW=65535 RES=0x00 SYN URGP=0 
> Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124
DST=80.200.17.33
> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374 
> WINDOW=65535 RES=0x00 SYN URGP=0 
> 
> NAT Table
> 
> Chain PREROUTING (policy ACCEPT 148 packets, 8397 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain POSTROUTING (policy ACCEPT 14 packets, 1076 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain OUTPUT (policy ACCEPT 14 packets, 1076 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Mangle Table
> 
> Chain PREROUTING (policy ACCEPT 589 packets, 58440 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain INPUT (policy ACCEPT 589 packets, 58440 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain OUTPUT (policy ACCEPT 538 packets, 51254 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> Chain POSTROUTING (policy ACCEPT 732 packets, 66726 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination         
> 
> tcp      6 38 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1204 
> dport=80 src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1204 [ASSURED] 
> use=1 
> unknown  50 519 src=194.78.26.140 dst=80.200.20.216 src=80.200.20.216 
> dst=194.78.26.140 use=1 
> udp      17 110 src=194.78.26.140 dst=80.200.20.216 sport=500 dport=500 
> src=80.200.20.216 dst=194.78.26.140 sport=500 dport=500 [ASSURED] use=1 
> tcp      6 431675 ESTABLISHED src=192.168.1.101 dst=192.168.1.250
sport=1056
> dport=139 src=192.168.1.250 dst=192.168.1.101 sport=139 dport=1056
[ASSURED]
> use=1 
> udp      17 117 src=80.200.20.216 dst=195.238.2.22 sport=32809 dport=53 
> src=195.238.2.22 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1 
> tcp      6 8 CLOSE src=80.200.176.94 dst=80.200.20.216 sport=1890 dport=80 
> src=80.200.20.216 dst=80.200.176.94 sport=80 dport=1890 [ASSURED] use=1 
> udp      17 117 src=80.200.20.216 dst=195.238.2.21 sport=32809 dport=53 
> src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32809 [ASSURED] use=1 
> tcp      6 58 SYN_RECV src=80.200.176.94 dst=80.200.20.216 sport=2336
dport=80
> src=80.200.20.216 dst=80.200.176.94 sport=80 dport=2336 use=1 
> udp      17 52 src=80.200.20.216 dst=195.238.2.21 sport=32808 dport=53 
> src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32808 [ASSURED] use=1 
> udp      17 158 src=80.200.20.216 dst=66.187.233.4 sport=123 dport=123 
> src=66.187.233.4 dst=80.200.20.216 sport=123 dport=123 [ASSURED] use=1 
> tcp      6 39 TIME_WAIT src=194.78.26.140 dst=192.168.1.250 sport=1205 
> dport=80 src=192.168.1.250 dst=194.78.26.140 sport=80 dport=1205 [ASSURED] 
> use=1 
> udp      17 22 src=192.168.1.250 dst=192.168.1.255 sport=32809 dport=137 
> [UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32809 use=1
> 
Shorewall isn''t running!

Please:

a) shorewall start
b) Try one of the connections that doesn''t work with Shorewall running.
c) shorewall status > /tmp/trace

Post the /tmp/trace AS A TEXT ATTACHMENT!!!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 10:40 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

attached the /tm/trace file
-------------- next part --------------
[H[2JShorewall-1.4.4b Status at chivas.hectordenis.net - Wed Oct 29 19:38:39 CET
2003

