HI

I have shorewall 3.0.8 and I have some problem forwarding some fragmented udp packets. They are part of a vpn authentication so I'm not sure where the problem is. Without shorewall the vpn connection works ok.

I have a host on my internal network which has to connect to a vpn server on the internet. So the endpoint is not on the fw machine. I just have to forward and SNAT udp 500 and udp 2746 traffic between these 2 hosts.

I receive 2 fragmented udp packets on my external interface but they don't show up on my internal interface.

Any help would be highly appreciated
renyi zsolt wrote:
> HI
>
> I have shorewall 3.0.8 and I have some problem forwarding some fragmented udp packets. They are part of a vpn authentication so I'm not sure where the problem is.
> Without shorewall the vpn connection works ok.

What exactly does that mean? Does it mean that if you clear shorewall then add the required iptables rules manually that it works?

> I have a host on my internal network which has to connect to a vpn server on the internet. So the endpoint is not on the fw machine. I just have to forward and SNAT udp 500 and udp 2746 traffic between these 2 hosts.

Why SNAT?

> I receive 2 fragmented udp packets on my external interface but they don't show up on my internal interface.

Netfilter reassembles fragments before filtering.

We need to see details -- please see http://www.shorewall.net/support.htm for instructions regarding submitting a problem report.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Thanks for your quick answer.

The answer is yes, if I clear shorewall then add the rules manually it works.

SNAT because I have private addresses on my local network.

Do I have to add something in tunnels, or put some ipsec option in the /etc/shorewall/hosts file?

--- Tom Eastep <teastep@shorewall.net> wrote:
> renyi zsolt wrote:
>> HI
>>
>> I have shorewall 3.0.8 and I have some problem forwarding some fragmented udp packets. They are part of a vpn authentication so I'm not sure where the problem is.
>> Without shorewall the vpn connection works ok.
>
> What exactly does that mean? Does it mean that if you clear shorewall then add the required iptables rules manually that it works?
>
>> I have a host on my internal network which has to connect to a vpn server on the internet. So the endpoint is not on the fw machine. I just have to forward and SNAT udp 500 and udp 2746 traffic between these 2 hosts.
>
> Why SNAT?
>
>> I receive 2 fragmented udp packets on my external interface but they don't show up on my internal interface.
>
> Netfilter reassembles fragments before filtering.
>
> We need to see details -- please see http://www.shorewall.net/support.htm for instructions regarding submitting a problem report.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
I tried to insert the rules which I wrote and which worked before shorewall's rules, but that didn't help. So I think the rules are not the problem but something else silently drops those packets. Maybe shorewall sets something in /proc/sys/net or something else.
renyi zsolt wrote:
> I tried to insert the rules which I wrote and which worked before shorewall's rules, but that didn't help. So I think the rules are not the problem but something else silently drops those packets. Maybe shorewall sets something in /proc/sys/net or something else.

Shorewall only sets what you ask it to.

-Tom
Tom Eastep wrote:
> renyi zsolt wrote:
>> I tried to insert the rules which I wrote and which worked before shorewall's rules, but that didn't help. So I think the rules are not the problem but something else silently drops those packets. Maybe shorewall sets something in /proc/sys/net or something else.
>
> Shorewall only sets what you ask it to.

And you can see the values of the /proc/sys/net items that Shorewall *might* have changed using "shorewall dump". The /proc output is near the bottom.

-Tom
Anyone know what happened to Marc's site? I had his page bookmarked and it seems to be down now:

http://marc.zonzon.free.fr/public_html/home.php?section=WRTMemo&subsec=vpnwithshorewall

It is linked from this part of the Shorewall docs:

http://www.shorewall.net/OPENVPN.html

Specifically I was looking for a piece he wrote about how to selectively allow communication between OpenVPN clients. Does anyone know if this page exists anywhere else? I have done some searching but haven't found another source for it.

Thanks.
Bob Smith wrote:
> Specifically I was looking for a piece he wrote about how to selectively allow communication between OpenVPN clients.

That's very easy:

a) Do not set 'client-to-client' in your OpenVPN config.
b) Specify 'routeback' on the OpenVPN interface (tun/tap) in /etc/shorewall/interfaces.
c) The default vpn->vpn policy is ACCEPT -- if you want to reject by default, add this to /etc/shorewall/policy:

   vpn     vpn     REJECT

d) Whatever your policy, you can now add vpn->vpn rules as desired:

   <action>   vpn[:<address>[,...]]   vpn[:<address>[,...]]   ...

-Tom
Hey Tom,

Will this also work if I am trying to access networks behind the vpn clients? For example:

Client 1 -------> VPN Server <------- Client2

Client 1 has network: 192.168.1.0/24
Client 2 has networks: 10.1.1.0/24 and 10.1.2.0/24.

I tried what you suggest and it doesn't appear to work for me. My test is to ping something in 10.1.1.0/24 from 192.168.1.0/24. On my Client 1 and my VPN Server I put a rule in shorewall to log the vpn traffic. After taking away the client-to-client statement and testing I can see the traffic going out through Client 1 but never see it on the VPN Server.

Bob.

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>Subject: Re: [Shorewall-users] Marc Zonzon's Site ...
>Date: Sun, 09 Jul 2006 11:58:55 -0700
>
>Bob Smith wrote:
>> Specifically I was looking for a piece he wrote about how to selectively allow communication between OpenVPN clients.
>
>That's very easy:
>
>a) Do not set 'client-to-client' in your OpenVPN config.
>b) Specify 'routeback' on the OpenVPN interface (tun/tap) in /etc/shorewall/interfaces.
>c) The default vpn->vpn policy is ACCEPT -- if you want to reject by default, add this to /etc/shorewall/policy:
>
>   vpn     vpn     REJECT
>
>d) Whatever your policy, you can now add vpn->vpn rules as desired:
>
>   <action>   vpn[:<address>[,...]]   vpn[:<address>[,...]]   ...
>
>-Tom
Bob Smith wrote:
> Hey Tom,
>
> Will this also work if I am trying to access networks behind the vpn clients? For example:
>
> Client 1 -------> VPN Server <------- Client2
>
> Client 1 has network: 192.168.1.0/24
> Client 2 has networks: 10.1.1.0/24 and 10.1.2.0/24.
>
> I tried what you suggest and it doesn't appear to work for me. My test is to ping something in 10.1.1.0/24 from 192.168.1.0/24. On my Client 1 and my VPN Server I put a rule in shorewall to log the vpn traffic. After taking away the client-to-client statement and testing I can see the traffic going out through Client 1 but never see it on the VPN Server.
>

Bob,

I don't try to solve problems about which I have no facts. See http://www.shorewall.net/support.htm

-Tom
Tom Eastep wrote:
> Bob Smith wrote:
>> Hey Tom,
>>
>> Will this also work if I am trying to access networks behind the vpn clients? For example:
>>
>> Client 1 -------> VPN Server <------- Client2
>>
>> Client 1 has network: 192.168.1.0/24
>> Client 2 has networks: 10.1.1.0/24 and 10.1.2.0/24.
>>
>> I tried what you suggest and it doesn't appear to work for me. My test is to ping something in 10.1.1.0/24 from 192.168.1.0/24. On my Client 1 and my VPN Server I put a rule in shorewall to log the vpn traffic. After taking away the client-to-client statement and testing I can see the traffic going out through Client 1 but never see it on the VPN Server.
>>
>
> Bob,
>
> I don't try to solve problems about which I have no facts. See http://www.shorewall.net/support.htm
>

FYI -- what you are trying to do *should* work

-Tom
I don't know what to think. I inserted my rules, which worked without shorewall, but the packets were dropped just like before. I uncommented dropInvalid and dropNotSyn in /usr/share/shorewall/action.Drop and /usr/share/shorewall/action.Reject but still no success. Logs won't show anything either; I have log level info for net2all traffic.

These are the /proc/sys settings from shorewall dump:

/proc/version = Linux version 2.6.15-1.2054_FC5smp (bhcompile@hs20-bc1-3.build.redhat.com) (gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)) #1 SMP Tue Mar 14 16:05:46 EST 2006
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/br0/proxy_arp = 0
/proc/sys/net/ipv4/conf/br0/arp_filter = 0
/proc/sys/net/ipv4/conf/br0/arp_ignore = 0
/proc/sys/net/ipv4/conf/br0/rp_filter = 1
/proc/sys/net/ipv4/conf/br0/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Only source route verification is turned on, but not from shorewall's interfaces file but from sysctl.conf.

Could the drop happen somewhere in the PREROUTING chain and not in the FORWARD chain? I just don't understand why the rules I inserted before shorewall's rules didn't work. Please help.

--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> renyi zsolt wrote:
>>> I tried to insert the rules which I wrote and which worked before shorewall's rules, but that didn't help. So I think the rules are not the problem but something else silently drops those packets. Maybe shorewall sets something in /proc/sys/net or something else.
>>
>> Shorewall only sets what you ask it to.
>
> And you can see the values of the /proc/sys/net items that Shorewall *might* have changed using "shorewall dump". The /proc output is near the bottom.
>
> -Tom
renyi zsolt wrote:
> I don't know what to think. I inserted my rules, which worked without shorewall, but the packets were dropped just like before.

Did you "shorewall clear" before inserting your rules?

> I uncommented dropInvalid and dropNotSyn in /usr/share/shorewall/action.Drop and /usr/share/shorewall/action.Reject but still no success.

Of course not -- From /usr/share/shorewall/action.Reject:

# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!

I don't know how to make that any clearer.

> Logs won't show anything either; I have log level info for net2all traffic.

> Could the drop happen somewhere in the PREROUTING chain and not in the FORWARD chain?
> I just don't understand why the rules I inserted before shorewall's rules didn't work. Please help.

I can't help until you forward the information I asked for. Again, please refer to http://www.shorewall.net/support.htm

-Tom
Thanks Tom for answering. I will send you the shorewall dump tomorrow.

To answer your question: if I do a shorewall clear and add some very basic rules like:

iptables -A FORWARD -s 80.96.3.4 -j ACCEPT
iptables -A FORWARD -s 192.168.61.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -s 192.168.61.0/24 -j SNAT --to 81.196.150.227

where 80.96.3.4 is the host I'm trying to connect to, the connection works. But if I start shorewall and insert the same rules (with -I) I can't connect to that vpn gateway.

Thanks in advance and I'll send you the data tomorrow.

--- Tom Eastep <teastep@shorewall.net> wrote:
> renyi zsolt wrote:
>> I don't know what to think. I inserted my rules, which worked without shorewall, but the packets were dropped just like before.
>
> Did you "shorewall clear" before inserting your rules?
>
>> I uncommented dropInvalid and dropNotSyn in /usr/share/shorewall/action.Drop and /usr/share/shorewall/action.Reject but still no success.
>
> Of course not -- From /usr/share/shorewall/action.Reject:
>
> # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
>
> I don't know how to make that any clearer.
>
>> Logs won't show anything either; I have log level info for net2all traffic.
>
>> Could the drop happen somewhere in the PREROUTING chain and not in the FORWARD chain?
>> I just don't understand why the rules I inserted before shorewall's rules didn't work. Please help.
>
> I can't help until you forward the information I asked for. Again, please refer to http://www.shorewall.net/support.htm
>
> -Tom
On Sat, 2006-07-08 at 03:55 -0700, renyi zsolt wrote:
> I have a host on my internal network which has to connect to a vpn server on the internet. So the endpoint is not on the fw machine. I just have to forward and SNAT udp 500 and udp 2746 traffic between these 2 hosts.

Maybe I'm missing the point here, but...

What about simply masquerading that host or the entire internal LAN? Works perfectly for me using OpenVPN and Cisco VPN, the client being behind a Shorewall firewall.

Karsten

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
On Sun, 2006-07-09 at 12:54 -0400, Bob Smith wrote:

[ snipp ]

/me puts on his list sheriff hat

Bob, please don't hijack unrelated threads. Hitting 'Reply' and snipping the entire quoted text does *not* make your post a new thread.

If you don't understand this, try enabling threaded view in your MUA (extremely helpful for mailing lists anyway) and have a look at the mail headers of your post -- particularly the In-Reply-To: and References: headers.

Karsten
I already tried that and it didn't work. I tried inserting rules before shorewall's rules to ACCEPT every connection from 80.96.3.4, to which I try to connect, and I also tried SNAT-ing all traffic from the host I am connecting from. I have an older firewall (firehol, I decided to change it to shorewall) and on that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With shorewall no matter what I try the vpn gateway returns 2 fragmented udp packets which are Dropped somewhere.

Here is a tcpdump output on my external interface:

17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp

These 2 packets won't show up on my internal interface, which is a bridge, but I also tried without bridge, with one normal ethernet card.

Tom please find attached my shorewall dump.

Thanks

--- Karsten Bräckelmann <kb@shorewall.net> wrote:
> On Sat, 2006-07-08 at 03:55 -0700, renyi zsolt wrote:
>
>> I have a host on my internal network which has to connect to a vpn server on the internet. So the endpoint is not on the fw machine. I just have to forward and SNAT udp 500 and udp 2746 traffic between these 2 hosts.
>
> Maybe I'm missing the point here, but...
>
> What about simply masquerading that host or the entire internal LAN? Works perfectly for me using OpenVPN and Cisco VPN, the client being behind a Shorewall firewall.
>
> Karsten
renyi zsolt wrote:
> I already tried that and it didn't work. I tried inserting rules before shorewall's rules to ACCEPT every connection from 80.96.3.4, to which I try to connect, and I also tried SNAT-ing all traffic from the host I am connecting from. I have an older firewall (firehol, I decided to change it to shorewall) and on that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With shorewall no matter what I try the vpn gateway returns 2 fragmented udp packets which are Dropped somewhere.
>
> Here is a tcpdump output on my external interface:
> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
>

They are dropped because they are the 2nd and 3rd fragments of 3. The first fragment (offset 0) is missing?

-Tom
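Tom's reading of the capture (two fragments of a three-fragment datagram, no offset-0 fragment, so Netfilter's reassembly step can never complete and the filter chains never see a datagram to accept or log) can be checked mechanically. The following Python is an added example, not code from this thread or from Shorewall: it parses tcpdump -v fragment lines like the two quoted above, groups them by IP id and protocol, and reports which byte ranges are missing. It assumes a 20-byte IP header (tcpdump -v prints the total length but not the IHL) and keys only on id and protocol, which is a simplification of the kernel's (src, dst, id, protocol) reassembly key.

```python
import re
from dataclasses import dataclass, field

# Constructed sample capture. The first two lines are the ones quoted in the
# thread (the poster had already replaced the hosts with yyy/xxx); the last
# three are a constructed, complete three-fragment datagram for comparison.
SAMPLE_CAPTURE = """\
17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
17:37:28.000001 IP (tos 0x0, ttl 58, id 28158, offset 0, flags [+], proto: UDP (17), length: 1500) yyy.500 > xxx.500: isakmp
17:37:28.000010 IP (tos 0x0, ttl 58, id 28158, offset 1480, flags [+], proto: UDP (17), length: 1500) yyy > xxx: udp
17:37:28.000020 IP (tos 0x0, ttl 58, id 28158, offset 2960, flags [none], proto: UDP (17), length: 184) yyy > xxx: udp
"""

# Matches the "tcpdump -v" IP header summary. "offset" is already in bytes
# (tcpdump multiplies the 8-octet field); "length" is the total IP length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos 0x[0-9a-fA-F]+, ttl \d+, id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: \w+ \((?P<proto>\d+)\), length: (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+)"
)

# Assumption: no IP options, so the header is 20 bytes.
IP_HEADER_LEN = 20


@dataclass
class Fragment:
    offset: int       # byte offset of this fragment's payload in the datagram
    payload_len: int  # payload bytes carried by this fragment
    more: bool        # MF flag set ("+" in tcpdump's flag list)


@dataclass
class Datagram:
    ip_id: int
    proto: int
    src: str
    dst: str
    fragments: list = field(default_factory=list)
    complete: bool = False
    missing: list = field(default_factory=list)  # (start, end) byte ranges; end is None if unknown
    total_len: int = None                         # payload length; None if the last fragment is absent

    def check(self):
        """Walk the fragments in offset order and record any uncovered byte ranges."""
        frags = sorted(self.fragments, key=lambda f: f.offset)
        last = [f for f in frags if not f.more]
        self.total_len = last[0].offset + last[0].payload_len if last else None
        self.missing = []
        covered_to = 0
        for f in frags:
            if f.offset > covered_to:
                self.missing.append((covered_to, f.offset))
            covered_to = max(covered_to, f.offset + f.payload_len)
        if self.total_len is None:
            # No fragment without MF seen: the tail is missing and the total is unknown.
            self.missing.append((covered_to, None))
        self.complete = not self.missing
        return self


def analyse(capture: str) -> dict:
    """Group tcpdump -v fragment lines by (IP id, protocol) and check each group."""
    datagrams = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        more = "+" in [t.strip() for t in m["flags"].split(",")]
        offset = int(m["off"])
        if offset == 0 and not more:
            continue  # unfragmented packet, nothing to reassemble
        # Simplification: real reassembly also keys on src/dst, but tcpdump -v
        # appends ports to the first fragment only, so key on id and protocol.
        key = (int(m["id"]), int(m["proto"]))
        dg = datagrams.setdefault(key, Datagram(key[0], key[1], m["src"], m["dst"]))
        dg.fragments.append(Fragment(offset, int(m["len"]) - IP_HEADER_LEN, more))
    return {k: dg.check() for k, dg in datagrams.items()}


def report(capture: str) -> list:
    """One human-readable line per fragmented datagram seen in the capture."""
    lines = []
    for (ip_id, proto), dg in sorted(analyse(capture).items()):
        if dg.complete:
            lines.append(f"id {ip_id}: complete, {len(dg.fragments)} fragments, "
                         f"{dg.total_len} payload bytes")
        else:
            gaps = ", ".join(f"{a}-{'?' if b is None else b}" for a, b in dg.missing)
            lines.append(f"id {ip_id}: INCOMPLETE, missing payload bytes {gaps} "
                         f"(reassembly cannot finish, filter never sees the datagram)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

For id 28157 the tool reports payload bytes 0-1480 missing out of 3124, i.e. exactly the first fragment; the useful next step is the same capture taken on the upstream side of the firewall to see whether that fragment ever arrives.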
Tom Eastep wrote:
> renyi zsolt wrote:
>> I already tried that and it didn't work. I tried inserting rules before shorewall's rules to ACCEPT every connection from 80.96.3.4, to which I try to connect, and I also tried SNAT-ing all traffic from the host I am connecting from. I have an older firewall (firehol, I decided to change it to shorewall) and on that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With shorewall no matter what I try the vpn gateway returns 2 fragmented udp packets which are Dropped somewhere.
>>
>> Here is a tcpdump output on my external interface:
>> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
>> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
>>
>
> They are dropped because they are the 2nd and 3rd fragments of 3. The first fragment (offset 0) is missing?

Now that I think of it, there was a kernel problem reported with fragmentation, Netfilter and bridges. Do you have the latest Redhat kernel updates? I doubt it, given that your kernel was compiled in March!

-Tom
Tom Eastep wrote:
>> They are dropped because they are the 2nd and 3rd fragments of 3. The first
>> fragment (offset 0) is missing?
>
> Now that I think of it, there was a kernel problem reported with fragmentation,
> Netfilter and bridges. Do you have the latest Redhat kernel updates? I doubt it,
> given that your kernel was compiled in March!

I looked back in the archives and the problem I was thinking of only occurred in
2.6.16 so it isn't the problem here...

-Tom
Tom Eastep wrote:
> renyi zsolt wrote:
>> I already tried that and it didn't work. I tried inserting rules before
>> shorewall's rules to ACCEPT every connection from 80.96.3.4 to which I try to
>> connect and I also tried SNAT-ing all traffic from the host I am connecting.
>> I have an older firewall (firehol, I decided to change it to shorewall) and on
>> that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With
>> shorewall no matter what I try the vpn gateway returns 2 fragmented udp
>> packets which are dropped somewhere.
>>
>> Here is a tcpdump output on my external interface:
>> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
>> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
>
> They are dropped because they are the 2nd and 3rd fragments of 3. The first
> fragment (offset 0) is missing?

One thing you might try -- rename the ipt_policy.so file in the iptables lib
directory (usually in /lib/iptables/) and restart Shorewall. There are known
problems with policy match and bridges but I hadn't heard of any of those
problems relating to fragments.

-Tom
Thanks Tom, I will try that asap. And I will inform you about the results.

--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> renyi zsolt wrote:
>>> I already tried that and it didn't work. I tried inserting rules before
>>> shorewall's rules to ACCEPT every connection from 80.96.3.4 to which I try to
>>> connect and I also tried SNAT-ing all traffic from the host I am connecting.
>>> I have an older firewall (firehol, I decided to change it to shorewall) and on
>>> that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With
>>> shorewall no matter what I try the vpn gateway returns 2 fragmented udp
>>> packets which are dropped somewhere.
>>>
>>> Here is a tcpdump output on my external interface:
>>> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
>>> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
>>
>> They are dropped because they are the 2nd and 3rd fragments of 3. The first
>> fragment (offset 0) is missing?
>
> One thing you might try -- rename the ipt_policy.so file in the iptables lib
> directory (usually in /lib/iptables/) and restart Shorewall. There are known
> problems with policy match and bridges but I hadn't heard of any of those
> problems relating to fragments.
>
> -Tom
Well, it didn't help. Here is the whole tcpdump output from my external and my
internal interface. Maybe you discover something I couldn't.

External interface:

tcpdump -v -i eth0 host 80.96.3.4
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:29:50.354575 IP (tos 0x0, ttl 126, id 44760, offset 0, flags [none], proto: UDP (17), length: 344) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|sa]
08:29:50.364725 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 160) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]
08:29:50.443652 IP (tos 0x0, ttl 126, id 44771, offset 0, flags [none], proto: UDP (17), length: 288) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|ke]
08:29:50.451718 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 250) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|ke]
08:29:50.535236 IP (tos 0x0, ttl 126, id 44778, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:50.556943 IP (tos 0x20, ttl 58, id 37379, offset 0, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 3132/ip 1472)
08:29:50.557068 IP (tos 0x20, ttl 58, id 37379, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:50.557094 IP (tos 0x20, ttl 58, id 37379, offset 2960, flags [DF], proto: UDP (17), length: 200) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:50.664277 IP (tos 0x20, ttl 58, id 37380, offset 0, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 3132/ip 1472)
08:29:50.664388 IP (tos 0x20, ttl 58, id 37380, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:50.664415 IP (tos 0x20, ttl 58, id 37380, offset 2960, flags [DF], proto: UDP (17), length: 200) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:50.764692 IP (tos 0x20, ttl 58, id 37381, offset 0, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 3132/ip 1472)
08:29:50.764817 IP (tos 0x20, ttl 58, id 37381, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:50.764841 IP (tos 0x20, ttl 58, id 37381, offset 2960, flags [DF], proto: UDP (17), length: 200) 80-96-3-4.customs.ro > vitacom.ro: udp
08:29:52.548199 IP (tos 0x0, ttl 126, id 44783, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:54.561470 IP (tos 0x0, ttl 126, id 44792, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:56.573707 IP (tos 0x0, ttl 126, id 44797, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:58.586943 IP (tos 0x0, ttl 126, id 44806, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:00.600155 IP (tos 0x0, ttl 126, id 44811, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:02.610479 IP (tos 0x0, ttl 126, id 44816, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:06.628764 IP (tos 0x0, ttl 126, id 44823, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:10.645383 IP (tos 0x0, ttl 126, id 44836, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:14.659680 IP (tos 0x0, ttl 126, id 44843, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:18.673115 IP (tos 0x0, ttl 126, id 44856, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:22.690527 IP (tos 0x0, ttl 126, id 44864, offset 0, flags [none], proto: UDP (17), length: 1352) vitacom.ro.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
25 packets captured
62 packets received by filter
0 packets dropped by kernel

Internal interface:

tcpdump -v -i eth2 host 80.96.3.4
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
08:29:50.354588 IP (tos 0x0, ttl 127, id 44760, offset 0, flags [none], proto: UDP (17), length: 344) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|sa]
08:29:50.364833 IP (tos 0x20, ttl 57, id 0, offset 0, flags [DF], proto: UDP (17), length: 160) 80-96-3-4.customs.ro.isakmp > 192.168.61.107.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]
08:29:50.443578 IP (tos 0x0, ttl 127, id 44771, offset 0, flags [none], proto: UDP (17), length: 288) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|ke]
08:29:50.451809 IP (tos 0x20, ttl 57, id 0, offset 0, flags [DF], proto: UDP (17), length: 250) 80-96-3-4.customs.ro.isakmp > 192.168.61.107.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|ke]
08:29:50.535177 IP (tos 0x0, ttl 127, id 44778, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:52.548096 IP (tos 0x0, ttl 127, id 44783, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:54.561393 IP (tos 0x0, ttl 127, id 44792, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:56.573638 IP (tos 0x0, ttl 127, id 44797, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:29:58.586872 IP (tos 0x0, ttl 127, id 44806, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:00.600075 IP (tos 0x0, ttl 127, id 44811, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:02.610288 IP (tos 0x0, ttl 127, id 44816, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:06.628680 IP (tos 0x0, ttl 127, id 44823, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:10.645310 IP (tos 0x0, ttl 127, id 44836, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:14.659608 IP (tos 0x0, ttl 127, id 44843, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:18.673040 IP (tos 0x0, ttl 127, id 44856, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
08:30:22.690456 IP (tos 0x0, ttl 127, id 44864, offset 0, flags [none], proto: UDP (17), length: 1352) 192.168.61.107.isakmp > 80-96-3-4.customs.ro.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
16 packets captured
37 packets received by filter
0 packets dropped by kernel

Thanks
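To compare captures like the two above mechanically, here is an added example (not code from the thread or from Shorewall): a small Python parser for tcpdump -v lines that groups fragments by IP id, checks whether each datagram's fragments are contiguous and complete, and lists fragmented datagrams seen outside but never inside. It assumes IP headers without options (20 bytes) and that the capture covers a single peer, as in the thread; the sample lines are copied from the captures posted above.

```python
"""Added example (not from the thread): check whether the fragments in a
``tcpdump -v`` capture add up to complete datagrams.  Assumes the tcpdump
format quoted in the thread (offset in bytes, length = total IP length)."""
import re
from collections import defaultdict

IP_HDR = 20  # assumption: no IP options
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos 0x[0-9a-fA-F]+, ttl \d+, id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: \w+ \((?P<proto>\d+)\), length: (?P<length>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

def parse_line(line):
    """Return the IP header fields of one tcpdump -v line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = [f.strip() for f in m["flags"].split(",")]
    return {
        "id": int(m["id"]), "proto": int(m["proto"]),
        "offset": int(m["offset"]),
        "payload": int(m["length"]) - IP_HDR,
        "mf": "+" in flags,  # tcpdump prints "+" for the More Fragments bit
        "src": m["src"], "dst": m["dst"],
    }

def check_fragments(lines):
    """Group fragments by (IP id, protocol); report per datagram
    (status, fragments seen, contiguous bytes).  Keying on id alone is fine
    for a single-peer capture; tcpdump appends the port to the hostname on
    the first fragment only, so src/dst cannot be compared textually."""
    groups = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None or (p["offset"] == 0 and not p["mf"]):
            continue  # unparsable, or an unfragmented datagram
        groups[(p["id"], p["proto"])].append(p)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        status, expected = "complete", 0
        for f in frags:
            if f["offset"] != expected:
                status = "missing first fragment" if expected == 0 else "gap"
                break
            expected = f["offset"] + f["payload"]
        if status == "complete" and frags[-1]["mf"]:
            status = "missing last fragment"
        report[key] = (status, len(frags), expected)
    return report

def not_forwarded(outside, inside):
    """Fragmented datagrams seen on the outside capture but absent from the
    inside one: the symptom reported in this thread."""
    return sorted(set(check_fragments(outside)) - set(check_fragments(inside)))

# Sample lines copied from the captures posted in the thread.
EXTERNAL = [
    "08:29:50.364725 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto: UDP (17), length: 160) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]",
    "08:29:50.556943 IP (tos 0x20, ttl 58, id 37379, offset 0, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro.isakmp > vitacom.ro.isakmp: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 3132/ip 1472)",
    "08:29:50.557068 IP (tos 0x20, ttl 58, id 37379, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) 80-96-3-4.customs.ro > vitacom.ro: udp",
    "08:29:50.557094 IP (tos 0x20, ttl 58, id 37379, offset 2960, flags [DF], proto: UDP (17), length: 200) 80-96-3-4.customs.ro > vitacom.ro: udp",
]
INTERNAL = [
    "08:29:50.364833 IP (tos 0x20, ttl 57, id 0, offset 0, flags [DF], proto: UDP (17), length: 160) 80-96-3-4.customs.ro.isakmp > 192.168.61.107.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]",
]
# The earlier post's capture, where only fragments 2 and 3 were seen.
PARTIAL = [
    "17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp",
    "17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx: udp",
]
```

Running `check_fragments` over the full external capture above reports ids 37379, 37380 and 37381 as complete 3140-byte datagrams, while `not_forwarded(EXTERNAL, INTERNAL)` names exactly those ids as never reaching eth2.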
renyi zsolt wrote:
> Well, it didn't help. Here is the whole tcpdump output from my external and
> my internal interface. Maybe you discover something I couldn't.

I don't see anything. Please:

a) shorewall clear
b) Install your manual rules
c) Make sure that you can connect to your VPN server.
d) Capture the output of "shorewall dump"

Forward the output of "shorewall dump".

-Tom
Finally I got it working. I reinstalled the whole thing, configured shorewall
and tried to make the connection. It worked!!! Then I continued to configure my
server and after adding some tcrules and tcclasses the same thing happened. Does
ip_mark have some problem with fragmented packets? Anyway, if anybody will have
this problem try without traffic shaping.

--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> renyi zsolt wrote:
>>> I already tried that and it didn't work. I tried inserting rules before
>>> shorewall's rules to ACCEPT every connection from 80.96.3.4 to which I try to
>>> connect and I also tried SNAT-ing all traffic from the host I am connecting.
>>> I have an older firewall (firehol, I decided to change it to shorewall) and on
>>> that only udp dpt:2746 and udp:500 are nat-ed and it works on that. With
>>> shorewall no matter what I try the vpn gateway returns 2 fragmented udp
>>> packets which are dropped somewhere.
>>>
>>> Here is a tcpdump output on my external interface:
>>> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
>>> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
>>
>> They are dropped because they are the 2nd and 3rd fragments of 3. The first
>> fragment (offset 0) is missing?
>
> One thing you might try -- rename the ipt_policy.so file in the iptables lib
> directory (usually in /lib/iptables/) and restart Shorewall. There are known
> problems with policy match and bridges but I hadn't heard of any of those
> problems relating to fragments.
>
> -Tom
renyi zsolt wrote:
> Finally I got it working. I reinstalled the whole thing, configured shorewall
> and tried to make the connection. It worked!!! Then I continued to configure
> my server and after adding some tcrules and tcclasses the same thing
> happened. Does ip_mark have some problem with fragmented packets? Anyway, if
> anybody will have this problem try without traffic shaping.

Is your kernel fully patched? IIRC, there was a problem with fragments and
bridges at one point (don't recall which kernel version).

-Tom
I tried with 4 kernels, 2.6.9.???, 2.6.15.?? don't remember exactly which
subversions. I didn't patch them myself, I only installed the fedora rpm's.

--- Tom Eastep <teastep@shorewall.net> wrote:
> renyi zsolt wrote:
>> Finally I got it working. I reinstalled the whole thing, configured shorewall
>> and tried to make the connection. It worked!!! Then I continued to configure
>> my server and after adding some tcrules and tcclasses the same thing
>> happened. Does ip_mark have some problem with fragmented packets? Anyway, if
>> anybody will have this problem try without traffic shaping.
>
> Is your kernel fully patched? IIRC, there was a problem with fragments and
> bridges at one point (don't recall which kernel version).
>
> -Tom