Per Kofod wrote:
>>Message: 4
>>Date: Tue, 04 May 2004 06:29:26 -0700
>>From: Tom Eastep <teastep@shorewall.net>
>>Subject: Re: [Shorewall-users] Connection is rejected after being
>> created
>>To: Mailing List for Shorewall Users
>> <shorewall-users@lists.shorewall.net>
>>Message-ID: <40979AB6.9070601@shorewall.net>
>>Content-Type: text/plain; charset=us-ascii; format=flowed
>>
>>Per Kofod wrote:
>>
>>
>>>I am connected to the internet via a NAT router to an ADSL connection,
>>>and to the company network via a Cisco VPN box, the two networks are
>>>connected with the shorewall firewall.
>>
>>Sometimes a picture is worth a thousand words -- can you please send us
>>a diagram of what you have just described?
>>
>>Thanks!
>>-Tom
>
>
>>Message: 5
>>Date: Tue, 04 May 2004 07:11:00 -0700
>>From: Tom Eastep <teastep@shorewall.net>
>>Subject: Re: [Shorewall-users] Connection is rejected after being
>> created
>>To: Mailing List for Shorewall Users
>> <shorewall-users@lists.shorewall.net>
>>Message-ID: <4097A474.4060804@shorewall.net>
>>Content-Type: text/plain; charset=us-ascii; format=flowed
>>
>>Per Kofod wrote:
>>
>>
>>>but after this the shorewall firewall rejects all
>>>further packets coming from the remote site with an "ICMP Destination
>>>unreachable" as seen on the following:
>>>
>>
>>Also, how was the posted trace obtained (where was the packet sniffer
>>placed when the trace was captured)?
>>
>
>
>>End of Shorewall-users Digest, Vol 18, Issue 10
>>***********************************************
>
>
> My network looks like this:
>
>                      192.168.1.0/24
>            +----------+     loc +--------+   wrk
>            |          |         |Cisco   |
> Internet --|NAT Router|----+----|VPN Box  |-------+
>            |          |    |    |        |       |    +------------+
>            +----------+    |    +--------+       |    |Irix        |
>                            |                     +----|Workstation |
>            +----------+    |    +-----------+    |    |            |
>            |Homepc 1  |    |eth0|Linux RH9  |eth1|    +------------+
>            |Redhat 7.2|----+----|Firewall   |----+
>            |          |    |    |Shorewall  |    |    +------------+
>            +----------+    |    +-----------+    |    |Linux       |
>                            |                     +----|Laptop      |
>            +----------+    |                     |    |Fedora C2   |
>            |Homepc 2  |    |                     |    +------------+
>            |Suse 8.0  |----+                     |    +-----------+
>            |          |                          |    |           |
>            +----------+                          +----|Printer    |
>                                                       |           |
>                                                       +-----------+
>
> The trace was obtained with tethereal taken on eth0 on the firewall, in
> the loc zone. It is very consistent when trying to connect to Red Hat
> mirrors from up2date, but it also happens connecting to some URLs while
> not with others, though I have never seen the problem connecting from
> the IRIX workstation, where the only difference I can see is that the
> Linux laptop tends to use much higher source port numbers than the IRIX
> box.
Ok -- Now I'm totally confused.
a) The addresses shown in the connection-tracking output that you sent
in your first post were all public. Yet, one side of your firewall is on
a private network (192.168.1.0/24).
b) The trace output was to show a connection attempt from the Fedora
laptop to some external site. So is the Fedora laptop 123.45.67.89?
c) From the above, I would guess that the Shorewall box isn't doing any
NAT, correct?
d) In that case, how in the above diagram does the Shorewall box get to
the Internet? Through the NAT router (even though NAT isn't involved)?
e) How does traffic from the internet route back to 123.45.67.89?
>
> I have tried with different settings for CLAMPMSS and NEWNOTSYN in
> shorewall.conf, but this makes no difference, and I do not see anything
> logged about this dropping of packets.
Shorewall-generated rules are *NOT* causing this problem. Shorewall
doesn't generate rules which return the ICMP type you are seeing except
in response to ping.
It would be useful to see the output of "shorewall status" (as an
attachment) as well as the output of "ip addr ls" and "ip route ls" from
the firewall and from the laptop.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net