Counters reset Wed Oct 29 19:32:43 CET 2003

Chain INPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   118 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
  484  405K ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  190 15273 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   24  1368 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 7 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 7 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   118 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
  393 28646 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  189 15048 fw2loc     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   17  1520 fw2vpn     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 7 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   24  1368 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   24  1368 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 7 prefix `Shorewall:all2all:REJECT:''
   24  1368 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
   19  1116 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2vpn    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  190 15273 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  190 15273 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    44 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp spt:110
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  188 15004 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  375 27557 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    3   189 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
   15   900 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ipsec0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 vpn2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain ipsec0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1368 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   24  1368 vpn2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:10000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  189 15233 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   15   708 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15   708 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 7 prefix `Shorewall:net2all:DROP:''
   15   708 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  464  403K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    3   336 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    1   244 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
   15   708 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  484  405K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
  484  405K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    6   288 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
   18  1080 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain vpn2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
   24  1368 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Oct 29 09:37:19 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=52618 DF PROTO=UDP SPT=34017 DPT=53 LEN=60
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=51
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.21
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:37:33 all2all:REJECT:IN= OUT=ipsec0 SRC=80.200.17.33 DST=195.238.2.22
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=54016 DF PROTO=UDP SPT=34019 DPT=53 LEN=48
Oct 29 09:40:47 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=21832 DF PROTO=TCP SPT=2266 DPT=1433
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 09:40:50 net2all:DROP:IN=ppp0 OUT= SRC=194.149.145.11 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22092 DF PROTO=TCP SPT=2266 DPT=1433
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 09:45:18 net2all:DROP:IN=ppp0 OUT= SRC=80.139.41.124 DST=80.200.17.33
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=47401 DF PROTO=TCP SPT=2786 DPT=27374
WINDOW=65535 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 280 packets, 16679 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 109 packets, 7135 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1089 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 109 packets, 7135 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       169.254.0.0/16       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 3556 packets, 2404K bytes)
 pkts bytes target     prot opt in     out     source               destination
  708  422K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 3556 packets, 2404K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3049 packets, 244K bytes)
 pkts bytes target     prot opt in     out     source               destination
  607 45800 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 3793 packets, 303K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

udp      17 26 src=192.168.1.250 dst=192.168.1.255 sport=32819 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32819 use=1
unknown  50 551 src=194.78.26.156 dst=80.200.20.216 src=80.200.20.216
dst=194.78.26.156 use=1
tcp      6 431689 ESTABLISHED src=192.168.1.101 dst=192.168.1.250 sport=1056
dport=139 src=192.168.1.250 dst=192.168.1.101 sport=139 dport=1056 [ASSURED]
use=1
udp      17 107 src=80.200.20.216 dst=195.238.2.21 sport=32819 dport=53
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32819 [ASSURED] use=1
udp      17 166 src=194.78.26.156 dst=80.200.20.216 sport=500 dport=500
src=80.200.20.216 dst=194.78.26.156 sport=500 dport=500 [ASSURED] use=1
tcp      6 48 TIME_WAIT src=80.200.20.216 dst=209.69.32.139 sport=32957 dport=80
src=209.69.32.139 dst=80.200.20.216 sport=80 dport=32957 [ASSURED] use=1
udp      17 129 src=80.200.20.216 dst=66.187.233.4 sport=123 dport=123
src=66.187.233.4 dst=80.200.20.216 sport=123 dport=123 [ASSURED] use=1
unknown  50 237 src=194.78.26.160 dst=80.200.20.216 src=80.200.20.216
dst=194.78.26.160 use=1

Tom Eastep

2003-Oct-29 10:49 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 10:39, No?l Nachtegael wrote:> attached the /tm/trace file
Given that you have set all of the log levels to DEBUG (7), you aren''t
getting any log messages to help you (or us) determine what the problem
is. If you are logging DEBUG messages to some file, it would be nice if
you pointed the LOGFILE option in shorewall.conf to that file.

It looks like you are trying to access some service on your firewall
from a host in the ''vpn'' network. Since the effective policy
for vpn->fw
is REJECT (all2all), all of that traffic is being rejected.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 11:09 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

it''s now working !!!!

