Hello All! :)

Thanks to anyone who could help me with this one. First, I do not see any error, or any trouble with the default log level.

I want to log in to my corporate network through a Contivity VPN. My firewall is now my Debian server (since yesterday); before, I was using a small D-Link box that was doing wireless and routing, and my corporate laptop was connecting through Contivity VPN (from Nortel) and it was working flawlessly. So now the schema is:

Internet --> Debian Box + shorewall ---> Switch --> Laptop

Pretty simple, to be honest, and it's a D-Link switch that is relatively a no-brainer ;) Everything is working except my Nortel PC Client, which I use with my IP phone.

To gather the most logs I could, I put debug in every setting, and this is what I see when I use the IP phone:

Oct 1 07:54:16 ZoneDry kernel: Shorewall:nat:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct 1 07:54:16 ZoneDry kernel: Shorewall:filter:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct 1 07:54:16 ZoneDry kernel: Shorewall:mangle:POSTROUTING:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct 1 07:54:16 ZoneDry kernel: Shorewall:nat:POSTROUTING:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0

I think that this is not showing anything, but the message on the PC Client is: "The proxy is not responding. If a VPN client is needed to access the proxy, please start it right now." But I'm connected to the corporate network right now.

I'm also pretty sure that I already resolved that issue in the past, but I don't remember how and where the settings were.

If you need more settings/conf files on my side, just ask me. I use simply ppp0 10.87.76.0/24 for my NAT, nothing else special.

Michel

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
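A log dump like the one above is easier to reason about once the netfilter fields are parsed and the per-chain debug noise is collapsed to one entry per packet; Tom's later observation about rejected UDP traffic to port 13552 is exactly the kind of thing that falls out. This is an added example, not code from the thread or from Shorewall; the log lines inside it are constructed to match the format quoted above (the REJECT line, its source address and the net2fw chain name are invented for illustration).

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Shorewall debug log quoted in
# the thread (not a capture from the poster's box). The last line mimics a
# rule-generated REJECT entry: zone chain and disposition in the log prefix.
SAMPLE_LOG = """\
Oct 1 07:54:16 ZoneDry kernel: Shorewall:nat:OUTPUT:IN= OUT=ppp0 SRC=67.71.188.26 DST=66.249.83.19 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5141 DF PROTO=TCP SPT=52336 DPT=80 WINDOW=5488 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8000 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:54:34 ZoneDry kernel: Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=219.148.119.2 DST=67.71.188.26 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 1 07:55:02 ZoneDry kernel: Shorewall:net2fw:REJECT:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=67.71.188.26 LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=77 PROTO=UDP SPT=5060 DPT=13552 LEN=28
"""

# Prefix is "Shorewall:<a>:<b>:". With per-chain debug logging <a>:<b> is
# table:chain (e.g. nat:OUTPUT); for a logged rule it is zone-chain:disposition.
PREFIX_RE = re.compile(r"Shorewall:(?P<a>[^:]+):(?P<b>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; bare flags (DF, SYN) are skipped

def parse_line(line):
    """Return the netfilter fields of one log line as a dict, or None if not a Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("a"), "action": m.group("b")}
    rec.update(FIELD_RE.findall(m.group("rest")))   # a second LEN= (UDP) overrides the IP LEN=
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def is_decision(rec):
    """The filter table (or an explicit DROP/REJECT) decides a packet's fate; the
    mangle/nat entries for the same packet are traversal noise at debug level."""
    return rec["chain"] == "filter" or rec["action"] in ("DROP", "REJECT")

def inbound_summary(records, iface):
    """Count (src, proto, dport) for packets arriving on iface, once per packet."""
    return Counter((r["SRC"], r["PROTO"], r["DPT"])
                   for r in records if r.get("IN") == iface and is_decision(r))

def rejected(records):
    """(src, proto, dport) of every packet an explicit rule dropped or rejected."""
    return [(r["SRC"], r["PROTO"], r["DPT"])
            for r in records if r["action"] in ("DROP", "REJECT")]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(inbound_summary(recs, "ppp0").items()):
        print("%-16s %-4s dport %-6s x%d" % (key + (n,)))
    print("rejected:", rejected(recs))
```

Feed it the real dump (`parse_log(open("/var/log/messages").read())`) and the inbound summary on ppp0 shows which destination ports the outside world is reaching for, while `rejected()` lists what the rules actually refused.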
On Mon, Oct 01, 2007 at 07:56:58AM -0400, Michel Di Croci wrote:
>
> If you need more settings/conf files on my side, just ask me. I use
> simply ppp0 10.87.76.0/24 for my NAT, nothing else special.
>
http://www.shorewall.net/support.htm#Guidelines

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Thanks Roberto.. I just remarked that I've written in French ;)

So... here's the info, since it's a connection issue (into a VPN connection).

The only issue in the connection is that I'm unable to start my PC Client (which is the Nortel SIP Phone client).

Here's my dump, hope it's not too big for you :.)

Michel

2007/10/1, Roberto C. Sánchez <roberto@connexer.com>:
>
> On Mon, Oct 01, 2007 at 07:56:58AM -0400, Michel Di Croci wrote:
> >
> > If you need more settings/conf files on my side, just ask me. I use
> > simply ppp0 10.87.76.0/24 for my NAT, nothing else special.
> >
> http://www.shorewall.net/support.htm#Guidelines
>
> Regards,
>
> -Roberto
Michel Di Croci wrote:
> Thanks Roberto.. I just remarked that I've written in French ;)
>
> So... here's the info, since it's a connection issue (into a vpn connection)
>
> The only issue in the connection is that I'm unable to start my PC
> Client (which is the Nortel SIP Phone client)
>
> Here's my dump, hope it's not too big for you :.)

I can make only limited sense of this report. From the subject and the parenthetical phrase above, you claim that it is some sort of problem with a VPN connection. Yet the VPN client appears to be running on a laptop behind the firewall, and your real problem seems to be with VOIP from "my PC" (which I guess is the laptop where the VPN client also runs?). You suggest that the VOIP should be going over the VPN, but if so, what possible effect could the Shorewall box have?

Although I don't understand the problem well, one feature of the dump that I will note is that you seem to be rejecting UDP packets coming in on ppp0 with destination port 13552. That might have something to do with the problem.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom, you're really good and my English is not perfect :)

So the issue is: I'm using a SIP client to connect to a SIP server to allow me to work with my phone # when I work from home.

I don't know what the shorewall box is doing, but I know that before I was using the shorewall box, I was using a small D-Link router which allowed me, without difficulties, to access my corporate network.

I have accepted all connections from local to the net and denied everything from the net to the local box. I think that this is normal security.

Michel

PS: Thanks, and I will try to go from there.

2007/10/2, Tom Eastep <teastep@shorewall.net>:
> Although I don't understand the problem well, one feature of the dump that
> I will note is that you seem to be rejecting UDP packets coming in on ppp0
> with destination port 13552. That might have something to do with the
> problem.
>
> -Tom
I just noticed that the log about port 13552 dates from two days ago, and as I am writing right now I'm trying to connect. So the 13552 issue might not be related and seems to be resolved.

Michel

2007/10/2, Tom Eastep <teastep@shorewall.net>:
> Although I don't understand the problem well, one feature of the dump that
> I will note is that you seem to be rejecting UDP packets coming in on ppp0
> with destination port 13552. That might have something to do with the
> problem.
>
> -Tom
Michel Di Croci wrote:
> So the issue is:
>
> I'm using a SIP client to connect to a SIP server to allow me
> working with my phone # when I work from home.
>
> I don't know what the shorewall box is doing but I know that before
> I was using the shorewall box, I was using a small dlink router
> which allow me without difficulties to access my corporate network

Just a thought, do you have the SIP helper module installed? IIRC, later kernels have a SIP module which I think will probably mangle SIP packets. If your SIP client is doing something like STUN, then having the packets mangled by the gateway will break it.

I've not done SIP through such a system, but I do know that SIP works very nicely through a Linux based router without a SIP helper module loaded. IIRC it does full cone NAT and doesn't mangle port numbers if avoidable - hence STUN works very well with it.

I normally diagnose this problem by looking at the incoming SIP packets at the PBX (with Wireshark). The usual symptom of this, and also of horrible routers like Zyxels that do symmetric NAT, is that the source port in the SIP message doesn't match the source port of the packet. The giveaway in the first place is that you see register packets from the device, your PBX responds, then you see the same register packet after another 20s (or whatever the client is set to) - the client keeps trying to register, but the replies don't make it back.

Stabbing wildly around in the dark, if this is the case then try one of the following:

1) disable the SIP helper module
2) disable STUN (or whatever discovery protocol it uses) on the client - that would make it use the 'wrong' internal address which will get 'fixed' by the SIP helper.
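Simon's Wireshark check, as an added example that is not code from the thread: a small Python diagnostic over a constructed PBX-side capture that flags a REGISTER whose Via host and port disagree with the packet's real source address and port, and spots a client that keeps re-registering at its retry interval even though the PBX answered every attempt. The addresses, Call-ID and 20 s interval are constructed, and the rport check (RFC 3581) is my addition, not something Simon mentions.

```python
# Constructed PBX-side capture modelled on the symptom above: a client behind
# NAT re-sends REGISTER (same Call-ID) every 20 s although the PBX answers each
# one, because the reply goes to the Via port, not to the NAT's mapped port.
PBX, CLIENT_NAT = "203.0.113.10", "198.51.100.7"   # constructed addresses

def _reg(ts, cseq):  # REGISTER as the PBX sees it: source port rewritten by the NAT
    return {"ts": ts, "src": CLIENT_NAT, "sport": 33874, "payload":
            "REGISTER sip:pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 10.87.76.5:5060;branch=z9hG4bK%d\r\n"
            "Call-ID: abc123@10.87.76.5\r\nCSeq: %d REGISTER\r\n\r\n" % (cseq, cseq)}

def _ok(ts):  # PBX reply addressed to the Via port 5060, which the NAT never mapped
    return {"ts": ts, "src": PBX, "sport": 5060, "payload": "SIP/2.0 200 OK\r\n"
            "Via: SIP/2.0/UDP 10.87.76.5:5060\r\nCall-ID: abc123@10.87.76.5\r\n\r\n"}

CAPTURE = [_reg(0, 1), _ok(0.01), _reg(20, 2), _ok(20.01), _reg(40, 3), _ok(40.01)]

def parse_sip(payload):
    """Request/status line plus a lower-cased header dict (enough for Via and Call-ID)."""
    head = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head[1:])}
    return head[0], headers

def via_sent_by(headers):
    """(host, port, rport_present) from the top Via; the UDP port defaults to 5060."""
    params = headers["via"].split(" ", 1)[1].split(";")
    host, _, port = params[0].partition(":")
    return host, int(port or 5060), any(p.split("=")[0] == "rport" for p in params[1:])

def check_register(pkt):
    """Findings for one REGISTER: does its Via agree with the packet's real source?"""
    first, headers = parse_sip(pkt["payload"])
    if not first.startswith("REGISTER"):
        return []
    host, port, rport = via_sent_by(headers)
    findings = []
    if host != pkt["src"]:
        findings.append("via host %s != packet src %s" % (host, pkt["src"]))
    if port != pkt["sport"]:
        findings.append("via port %d != packet sport %d%s"
                        % (port, pkt["sport"], " (rport set; server can correct)" if rport else ""))
    return findings

def registration_loops(packets, retry_s=20.0):
    """Call-IDs that keep re-REGISTERing at the retry interval although the PBX replied."""
    seen, answered = {}, set()
    for p in packets:
        first, h = parse_sip(p["payload"])
        cid = h.get("call-id")
        if first.startswith("REGISTER"):
            seen.setdefault(cid, []).append(p["ts"])
        elif first.startswith("SIP/2.0 ") and cid in seen:
            answered.add(cid)
    return sorted(cid for cid, ts in seen.items() if cid in answered and len(ts) >= 3
                  and all(0.5 * retry_s <= b - a <= 1.5 * retry_s for a, b in zip(ts, ts[1:])))
```

Run `check_register()` over each REGISTER of a real capture and `registration_loops()` over the whole trace: a private Via host plus a port that differs from the packet's source port, combined with a looping Call-ID, is the signature Simon describes.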
2007/10/3, Simon Hobson <linux@thehobsons.co.uk>:
> Just a thought, do you have the SIP helper module installed ? IIRC,
> later kernels have a SIP module which I think will probably mangle
> SIP packets. If your SIP client is doing something like STUN then
> having the packets mangled by the gateway will break it.
>
> Stabbing wildly around in the dark, if this is the case then try one
> of the following :
>
> 1) disable the SIP helper module
> 2) disable STUN (or whatever discovery protocol it uses) on the
> client - that would make it use the 'wrong' internal address which
> will get 'fixed' by the SIP helper.

I updated the Nortel VPN client to version 6.2 (I was on 6.1) and everything is working fine right now. So you were right, the issue was not in shorewall, and I really doubt it was there :)

Michel

Thanks and have a nice day

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/