Hi,

here is my system on shorewall:

eth0 192.168.108.1 net
eth1 192.168.109.1 dmz
eth2 192.168.110.1 loc_110
eth3 192.168.111.1 loc

I haven't access from or to server in loc_110 through shorewall. I can use ssh or other types from loc to dmz or from loc to fw, but I can't use connections to loc_110.
I can also use ssh - connection from fw to loc_110 or redirectly.

Where is the problem? In message log are no entries. In my opinion it's a problem of routing.

Regards
Michael Menkhoff

On the 8th day, god created LINUX.

Michael Menkhoff wrote:
>
> Where is the problem? In message log are no entries. In my opinion
> it's a problem of routing.
>

From the facts you have presented the answer to your question is, "Maybe or maybe not".

Michael Menkhoff wrote:
> Hi,
>
> here is my system on shorewall:
>
> eth0 192.168.108.1 net
> eth1 192.168.109.1 dmz
> eth2 192.168.110.1 loc_110
> eth3 192.168.111.1 loc
>
> I haven't access from or to server in loc_110 through shorewall. I can
> use ssh or other types from loc to dmz or from loc to fw, but I can't use connections
> to loc_110.
> I can also use ssh - connection from fw to loc_110 or redirectly.
>
> Where is the problem? In message log are no entries. In my opinion
> it's a problem of routing.
>

If you submit a proper problem report, we will try to help -- see http://shorewall.net/support.htm

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Aren't zones short names limited to 5 characters or less? Maybe you are running into an issue that it can't determine what loc_110 is because it's too long.

--

Michael Menkhoff wrote:
> Hi,
>
> here is my system on shorewall:
>
> eth0 192.168.108.1 net
> eth1 192.168.109.1 dmz
> eth2 192.168.110.1 loc_110
> eth3 192.168.111.1 loc
>
> I haven't access from or to server in loc_110 through shorewall. I can
> use ssh or other types from loc to dmz or from loc to fw, but I can't
> use connections to loc_110.
> I can also use ssh - connection from fw to loc_110 or redirectly.
>
> Where is the problem? In message log are no entries. In my opinion
> it's a problem of routing.
>

Thibodeau, Jamie L. wrote:
> Aren't zones short names limited to 5 characters or less? Maybe you are
> running into an issue that it can't determine what loc_110 is because
> it's too long.
> --

The 5-character limit has to do with logging; the longest chain name that may be used with the standard LOGFORMAT string without truncation is 11 characters. There should be no confusion caused by long zone names.

-Tom

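Added example (not part of the thread and not Shorewall's own code): a Python check of the limit described in the reply above. It assumes the standard LOGFORMAT is `Shorewall:%s:%s:`, that iptables caps `--log-prefix` at 29 characters, and that the chain for a zone pair is named `<source>2<dest>`, as in the `loc2net` log entries further down; the zone name `dmz_web` is constructed.

```python
# Added illustration; not Shorewall's own code.
from itertools import permutations

LOG_PREFIX_MAX = 29              # iptables --log-prefix accepts at most 29 characters
LOGFORMAT = "Shorewall:%s:%s:"   # assumed standard LOGFORMAT (chain, disposition)
DISPOSITIONS = ("ACCEPT", "DROP", "REJECT")


def chain_name(src, dst):
    """Chain for traffic from zone src to zone dst, e.g. loc2net."""
    return f"{src}2{dst}"


def max_chain_len():
    """Longest chain name whose prefix still fits with any disposition."""
    fixed = len(LOGFORMAT % ("", ""))            # "Shorewall:" plus two colons
    longest = max(len(d) for d in DISPOSITIONS)
    return LOG_PREFIX_MAX - fixed - longest


def truncated_pairs(zones, disposition="REJECT"):
    """Map each over-long chain to its log prefix cut at LOG_PREFIX_MAX."""
    cut = {}
    for src, dst in permutations(zones, 2):
        chain = chain_name(src, dst)
        prefix = LOGFORMAT % (chain, disposition)
        if len(prefix) > LOG_PREFIX_MAX:
            cut[chain] = prefix[:LOG_PREFIX_MAX]
    return cut


if __name__ == "__main__":
    thread_zones = ["fw", "net", "dmz", "loc_110", "loc"]   # zones named in the thread
    print("longest safe chain name:", max_chain_len())
    print("thread zones, cut prefixes:", truncated_pairs(thread_zones))
    # dmz_web is a constructed zone name, used only to show a cut prefix
    for chain, prefix in truncated_pairs(["loc_110", "dmz_web"]).items():
        print(f"{chain} -> {prefix!r}")
```

With the zones from the original post every chain name is 11 characters or shorter, so `loc_110` by itself does not cause a cut log prefix; pairing two 7-character zone names does.
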
Hi, I have one shorewall configured in one client and this client need access to another client with symantec vpn, after I see find the protocol named esp....

can I set this in protocol rules?

Nov 17 16:46:26 kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=IP DST=IP LEN=152 TOS=0x00 PREC=0x00 TTL=253 ID=43 PROTO=ESP SPI=0xa7062e5
Nov 17 16:46:40 kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=IP DST=IP LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=414 PROTO=41

tks

Marcelo Leão Caffaro wrote:
> Hi, I have one shorewall configured in one client and this client need
> access to another client with symantec vpn, after I see find the
> protocol named esp....
>
> can I set this in protocol rules?
>

Yes.

-Tom