I simply add 2 policy rules

vpn	$FW	ACCEPT	info
$FW	vpn	ACCEPT	info



On Wednesday 29 October 2003 19:49, Tom Eastep wrote:> On Wed, 2003-10-29 at 10:39, No?l Nachtegael wrote:
> > attached the /tm/trace file
>
> Given that you have set all of the log levels to DEBUG (7), you
aren''t
> getting any log messages to help you (or us) determine what the problem
> is. If you are logging DEBUG messages to some file, it would be nice if
> you pointed the LOGFILE option in shorewall.conf to that file.
>
> It looks like you are trying to access some service on your firewall
> from a host in the ''vpn'' network. Since the effective
policy for vpn->fw
> is REJECT (all2all), all of that traffic is being rejected.
>
> -Tom-------------- next part --------------
[H[2JShorewall-1.4.4b Status at chivas.hectordenis.net - Wed Oct 29 20:05:14 CET
2003

Counters reset Wed Oct 29 20:02:49 CET 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  481 40692 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
   80 13040 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
   73  5644 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   52  4039 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
  481 40692 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
   62 11506 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   77  5756 fw2loc     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   50  4327 fw2vpn     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2vpn    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   73  5644 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   73  5644 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp spt:110
    5   140 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   72  5616 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   61 11429 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    1    77 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
   50  4327 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:fw2vpn:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ipsec0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 vpn2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain ipsec0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   52  4039 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   52  4039 vpn2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:10000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    1    28 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   72  5616 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:137:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp spt:137 dpts:1024:65535
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:loc2net:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:loc2vpn:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   16   784 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   16   784 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
   16   784 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   59 11636 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    3   336 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    1   244 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
   16   784 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   80 13040 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
   80 13040 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain vpn2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1675 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:500 dpt:500 state NEW
   40  2364 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:vpn2fw:ACCEPT:''
   40  2364 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:vpn2loc:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Oct 29 20:05:06 net2all:DROP:IN=ppp0 OUT= SRC=80.15.10.73 DST=80.200.20.216
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=591 DF PROTO=TCP SPT=2596 DPT=4662
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 20:05:07 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3494 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=10240
Oct 29 20:05:08 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3496 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=10496
Oct 29 20:05:09 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3498 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=10752
Oct 29 20:05:09 net2all:DROP:IN=ppp0 OUT= SRC=80.15.10.73 DST=80.200.20.216
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=849 DF PROTO=TCP SPT=2596 DPT=4662
WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 20:05:10 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3500 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=11008
Oct 29 20:05:11 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3502 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=11264
Oct 29 20:05:12 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3504 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=11520
Oct 29 20:05:13 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3506 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=11776
Oct 29 20:05:14 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3508 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=12032
Oct 29 20:05:15 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3510 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=12288
Oct 29 20:05:16 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3512 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=12544
Oct 29 20:05:17 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3514 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=12800
Oct 29 20:05:18 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3518 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=13056
Oct 29 20:05:19 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3522 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=13312
Oct 29 20:05:20 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3524 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=13568
Oct 29 20:05:21 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3526 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=13824
Oct 29 20:05:22 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3528 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=14080
Oct 29 20:05:23 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3530 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=14336
Oct 29 20:05:24 vpn2fw:ACCEPT:IN=ipsec0 OUT= SRC=194.78.26.157 DST=192.168.1.250
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3532 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=14592

NAT Table

Chain PREROUTING (policy ACCEPT 437 packets, 25553 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 301 packets, 19292 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    77 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 301 packets, 19292 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       169.254.0.0/16       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 21851 packets, 9330K bytes)
 pkts bytes target     prot opt in     out     source               destination
  713 65679 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 21851 packets, 9330K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19994 packets, 1643K bytes)
 pkts bytes target     prot opt in     out     source               destination
  697 64545 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 21557 packets, 1766K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

