claas@rootdir.de wrote:

>> Claas -- will you please install a kernel that will work with the
>> ipsec-nn Patch-O-Matic patches? You are just making life miserable for
>> yourself pursuing the path that you are on...
>
>
> Hello Tom,
>
> well, I managed to patch my kernel by now. But I had to use 2.6.6, since
> newer kernels did not work with the patch-o-matic-ng any more.
>
> I patched ipsec-01..04 and policy into my kernel.
>
>
>> Without those patches, IPSEC and Netfilter basically don't work together
>> except in very simple cases.
>
> I understand.
>
>
>>> kernel: Shorewall:all2all:REJECT:
>>>   IN= OUT=ppp0 SRC=123.123.123.111 DST=192.168.176.2
>>>   LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=60490 DF PROTO=TCP
>>>   SPT=32820 DPT=110 WINDOW=5808 RES=0x00 SYN URGP=0
>>>
>>> How do I write the rule for this?
>>>
>>> ACCEPT net:123.123.123.111 net:192.168.176.0/24 tcp 110
>>>        ^^^                 ^^^
That is a fw->vpn packet. There is no IN= device, so the packet
originated on the firewall. Since the destination IP is an RFC1918
address, I assume that it is in the remote network connected via
the tunnel.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
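As an added illustration of the reasoning in Tom's reply (this is example code written for this page, not code from the thread or from the Shorewall project): parse the logged packet's KEY=VALUE fields, decide where it came from purely from the IN=/OUT= devices, and map the RFC1918 destination to the tunnel zone. The interface-to-zone table, the vpn network list and the resulting rule line are assumptions for the example; the log line is constructed from the one quoted above.

```python
import ipaddress
import re

# Constructed sample, modelled on the log line quoted in the thread
# (the addresses are the ones shown there).
SAMPLE_LOG = (
    "kernel: Shorewall:all2all:REJECT: IN= OUT=ppp0 SRC=123.123.123.111 "
    "DST=192.168.176.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=60490 DF "
    "PROTO=TCP SPT=32820 DPT=110 WINDOW=5808 RES=0x00 SYN URGP=0"
)

# Assumed site layout (hypothetical, not from the thread): which interface
# belongs to which zone, and which remote networks are reached through the
# IPsec tunnel.  Tunnel traffic leaves via ppp0 but belongs to the vpn zone,
# so the destination address, not the egress device, decides the zone.
INTERFACE_ZONES = {"ppp0": "net", "eth0": "loc"}
TUNNEL_NETWORKS = {"vpn": [ipaddress.ip_network("192.168.176.0/24")]}

PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Split a Shorewall/netfilter log line into (chain, disposition, fields).

    Bare flags such as DF or SYN carry no '=' and are ignored; an empty
    value (IN=) is kept as '' so its absence can be tested explicitly.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    return m.group(1), m.group(2), dict(FIELD_RE.findall(line))


def classify_direction(fields):
    """Derive where the packet came from using only IN= and OUT=."""
    in_dev, out_dev = fields.get("IN", ""), fields.get("OUT", "")
    if not in_dev and out_dev:
        return "local-out"      # generated on the firewall itself
    if in_dev and not out_dev:
        return "local-in"       # addressed to the firewall itself
    if in_dev and out_dev:
        return "forward"        # routed through the firewall
    raise ValueError("neither IN= nor OUT= present")


def zone_for_destination(fields):
    """Tunnel networks win over the egress interface's zone (assumed layout)."""
    dst = ipaddress.ip_address(fields["DST"])
    for zone, nets in TUNNEL_NETWORKS.items():
        if any(dst in net for net in nets):
            return zone
    return INTERFACE_ZONES.get(fields.get("OUT", ""), "net")


def suggest_rule(fields):
    """Build the /etc/shorewall/rules line that would have accepted the packet.

    Column order is ACTION SOURCE DEST PROTO DEST-PORT; $FW is Shorewall's
    name for the firewall zone.  Only the locally generated case from the
    thread is handled here.
    """
    if classify_direction(fields) != "local-out":
        raise ValueError("only locally generated packets are handled")
    return "ACCEPT $FW {} {} {}".format(
        zone_for_destination(fields), fields["PROTO"].lower(), fields["DPT"])


if __name__ == "__main__":
    chain, disposition, fields = parse_netfilter_log(SAMPLE_LOG)
    print(chain, disposition, classify_direction(fields))
    print(suggest_rule(fields))
```

The point the script encodes is the one Tom makes: an empty IN= means the firewall itself produced the packet, so the source is the fw zone rather than net, and a private destination behind an IPsec tunnel belongs to the vpn zone even though the packet physically leaves through the net interface.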