This is Take-2: I don't think my original message was received, considering it hasn't shown up on the SourceForge web interface and no copy was mailed to me. Ignore it if it's a duplicate.

Hi,

I have a few questions about the inner workings of netfilter (a graphical layout of my network setup @ https://aequorin.homeunix.net:62389/local/media/network-graph.png).

1) These are the syslog entries for some simple connection tests. Shorewall/netfilter has been set to record all stateful connections.

SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN is set. Why is this? Why is SSH not lan(br0) -> $FW? You mentioned that unless the physdev flag is set, shorewall only cares about lan(br0) <-> $FW. Why does PHYSIN get set for SSH?

ping(server->lan)
Sep 14 23:42:45 veridian kernel: [618269.196281] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165

ssh
Sep 14 23:45:15 veridian kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF PROTO=TCP SPT=45664 DPT=48232 WINDOW=8192 RES=0x00 SYN URGP=0

openvpn (3 types)
Sep 14 23:46:54 veridian kernel: [618517.248260] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33 PROTO=UDP SPT=137 DPT=137 LEN=76
Sep 14 23:46:53 veridian kernel: [618516.835299] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165
Sep 14 23:46:59 veridian kernel: [618522.262747] Shorewall:phys2vpn:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.1.1 DST=239.255.255.250 LEN=429 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=409

ping(vpn client->server)
Sep 14 23:50:50 veridian kernel: [618753.216549] Shorewall:lan2fw:REJECT:IN=br0 OUT= PHYSIN=tap0 MAC=00:01:29:f5:f0:26:00:ff:09:52:47:a0:08:00 SRC=192.168.1.225 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3

ping(vpn server->client)
Sep 14 23:52:34 veridian kernel: [618857.273217] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165

ping(vpn client->lan)
Sep 14 23:55:39 veridian kernel: [619041.782974] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6

2) How do the PHYSIN/PHYSOUT 'flags' get set? What criteria have to be met? Does the bridge interface set these flags?

3) Is the following a correct generalization of traffic passing through netfilter:

(normal, no vpn)
incoming: phys(eth0) -> $FW
outgoing: $FW -> lan(br0)

(vpn)
outgoing: phys(eth0) -> vpn(tap0) ---then--- $FW -> lan(br0)
incoming: vpn(tap0) -> phys(eth0) ---or----- lan(br0) -> $FW

So outgoing vpn traffic has to pass through netfilter twice, first phys(eth0) -> vpn(tap0), then $FW -> lan(br0), while incoming vpn traffic passes through netfilter once, but goes one of two possible 'routes' depending on the destination ((vpn client -> lan) vs (vpn client -> vpn server)).

4) The shorewall docs mention that the lan(br0) zone exists b/c it is not possible to do $FW->vpn(tap0) or $FW->phys(eth0). Is this because netfilter in kernels >=2.6.20 cannot recognize $FW->vpn(tap0) or $FW->phys(eth0)? ... because I haven't seen any traffic that would match $FW->vpn(tap0) or $FW->phys(eth0).
much appreciated,
orbisvicis
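As an added example (not part of the original post and not Shorewall's own code), the script below parses the kernel LOG lines quoted above into their fields, splits the Shorewall chain name into its source and destination zone, and reports for each packet whether netfilter logged it with bridge-port information (PHYSIN/PHYSOUT) or only with the logical device (IN/OUT). The sample lines are copied from the post, except the final net2fw line, which is constructed here to exercise the no-bridge case; the zone split on "2" assumes the <src>2<dst> chain naming visible in the logs, and the kind labels (local-out, bridged, bridge-to-host, routed) are this example's own, not Shorewall terms.

```python
"""Parse Shorewall/netfilter kernel LOG lines and report how each packet was seen.

Added example for the thread above; not code from the original post or from Shorewall.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# e.g. "Sep 14 23:45:15 veridian kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= ..."
_HEAD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[ *(?P<uptime>\d+\.\d+)\] Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)
_KV = re.compile(r"([A-Z]+)=(\S*)")  # value may be empty, e.g. "OUT=" or "MAC="


@dataclass
class LogEntry:
    ts: str
    host: str
    uptime: float
    chain: str          # Shorewall rule chain, e.g. "phys2fw"
    disposition: str    # ACCEPT / REJECT / DROP
    fields: dict = field(default_factory=dict)  # KEY=value tokens, in log order
    flags: set = field(default_factory=set)     # bare tokens such as DF, SYN


def parse_line(line: str) -> LogEntry:
    m = _HEAD.match(line.strip())
    if m is None:
        raise ValueError("not a Shorewall LOG line: %r" % line)
    entry = LogEntry(m["ts"], m["host"], float(m["uptime"]), m["chain"], m["disp"])
    for tok in m["rest"].split():
        kv = _KV.fullmatch(tok)
        if kv is None:
            entry.flags.add(tok)
            continue
        key, val = kv.groups()
        # LEN and ID each appear twice (IP header, then UDP/ICMP header): keep both as LEN, LEN2 ...
        base, n = key, 1
        while key in entry.fields:
            n += 1
            key = "%s%d" % (base, n)
        entry.fields[key] = val
    return entry


def zones(entry: LogEntry):
    """Split a <src>2<dst> chain name into (src, dst); unknown shapes come back as (chain, '')."""
    src, sep, dst = entry.chain.partition("2")
    return (src, dst) if sep else (entry.chain, "")


def ingress_port(entry: LogEntry):
    """Port the packet really arrived on: the bridge port (PHYSIN) if netfilter saw one, else IN."""
    return entry.fields.get("PHYSIN") or entry.fields.get("IN") or None


def egress_port(entry: LogEntry):
    """Port the packet really leaves by: PHYSOUT if present, else OUT."""
    return entry.fields.get("PHYSOUT") or entry.fields.get("OUT") or None


def packet_kind(entry: LogEntry) -> str:
    f = entry.fields
    if not f.get("IN"):
        return "local-out"        # generated by the firewall host itself; no bridge-port info logged
    if f.get("PHYSIN") and f.get("PHYSOUT"):
        return "bridged"          # forwarded from one bridge port to another
    if f.get("PHYSIN"):
        return "bridge-to-host"   # arrived on a bridge port, delivered to the firewall host
    return "routed"               # ordinary interface, no bridge involved


def traversal(entry: LogEntry) -> str:
    src, dst = zones(entry)
    return "%s -> %s: in=%s out=%s" % (src, dst, ingress_port(entry) or "-", egress_port(entry) or "-")


def tally(lines):
    """Count (chain, kind) pairs over a batch of log lines."""
    return Counter((e.chain, packet_kind(e)) for e in map(parse_line, lines))


# Lines 0-5 are copied from the post; line 6 is CONSTRUCTED for this example (no bridge on ppp0).
SAMPLE_LINES = [
    "Sep 14 23:42:45 veridian kernel: [618269.196281] Shorewall:fw2lan:ACCEPT:IN= OUT=br0 SRC=192.168.1.6 DST=192.168.1.255 LEN=185 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=165",
    "Sep 14 23:45:15 veridian kernel: [618418.797081] Shorewall:phys2fw:ACCEPT:IN=br0 OUT= PHYSIN=eth0 MAC=00:01:29:f5:f0:26:00:18:01:5b:a8:72:08:00 SRC=207.172.176.168 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=253 ID=32555 DF PROTO=TCP SPT=45664 DPT=48232 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Sep 14 23:46:54 veridian kernel: [618517.248260] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Sep 14 23:46:59 veridian kernel: [618522.262747] Shorewall:phys2vpn:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap0 SRC=192.168.1.1 DST=239.255.255.250 LEN=429 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=409",
    "Sep 14 23:55:39 veridian kernel: [619041.782974] Shorewall:vpn2phys:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.225 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6",
    "Sep 14 23:50:50 veridian kernel: [618753.216549] Shorewall:lan2fw:REJECT:IN=br0 OUT= PHYSIN=tap0 MAC=00:01:29:f5:f0:26:00:ff:09:52:47:a0:08:00 SRC=192.168.1.225 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=101 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3",
    "Sep 14 23:58:01 veridian kernel: [619183.000000] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54321 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_line(raw)
        print("%-8s %-15s %s  proto=%s %s->%s" % (e.disposition, packet_kind(e), traversal(e),
                                                  e.fields.get("PROTO"), e.fields.get("SRC"), e.fields.get("DST")))
    print(tally(SAMPLE_LINES))
```

Run it as-is and the ssh line comes out as "phys -> fw: in=eth0 out=-": IN names the bridge (br0) but PHYSIN names the port (eth0), which is exactly the distinction question 1 turns on. The fw2lan lines carry no PHYSOUT at all, so for locally generated traffic the parser can only name the bridge, not a port.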