Hello,

I have now installed OpenVPN on the Linux server. I have bridged eth1 to br0 with 2 TAP devices. When I do not run shorewall I can connect from a Windows machine with OpenVPN on it, but when I start shorewall everything is dropped. I still cannot find out how to create correct rules for this setup. The FAQ only talks about two shorewall firewalls connected to each other, and that is a very different situation. Does anybody have an idea where to start and what the rules should look like?

Peter Lindeman
Peter Lindeman wrote:

> Hello,
>
> I have now installed OpenVPN on the Linux server. I have bridged eth1 to br0 with 2 TAP devices. When I do not run shorewall I can connect from a Windows machine with OpenVPN on it, but when I start shorewall everything is dropped. I still cannot find out how to create correct rules for this setup. The FAQ only talks about two shorewall firewalls connected to each other, and that is a very different situation. Does anybody have an idea where to start and what the rules should look like?

What "Shorewall" log messages are you seeing?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

>> I have now installed OpenVPN on the Linux server. I have bridged eth1 to br0 with 2 TAP devices. When I do not run shorewall I can connect from a Windows machine with OpenVPN on it, but when I start shorewall everything is dropped. I still cannot find out how to create correct rules for this setup. The FAQ only talks about two shorewall firewalls connected to each other, and that is a very different situation. Does anybody have an idea where to start and what the rules should look like?
>
> What "Shorewall" log messages are you seeing?

May 6 16:37:42 gprs kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.1.63 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=5901 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6656

I can reach the firewall but not the local LAN. I have changed the eth1 device on the firewall into the bridged one, br0.

Peter Lindeman
Peter Lindeman wrote:

> Tom Eastep wrote:
>
>>> I have now installed OpenVPN on the Linux server. I have bridged eth1 to br0 with 2 TAP devices. When I do not run shorewall I can connect from a Windows machine with OpenVPN on it, but when I start shorewall everything is dropped. I still cannot find out how to create correct rules for this setup. The FAQ only talks about two shorewall firewalls connected to each other, and that is a very different situation. Does anybody have an idea where to start and what the rules should look like?
>>
>> What "Shorewall" log messages are you seeing?
>
> May 6 16:37:42 gprs kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.1.63 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=5901 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6656
>
> I can reach the firewall but not the local LAN. I have changed the eth1 device on the firewall into the bridged one, br0.

Are all bridged interfaces a single "loc" zone? If so, you need to set the "routeback" option on br0 in /etc/shorewall/interfaces, as I posted yesterday.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

>>> What "Shorewall" log messages are you seeing?
>>
>> May 6 16:37:42 gprs kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.1.63 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=5901 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6656
>>
>> I can reach the firewall but not the local LAN. I have changed the eth1 device on the firewall into the bridged one, br0.
>
> Are all bridged interfaces a single "loc" zone? If so, you need to set the "routeback" option on br0 in /etc/shorewall/interfaces, as I posted yesterday.

Oops, I had not yet noticed yesterday's thread about the same problem. It is now working here, thanks Tom!

Peter
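The clue Tom used above is visible in the log line itself: IN and OUT are the same bridge (br0) while PHYSIN and PHYSOUT differ (tap0 to eth1), so the packet is hairpinning between two ports of one bridge, which Shorewall only forwards when that interface has the routeback option. The script below is an added example, not code from the thread or from Shorewall: it parses Shorewall kernel log lines into their key=value fields, flags FORWARD rejects with IN == OUT, and emits the /etc/shorewall/interfaces line that Tom's advice implies. Assumptions: the second log line is constructed as a non-matching control, and the ZONE INTERFACE BROADCAST OPTIONS column layout of the interfaces file is assumed for the suggested line.

```python
import re

# Constructed sample log: the line from the thread plus one unrelated
# net2all drop, so the scanner has both a hit and a non-hit.
SAMPLE_LOG = """\
May 6 16:37:42 gprs kernel: Shorewall:FORWARD:REJECT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.1.63 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=5901 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6656
May 6 16:38:01 gprs kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=4444 DPT=22
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" then netfilter fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_shorewall_line(line):
    """Return a dict of the Shorewall chain, disposition and key=value fields,
    or None if the line is not a Shorewall log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ID= appears twice for ICMP (IP id, then ICMP id); keep the first.
            fields.setdefault(key, value)
    return fields


def needs_routeback(fields):
    """True when a forwarded packet entered and left via the same interface,
    i.e. traffic between two ports of one bridge (PHYSIN != PHYSOUT)."""
    return bool(fields
                and fields.get("chain") == "FORWARD"
                and fields.get("IN")
                and fields.get("IN") == fields.get("OUT"))


def suggest_interfaces_line(zone, fields):
    # Assumed column layout: ZONE  INTERFACE  BROADCAST  OPTIONS
    return f"{zone}\t{fields['IN']}\tdetect\trouteback"


def scan(log_text, zone="loc"):
    """Return (bridge, physin, physout, suggested_line) for every hit."""
    findings = []
    for line in log_text.splitlines():
        f = parse_shorewall_line(line)
        if needs_routeback(f):
            findings.append((f["IN"], f.get("PHYSIN"), f.get("PHYSOUT"),
                             suggest_interfaces_line(zone, f)))
    return findings


if __name__ == "__main__":
    for bridge, pin, pout, line in scan(SAMPLE_LOG):
        print(f"{bridge}: {pin} -> {pout} rejected in FORWARD; add: {line}")
```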