Hi
I am using an old PC as a Linux firewall between a local and a company
network, so I can connect directly to the internet without going through
the company firewall.
I am connected to the internet via a NAT router to an ADSL connection,
and to the company network via a Cisco VPN box. The two networks are
connected with the shorewall firewall.
The firewall is running redhat 9.0 and shorewall version 2.0.0a with
a 2.4.26 kernel. My local network is 192.168.1.0/24.
The funny thing is that when I try connecting to certain HTTP sites,
eg if I try running redhat up2date from a Linux laptop connected to
the company network, going through the shorewall firewall, the connection
is established OK; but after this the shorewall firewall rejects all
further packets coming from the remote site with an "ICMP Destination
unreachable", as seen in the following:
123.45.67.89 -> 204.152.189.120 TCP 32795 > http [SYN] Seq=245651779
Ack=0 Win=5840 Len=0
204.152.189.120 -> 123.45.67.89 TCP http > 32795 [SYN, ACK]
Seq=1626678467 Ack=245651780 Win=5792 Len=0
123.45.67.89 -> 204.152.189.120 TCP 32795 > http [ACK] Seq=245651780
Ack=1626678468 Win=5840 Len=0
123.45.67.89 -> 204.152.189.120 HTTP GET
/fedora/core/development/i386//headers/header.info HTTP/1.0
204.152.189.120 -> 123.45.67.89 TCP http > 32795 [ACK] Seq=1626678468
Ack=245651955 Win=5792 Len=0
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP Continuation
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
192.168.1.5 is the interface on the firewall to the local net.
I simply cannot figure out why this is happening, or what to look for.
When this happens, the connection as seen with `shorewall show connections`
is shown as either ESTABLISHED or in TIME_WAIT, like here:
tcp 6 429058 ESTABLISHED src=123.45.67.89 dst=204.152.189.120
sport=32795 dport=80 src=204.152.189.120 dst=123.45.67.89 sport=80
dport=32795 [ASSURED] use=1
Anybody have a good idea of what to look for? I had the same problem
with Redhat 7.3, a 2.4.17 kernel, and shorewall version 1.4.6.
And yes, the problem is consistent between resets, restarts, and even
reboots.
Thanks
Per
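As an added triage aid (example code, not part of Per's post), the script below walks a capture in the same one-line-per-packet summary form as the one quoted above and reports TCP flows whose three-way handshake completed but for which the firewall's own address later sent ICMP Destination unreachable towards the remote peer, which is exactly the pattern the capture shows. The sample capture is constructed from the quoted lines with the wrapped lines joined; 192.168.1.5 is assumed to be the firewall's inside address, as the post states.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the capture quoted in the post (wrapped
# lines joined); 192.168.1.5 is the firewall's inside address per the post.
CAPTURE = """\
123.45.67.89 -> 204.152.189.120 TCP 32795 > http [SYN] Seq=245651779 Ack=0 Win=5840 Len=0
204.152.189.120 -> 123.45.67.89 TCP http > 32795 [SYN, ACK] Seq=1626678467 Ack=245651780 Win=5792 Len=0
123.45.67.89 -> 204.152.189.120 TCP 32795 > http [ACK] Seq=245651780 Ack=1626678468 Win=5840 Len=0
123.45.67.89 -> 204.152.189.120 HTTP GET /fedora/core/development/i386//headers/header.info HTTP/1.0
204.152.189.120 -> 123.45.67.89 TCP http > 32795 [ACK] Seq=1626678468 Ack=245651955 Win=5792 Len=0
204.152.189.120 -> 123.45.67.89 HTTP HTTP/1.1 200 OK
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
204.152.189.120 -> 123.45.67.89 HTTP Continuation
192.168.1.5 -> 204.152.189.120 ICMP Destination unreachable
"""

PKT = re.compile(r"^(\S+) -> (\S+) (TCP|HTTP|ICMP) (.*)$")
TCP = re.compile(r"^(\S+) > (\S+) \[([^\]]*)\]")

def find_rejected_established(capture, firewall_addr):
    """Return {(client, server): n} for TCP flows whose handshake completed and
    for which the firewall itself then sent n ICMP unreachables to the server."""
    stage = {}                      # (client, server) -> "SYN" | "SYNACK" | "EST"
    hits = defaultdict(int)
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue                # not a packet summary line
        src, dst, proto, rest = m.groups()
        if proto == "TCP":
            t = TCP.match(rest)
            if not t:
                continue
            flags = {f.strip() for f in t.group(3).split(",")}
            if flags == {"SYN"}:
                stage[(src, dst)] = "SYN"            # client opens
            elif flags == {"SYN", "ACK"} and stage.get((dst, src)) == "SYN":
                stage[(dst, src)] = "SYNACK"         # server answers
            elif flags == {"ACK"} and stage.get((src, dst)) == "SYNACK":
                stage[(src, dst)] = "EST"            # handshake done
        elif proto == "ICMP" and src == firewall_addr and "unreachable" in rest:
            # The firewall, not an endpoint, is rejecting a packet of this flow.
            for (client, server), st in stage.items():
                if st == "EST" and server == dst:
                    hits[(client, server)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (c, s), n in find_rejected_established(CAPTURE, "192.168.1.5").items():
        print(f"{c} -> {s}: {n} ICMP unreachable(s) from firewall after handshake")
```

Flows that never got past SYN or SYN/ACK are deliberately not counted, so ordinary refused connections do not show up; only connections that conntrack would already consider established and that the firewall nevertheless rejects are reported.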