I have been working really hard configuring and researching very extensively, trying to figure out why we are getting "Shorewall:FORWARD:DROP" packets. IPSEC works just fine without the iptables rules created by our Shorewall configs, but when starting Shorewall and creating the iptables rules I noticed the packets are dropped. I know it is a config situation but I am totally racking my brain as to what config may be causing the issue.

Here are some details of what we have.

shorewall debug restart 2> /tmp/trace
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: inet pflan
   IPSEC Zones: baja bcvpn sdvpn
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   inet Zone: eth0:0.0.0.0/0
   pflan Zone: eth1:0.0.0.0/0
   baja Zone: ipsec+:192.168.90.0/24
   bcvpn Zone: ipsec+:192.168.0.0/24
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
   Compiling /usr/share/shorewall/action.Drop for Chain Drop...
   Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Restarting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Setting up Black List...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Tunnels...
Setting up Actions...
   Creating action chain Drop
   Creating action chain Reject
   Creating action chain dropBcast
   Creating action chain dropInvalid
   Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
done.

see attached file for /sbin/shorewall dump > /tmp/status.txt

I really do hope I can receive some extra help with this.

If there is anything else I can submit to help troubleshoot with me, please let me know.

-Adam
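A small triage helper for exactly this situation, added here as an example and not part of the thread: it parses Shorewall:FORWARD:DROP kernel log lines and maps SRC/DST back to the zones listed under "Determining Hosts in Zones..." above, so the dropped traffic can be read as a zone pair (which is what a backwards zone definition shows up as). The sample log line is constructed, and the "longest prefix wins, then the packet's interface breaks ties" matching is an assumption of this script, not Shorewall's own zone-matching logic.

```python
import ipaddress
import re
from collections import Counter

# Zone membership as printed in the debug output above: (interface, network).
# "ipsec+" marks the IPSEC zones; eth0/eth1 carry the interface zones.
ZONES = {
    "inet":  ("eth0",   "0.0.0.0/0"),
    "pflan": ("eth1",   "0.0.0.0/0"),
    "baja":  ("ipsec+", "192.168.90.0/24"),
    "bcvpn": ("ipsec+", "192.168.0.0/24"),
}

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<fields>.*)")

# Constructed sample line (not taken from the thread).
SAMPLE_LOG = ("Mar 10 12:00:00 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 "
              "SRC=192.168.90.5 DST=192.168.0.10 LEN=60 TTL=63 ID=0 DF PROTO=TCP "
              "SPT=4321 DPT=445 SYN URGP=0")

def parse_log_line(line):
    """Return chain, disposition and the KEY=VALUE fields, or None if not Shorewall."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(re.findall(r"(\w+)=(\S*)", m.group("fields")))  # flags like DF/SYN are skipped
    return rec

def zone_for(addr, iface=None):
    """Most specific zone containing addr (assumption: longest prefix wins, so an
    IPSEC zone beats the 0.0.0.0/0 interface zones; equal prefixes prefer iface)."""
    ip = ipaddress.ip_address(addr)
    best, best_key = None, None
    for name, (zone_iface, net) in ZONES.items():
        network = ipaddress.ip_network(net)
        if ip in network:
            key = (network.prefixlen, zone_iface == iface)
            if best_key is None or key > best_key:
                best, best_key = name, key
    return best

def classify_drop(line):
    """(src_zone, dst_zone, proto, dport) for a DROP line, else None."""
    rec = parse_log_line(line)
    if rec is None or rec["disposition"] != "DROP":
        return None
    return (zone_for(rec["SRC"], rec.get("IN")), zone_for(rec["DST"], rec.get("OUT")),
            rec.get("PROTO"), rec.get("DPT"))

def summarize(lines):
    """Count drops per (src_zone, dst_zone) pair: the pair with the most hits points
    at the policy or zone definition to re-check."""
    return Counter(c[:2] for c in map(classify_drop, lines) if c)
```

Feed it the Shorewall lines from the kernel log (for example `grep Shorewall /var/log/messages`) and compare the top zone pair against the policy file; a pair that should be ACCEPT but keeps showing up as DROP is the misdefined zone.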
Shortly after posting to the mailing list I revisited a few web pages and checked my configurations, and found I had the vpn zone backwards; that was why the firewall kept dropping the packets. I knew it was something simple and it is now working perfectly, with both sides of the vpn working great.

-Adam

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users