udp      17 6 src=127.0.0.1 dst=127.0.0.1 sport=32847 dport=512 [UNREPLIED]
src=127.0.0.1 dst=127.0.0.1 sport=512 dport=32847 use=1
tcp      6 96 TIME_WAIT src=194.78.26.157 dst=192.168.1.250 sport=1234 dport=80
src=192.168.1.250 dst=194.78.26.157 sport=80 dport=1234 [ASSURED] use=1
udp      17 68 src=80.200.20.216 dst=195.238.2.21 sport=32847 dport=53
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32847 [ASSURED] use=1
unknown  50 599 src=194.78.26.157 dst=80.200.20.216 src=80.200.20.216
dst=194.78.26.157 use=1
udp      17 30 src=80.200.20.216 dst=195.238.2.21 sport=32846 dport=53
src=195.238.2.21 dst=80.200.20.216 sport=53 dport=32846 [ASSURED] use=1
udp      17 129 src=194.78.26.157 dst=80.200.20.216 sport=500 dport=500
src=80.200.20.216 dst=194.78.26.157 sport=500 dport=500 [ASSURED] use=1
tcp      6 93 TIME_WAIT src=194.78.26.157 dst=192.168.1.250 sport=1232 dport=80
src=192.168.1.250 dst=194.78.26.157 sport=80 dport=1232 [ASSURED] use=1
udp      17 0 src=192.168.1.250 dst=192.168.1.255 sport=32847 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32847 use=1
udp      17 152 src=80.200.20.216 dst=66.187.233.4 sport=123 dport=123
src=66.187.233.4 dst=80.200.20.216 sport=123 dport=123 [ASSURED] use=1
udp      17 23 src=192.168.1.250 dst=192.168.1.255 sport=32848 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.250 sport=137 dport=32848 use=1
tcp      6 96 TIME_WAIT src=194.78.26.157 dst=192.168.1.250 sport=1233 dport=80
src=192.168.1.250 dst=194.78.26.157 sport=80 dport=1233 [ASSURED] use=1
-------------- next part --------------
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don''t get a match from the /etc/shorewall/rules file or from the
#	/etc/shorewall/common[.def] file. For each source/destination pair, the
#	file is processed in order until a match is found ("all" will match
#	any client or server).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT" or
"CONTINUE"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			If you don''t want to log but need to specify the
#			following column, place "_" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
#	As shipped, the default policies are:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the internet are ignored but logged at syslog
#	   level KERNEL.INFO.
#	d) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc	net	ACCEPT	info
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw	net	ACCEPT	info
loc	vpn	ACCEPT	info
vpn	loc	ACCEPT	info
vpn	$FW	ACCEPT	info
$FW	vpn	ACCEPT	info
net	all	DROP	info
all	all	REJECT	info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE

Tom Eastep

2003-Oct-29 11:12 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 11:08, No?l Nachtegael wrote:> it''s now working !!!!
> 
> I simply add 2 policy rules
> 
> vpn	$FW	ACCEPT	info
> $FW	vpn	ACCEPT	info
> 
Good -- you may not want to log ACCEPTed connections but that''s your
choice.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Noël Nachtegael

