Hey all,

I've set up a roadwarrior setup for a VPN. A brief description of my system follows:

eth0 -- Cable Modem/Internet
eth1 -- Internal computers (192.168.2.10-30)
tap0 -- VPN Connection (192.168.2.40-50)
br0  -- Bridge for eth1 and tap0

I've created the bridge and the openvpn setup works just fine. I can ping from internal to external computers and back. However, an odd thing has happened: my internal computers have lost internet access (the ones behind eth1).

After repeated testing with tcpdump -i XXX -t icmp I have found the location of the problem, I believe.

eth0 -- I see the send/receive pings
br0  -- I see the send/receive pings
eth1 -- I ONLY see the send pings.. not the returns

My bridge connection is set to loc and in the policy files I've done loc fw, loc net, loc loc to no avail.

I've no idea why, but br0 is not sending the data back to eth1 like it should. I've recreated the bridge several times, even rebooted my machine, but each time it doesn't send the packets back. I'm not sure if it's shorewall blocking it or not. I honestly don't see how, but I thought I would put this out and see what people thought.

I've included my config files tar'd and my shorewall status. I haven't mentioned it, but obviously my internal network has proper internet access when I remove the bridge/tunnel settings.
J P wrote:
> I've included my config files tar'd and my shorewall status. I haven't
> mentioned it, but obviously my internal network has proper internet
> access when I remove the bridge/tunnel settings.

A couple of things about your configuration:

a) Please set DROPINVALID=No in shorewall.conf -- with recent kernels, DROPINVALID=Yes can cause all sorts of problems, and DROPINVALID has been totally removed in Shorewall 2.5.

b) Please set a log level for your net->all policy so we can see what incoming packets are being dropped by your firewall.

Also, which kernel version are you running?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Kernel:
Linux tambu 2.6.12-rc6-love1 #5 SMP Tue Jul 26 18:41:44 CDT 2005 i686 AMD Athlon(tm) XP 2800+ AuthenticAMD GNU/Linux (Gentoo)

As far as the log stuff, I actually wanted to set log levels higher.. but I'm not getting any logging at all. I have metalog and it's set correctly in my shorewall.conf, and when I execute shorewall start it will show "Shorewall Started" in the metalog but no other messages. Everything is set to info so I don't know why I'm not seeing anything. Is there a "masterlog on" option or something?

I didn't have the DROPINVALID=Yes anywhere in my shorewall.conf but I added DROPINVALID=No and restarted, but I still don't have internet access for my internal computers.

Please let me know what I might be missing to enable logging. I've also set the LOGFILE to be /var/log/shorewall.log and nothing shows up in there, so I know it's not metalog doing something funky..

On 8/8/05, Tom Eastep <teastep@shorewall.net> wrote:

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
J P wrote:
> Kernel:
> Linux tambu 2.6.12-rc6-love1 #5 SMP Tue Jul 26 18:41:44 CDT 2005 i686
> AMD Athlon(tm) XP 2800+ AuthenticAMD GNU/Linux (Gentoo)

Netfilter/Bridging is reportedly broken in Kernel 2.6.12.

> As far as the log stuff, I actually wanted to set log levels higher..
> but I'm not getting any logging at all. I have metalog and it's set
> correctly in my shorewall.conf

The shorewall.conf has nothing to do with policy logging.

> and when I execute shorewall start it
> will show "Shorewall Started" in the metalog but no other messages.

Those are the only two log messages that are actually generated by Shorewall. All other "shorewall" logging is actually done by Netfilter.

> Everything is set to info so I don't know why I'm not seeing anything.
> Is there a "masterlog on" option or something?

"Everything" is NOT set to info -- As I told you in my previous post, you have NO logging specified for your fw->all DROP policy. In any shorewall configuration, that specification accounts for 99+% of the log messages generated.

> I didn't have the DROPINVALID=Yes anywhere in my shorewall.conf but I added
> DROPINVALID=No
> and restarted, but I still don't have internet access for my internal computers.
>
> Please let me know what I might be missing to enable logging.
> I've also set the LOGFILE to be /var/log/shorewall.log

As described in the comments about that variable and in the Shorewall logging documentation, the LOGFILE specification in shorewall.conf simply tells /sbin/shorewall where to find the log for the "logwatch", "show log" and "status" commands. It does nothing to direct the logging itself.

> and nothing
> shows up in there, so I know it's not metalog doing something funky..

I know nothing about metalog.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
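Tom's two points about the configuration (a DROP policy with no LOG LEVEL column never produces a Netfilter log entry, and DROPINVALID=Yes should be turned off) can be checked mechanically. The script below is an added example for this thread, not code from the list or from Shorewall; the policy file and shorewall.conf contents are constructed samples laid out in the Shorewall 2.x column format.

```shell
#!/bin/sh
# Constructed sample of a Shorewall 2.x policy file (not the poster's real file).
# The net->all DROP line carries no LOG LEVEL, so packets it drops are never logged.
SAMPLE_POLICY='#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
loc      fw    ACCEPT
loc      loc   ACCEPT
fw       net   ACCEPT
net      all   DROP
all      all   REJECT  info'

# Constructed sample of the shorewall.conf settings discussed in the thread.
SAMPLE_CONF='DROPINVALID=Yes
LOGFILE=/var/log/shorewall.log
BRIDGING=No'

# Print "SOURCE->DEST POLICY" for every DROP/REJECT policy without a log level
# (column 4 empty or "-"); comment and blank lines are skipped.
unlogged_policies() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        toupper($3) == "DROP" || toupper($3) == "REJECT" {
            if ($4 == "" || $4 == "-") print $1 "->" $2 " " toupper($3)
        }'
}

# Emit the policy file with "info" filled in as LOG LEVEL on those lines,
# which is what Tom asked for; every other line is passed through unchanged.
add_log_level() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        (toupper($3) == "DROP" || toupper($3) == "REJECT") && ($4 == "" || $4 == "-") {
            print $1 "\t" $2 "\t" $3 "\tinfo"; next
        }
        { print }'
}

# Print the DROPINVALID value from a shorewall.conf (empty output if it is unset).
dropinvalid_setting() {
    printf '%s\n' "$1" | sed -n 's/^DROPINVALID=//p'
}

echo "Policies that will never log: $(unlogged_policies "$SAMPLE_POLICY")"
echo "DROPINVALID is set to: $(dropinvalid_setting "$SAMPLE_CONF")"
add_log_level "$SAMPLE_POLICY"
```

On a live box, feed it the real files with `unlogged_policies "$(cat /etc/shorewall/policy)"`; an empty result means every DROP/REJECT policy will show its drops in the Netfilter log.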
Ok, thanks Tom,

I'll go and recompile a later kernel and see if that helps me out. That would make sense if it was a broken kernel issue. I'll try it out and get back with you if that doesn't help.

Thanks

On 8/8/05, Tom Eastep <teastep@shorewall.net> wrote:
J P wrote:
> Ok, thanks Tom,
>
> I'll go and recompile a later kernel and see if that helps me out.
> That would make sense if it was a broken kernel issue. I'll try it out
> and get back with you if that doesn't help.

If I were you, I would compile a 2.6.11 kernel.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I have a couple of questions. Why do you have BRIDGING=No in shorewall.conf?

You have 2 different /24 nets in the rules file for loc (192.168.1.x ..2.x); you should use the hosts file to declare 2 different subnets. Is the 1.x the remote LAN on the other end of the tap interface? You have no route to 192.168.1.0/24 anywhere; is that why you were asking about aliases on a bridge?

Just need to have it cleared up before I make a suggestion.

Jerry
Jerry,

I have two subnets in my rules file because I used to be using the .1.0 subnet and moved to .2.0, nothing special. The rules file just needs cleaning up.

As to the BRIDGING=NO, it was set to this by default. I changed it to YES but I got an error when I tried to start shorewall. I would put the error here, but since someone said that the 2.6.12 kernel was broken with bridging I downgraded to 2.6.11 and that fixed my problems.

Error: BRIDGING=Yes requires Physdev Match support in your Kernel and iptables

(That is the message I get; as I don't appear to need it, I've left it set to No.)

Thanks

On 8/8/05, Jerry Vonau <jvonau@shaw.ca> wrote:

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users