2003-Oct-29 13:28 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

for the others, here are my adapted files working on the linux box

and the ipsec.conf.xp on the xp roadwarrior side
-------------- next part --------------
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#	You must add an entry in this file for each network interface on your
#	firewall system.
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the short name
#			of a zone defined in /etc/shorewall/zones.
#
#			If the interface serves multiple zones that will be
#			defined in the /etc/shorewall/hosts file, you should
#			place "-" in this column.
#	
#	INTERFACE	Name of interface. Each interface may be listed only
#			once in this file.
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left black.If the interface has multiple
#			addresses on multiple subnets then list the broadcast
#			addresses as a comma-separated list.
#					    
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started, you must have iproute
#			installed and the interface must only be associated
#			with a single subnet.
#			
#			If you don''t want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - interface is managed by DHCP or used by
#                                      a DHCP server running on the firewall or
#				       you have a static IP but are on a LAN
#				       segment with lots of Laptop DHCP clients.
#			noping	     - icmp echo-request (ping) packets
#				       addressed to the firewall should
#				       be ignored on this interface
#			filterping   - icmp echo-request (ping) packets 
#				       addressed to the firewall should
#				       be controlled by the rules file and
#				       applicable policy. If neither ''noping''
#				       nor ''filterping'' are specified then
#				       the firewall will respond to ''ping''
#				       requests. ''filterping'' takes 
#				       precedence over ''noping'' if both are
#				       given.
#			routestopped - (Deprecated -- use 
#				       /etc/shorewall/routestopped)
#				       When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses. If packet mangling is
#				       enabled in shorewall.conf, packets
#				       whose destination addresses are
#				       reserved by RFC 1918 are also rejected.
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#				       the /etc/shorewall/shorewall.conf file.
#			dropunclean  - Logs and drops mangled/invalid packets
#
#			logunclean   - Logs mangled/invalid packets but does
#				       not drop them.
#	.	.	blacklist    - Check packets arriving on this interface
#				       against the /etc/shorewall/blacklist
#				       file.
#			proxyarp     - 
#				Sets 
#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#				Do NOT use this option if you are
#				employing Proxy ARP through entries in
#				/etc/shorewall/proxyarp. This option is
#				intended soley for use with Proxy ARP
#				sub-networking as described at:
#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#			
#			The order in which you list the options is not
#			significant but the list should have no embedded white
#			space.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			it''s IP address via DHCP from subnet
#			206.191.149.192/27 and you want pings from the internet
#			to be ignored. You interface a DMZ with subnet
#			192.168.2.0/24 using eth2. You want to be able to
#			access the firewall from the local network when the
#			firewall is stopped.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	noping,dhcp
#			local	eth1	192.168.1.255	routestopped
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		noping,dhcp
#			loc	eth1	detect		routestopped
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections and you want to ignore ping requests.
#
#			net	ppp0	-		noping
##############################################################################
#ZONE	 INTERFACE	BROADCAST	OPTIONS
net	ppp0	-	dhcp	
loc	eth0	-	
vpn	ipsec0	-			
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don''t get a match from the /etc/shorewall/rules file or from the
#	/etc/shorewall/common[.def] file. For each source/destination pair, the
#	file is processed in order until a match is found ("all" will match
#	any client or server).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT" or
"CONTINUE"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			If you don''t want to log but need to specify the
#			following column, place "_" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
#	As shipped, the default policies are:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the internet are ignored but logged at syslog
#	   level KERNEL.INFO.
#	d) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc	net	ACCEPT	info
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw	net	ACCEPT	info
loc	vpn	ACCEPT	info
vpn	loc	ACCEPT	info
vpn	$FW	ACCEPT	info
$FW	vpn	ACCEPT	info
net	all	DROP	info
all	all	REJECT	info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
-------------- next part --------------
#
# Shorewall 1.4 - /etc/shorewall/tunnels
#
#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
#	IPIP, GRE and OPENVPN tunnels must be configured on the
#	firewall/gateway itself. IPSEC endpoints may be defined
#	on the firewall/gateway or on an internal system.
#
#	The columns are:
#
#	TYPE	    --	must start in column 1 and be "ipsec",
"ipsecnat","ip"
#			"gre", "pptpclient", "pptpserver" or
"openvpn".
#
#			If type is "openvpn", it may optionally be followed
#			by ":" and the port number used by the tunnel. if no
#			":" and port number are included, then the default port
#			of 5000 will be used
#
#	ZONE	    --	The zone of the physical interface through which
#			tunnel traffic passes. This is normally your internet
#			zone.
#
#	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
#			remote getway has no fixed address (Road Warrior)
#			then specify the gateway as 0.0.0.0/0.
#
#	GATEWAY
#	ZONES --	Optional. If the gateway system specified in the third
#			column is a standalone host then this column should
#			contain a comma-separated list of the names of the
#			zones that the host might be in. This column only
#			applies to IPSEC tunnels.
#
#		Example 1:
#
#			IPSec tunnel. The remote gateway is 4.33.99.124 and
#			the remote subnet is 192.168.9.0/24
#
#			ipsec	net	4.33.99.124
#
#		Example 2:
#
#			Road Warrior (LapTop that may connect from anywhere)
#			where the "gw" zone is used to represent the remote
#			LapTop.
#
#			ipsec	net	0.0.0.0/0	gw
#
#		Example 3:
#
#			Host 4.33.99.124 is a standalone system connected
#			via an ipsec tunnel to the firewall system. The host
#			is in zone gw.
#
#			ipsec	net	4.33.99.124	gw
#
#		Example 4:
#
#			Road Warriors that may belong to zones vpn1, vpn2 or
#			vpn3. The FreeS/Wan _updown script will add the
#			host to the appropriate zone using the "shorewall add"
#			command on connect and will remove the host from the
#			zone at disconnect time.
#
#			ipsec	net	0.0.0.0/0	vpn1,vpn2,vpn3
#
#		Example 5:
#
#			You run the Linux PPTP client on your firewall and
#			connect to server 192.0.2.221.
#
#			pptpclient	net	192.0.2.221
#
#		Example 6:
#
#			You run a PPTP server on your firewall.
#
#			pptpserver	net
#
#		Example 7:
#
#			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
#			openvpn uses port 7777.
#
#			openvpn:7777	net	4.33.99.124
#
# TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
ipsec			net	0.0.0.0/0	vpn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
version	2.0	# conforms to second version of ipsec.conf specification

# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file


# More elaborate and more varied sample configurations can be found
# in doc/examples.


# basic configuration

config setup
        #interfaces=%defaultroute
	#klipsdebug=none
        #plutodebug=none
	#uniqueids=yes

conn %default
    	authby=rsasig
	rightrsasigkey=%cert
	left=(dns name in dynip)
	leftnexthop=%defaultroute
	leftcert=chivas.hectordenis.net.pem
	leftid="/C=BE/ST=Hainaut/L=Braine-le-Comte/O=N Consulting/CN=serveur
chivas/EmailAddress=noel.nachtegael@skynet.be"
	auto=add
	
	leftrsasigkey=%cert
	keyingtries=1
	compress=yes
	disablearrivalcheck=no

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


conn roadwarrior-net
	right=%any
	leftsubnet=192.168.1.0/24
	rightid="/C=BE/ST=Hainaut/L=Braine-le-Comte/O=N Consulting/CN=client
windows/EmailAddress=noel.nachtegael@skynet.be"
	
 
conn roadwarrior
	right=%any
	rightid="/C=BE/ST=Hainaut/L=Braine-le-Comte/O=N Consulting/CN=client
windows/EmailAddress=noel.nachtegael@skynet.be"


	
 
 

 



-------------- next part --------------
conn roadwarrior
	right=chivas-hectordenis.dnsalias.org
	rightca="C=BE, S=Hainaut, L=Braine-le-Comte, O=N Consulting, CN=chivas,
E=noel.nachtegael@skynet.be"
	left=%any
	network=auto
	auto=start
	pfs=yes

conn roadwarrior-net
	left=%any
	right=chivas-hectordenis.dnsalias.org
	rightsubnet=192.168.1.0/24
	rightca="C=BE, S=Hainaut, L=Braine-le-Comte, O=N Consulting, CN=chivas,
E=noel.nachtegael@skynet.be"
	network=auto
	auto=start
	pfs=yes

Tom Eastep

2003-Oct-29 13:33 UTC

head link

[Shorewall-users] freeswan ipsec - shorewall

On Wed, 2003-10-29 at 13:26, No?l Nachtegael wrote:> for the others, here are my adapted files working on the linux box
> 
> and the ipsec.conf.xp on the xp roadwarrior side
> 
> ______________________________________________________________________I notice that your fw<->vpn policy is ACCEPT while your fw<->loc
policy
is REJECT. This seems odd to me given that the vpn<->loc policy is
ACCEPT.

Perhaps you should identify your real requirements for fw<->vpn traffic
and create rules to ACCEPT that traffic so that you can also institute a
REJECT policy between those zones as well. I suspect that the
requirements for vpn<->fw are very similar if not identical to
loc<->fw.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - Oct 2003 - freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall

[Shorewall-users] freeswan ipsec - shorewall