Dear all,

I am running a quite non-standard set-up, where I need to have multiple zones on one of the bridge ports.
Simplified view of my network is:

    NAS/shorewall
    lan(bridge) -- eth0 --> lan/router (192.168.0.1) --> internet (DSL)
    192.168.0.5   \ tap0 --> vpn

I currently have the following config files:

### interfaces ###

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     lan         detect      bridge,dhcp,nosmurfs,tcpflags
vpn     lan:tap0    detect

### hosts ###

#ZONE   HOST(S)               OPTIONS
lan     lan:192.168.0.0/24

### zones ###

#ZONE     TYPE       OPTIONS   IN        OUT
#                              OPTIONS   OPTIONS
fw        firewall
net       ipv4
lan:net   ipv4
vpn:net   bport

### policy ###

#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
$FW       all    ACCEPT
lan       $FW    ACCEPT
lan       vpn    ACCEPT
lan       net    ACCEPT
vpn       $FW    ACCEPT
vpn       lan    ACCEPT
vpn       net    ACCEPT
all       all    REJECT   info

### tunnels ###

#TYPE           ZONE   GATEWAY     GATEWAY
#                                  ZONE
openvpnserver   net    0.0.0.0/0

While this setup works (kind of), I am unable to filter traffic between lan and vpn/net zones separately (extract from rules created by shorewall below):

-A INPUT -i lan -j lan_in
-A FORWARD -i lan -j lan_fwd
-A OUTPUT -o lan -j lan_out

-A lan_frwd -o lan -j lan2net
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_fwd -p udp --dport 67:68 -o lan -j ACCEPT
-A lan_fwd -p tcp -j tcpflags
-A lan_fwd -s 192.168.0.0/24 -j lan_frwd
-A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
-A lan_fwd -j net_frwd
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -s 192.168.0.0/24 -j lan2fw
-A lan_in -m physdev --physdev-in tap0 -j vpn2fw
-A lan_in -j net2fw
-A lan_out -p udp --dport 67:68 -j ACCEPT
-A lan_out -d 192.168.0.0/24 -j fw2lan
-A lan_out -j fw2net

In the lan_frwd chain there are no --physdev-out nor -d entries to divide forwarded traffic between lan2vpn and lan2net. Similarly, lan_out just specifies fw2net, without taking into account fw2lan or fw2vpn.

Anything I am doing wrong? (And yes, I know it's generally a bad idea to have lan and net on the same iface, but in my network setup I have no choice, and my tiny server has only one eth port.)

Best regards,

Radek

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Just a small clarification: my box acts as a one-armed router with a bridge between ethernet (connected to LAN and WAN) and vpn. If you need the complete shorewall dump, just let me know (some more VPNs and a secondary wlan0 WAN link out there).

As an option I am considering to set up any filtering I would need in rules for lan2net, but that's kind of a hack. I'd much rather have the shorewall infrastructure set up correctly.

Cheers

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

On 20 Dec 2012, at 12:30, Radoslaw Kamil Ejsmont <radoslaw@ejsmont.net> wrote:

> Dear all,
>
> I am running a quite non-standard set-up, where I need to have multiple zones on one of the bridge ports.
> [...]
On 12/20/2012 03:30 AM, Radoslaw Kamil Ejsmont wrote:

> Anything I am doing wrong? (And yes, I know it's generally a bad idea
> to have lan and net on the same iface, but in my network setup I have
> no choice, and my tiny server has only one eth port.)

What you are doing wrong, of course, is trying to run this silly setup.
But see http://www.shorewall.net/Multiple_Zones.html#OneArmed.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Dear Tom,

That setup does not take my bridge into account… And I do have a bridge between ethernet and VPN…

Cheers,

Radek

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

On 20 Dec 2012, at 16:54, Tom Eastep <teastep@shorewall.net> wrote:

> What you are doing wrong, of course, is trying to run this silly setup.
> But see http://www.shorewall.net/Multiple_Zones.html#OneArmed.
>
> -Tom
On 12/20/2012 08:03 AM, Radoslaw Kamil Ejsmont wrote:

> Dear Tom,
>
> That setup does not take my bridge into account… And I do have a bridge
> between ethernet and VPN…

But it *does* show you how to have your 'net' and 'lan' zones on the same interface, which is what you asked for.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
That I have figured out (see my configs) and it works. What does not work is control of packet flow from lan to vpn. See the config in my first post. And net/lan are configured there just like in the example you have provided.

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

On 20 Dec 2012, at 17:09, Tom Eastep <teastep@shorewall.net> wrote:

> But it *does* show you how to have your 'net' and 'lan' zones on the
> same interface, which is what you asked for.
>
> -Tom
On 12/20/2012 08:09 AM, Tom Eastep wrote:

> On 12/20/2012 08:03 AM, Radoslaw Kamil Ejsmont wrote:
>> Dear Tom,
>>
>> That setup does not take my bridge into account… And I do have a bridge
>> between ethernet and VPN…
>
> But it *does* show you how to have your 'net' and 'lan' zones on the
> same interface, which is what you asked for.

The key thing you are missing is that you are not using 'eth0' when defining 'net' and 'lan'.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tried that - eth0 is a bridge port. If I do, then policies between lan/net and vpn don't work - shorewall complains about vpn and lan/net not being on the same bridge device.

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

On 20 Dec 2012, at 17:16, Tom Eastep <teastep@shorewall.net> wrote:

> The key thing you are missing is that you are not using 'eth0' when
> defining 'net' and 'lan'.
>
> -Tom
On 12/20/2012 08:22 AM, Radoslaw Kamil Ejsmont wrote:

> Tried that - eth0 is a bridge port. If I do, then policies between
> lan/net and vpn don't work - shorewall complains about vpn and lan/net
> not being on the same bridge device.

zones:

fw          firewall
world       ipv4
net:world   bport
lan:net     bport
vpn:world   bport

interfaces:

FORMAT 2
world   br0        bridge
net     br0:eth0
vpn     br0:tap0

hosts:

lan     eth0:192.168.0.0/24

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks! This sets up traffic like I want it. The only thing left - tunnels complain about zone net:

# shorewall check -r /etc/shorewall.testing
Checking...
Processing /etc/shorewall.testing/params ...
Processing /etc/shorewall.testing/shorewall.conf...
Loading Modules...
Checking /etc/shorewall.testing/zones...
Checking /etc/shorewall.testing/interfaces...
Checking /etc/shorewall.testing/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall.testing/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall.testing/providers...
Checking /etc/shorewall.testing/tcrules...
Checking /etc/shorewall.testing/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall.testing/rules...
Checking /etc/shorewall.testing/tunnels...
   ERROR: Invalid tunnel ZONE (net) : /etc/shorewall.testing/tunnels (line 16)

If I replace it with world, it works fine, but tunnel rules (placed in world2fw) will never be processed:

-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -m conntrack --ctstate NEW,INVALID -j smurfs
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -p tcp -j tcpflags
-A lan_in -m physdev --physdev-in eth0 -j eth0_in
-A lan_in -m physdev --physdev-in vf-ssw-vpn -j vpn2fw
-A lan_in -j world2fw

-A eth0_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A eth0_in -s 192.168.0.0/24 -j lan2fw
-A eth0_in -j net2fw

-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
-A net2fw -p 6 --dport 636 -j ACCEPT -m comment --comment "LDAPS"
-A net2fw -p 17 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
-A net2fw -j Reject
-A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:REJECT:"
-A net2fw -g reject

-A world2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A world2fw -p udp --dport 2001 -s 85.214.209.171 -j ACCEPT
-A world2fw -p udp --dport 2002 -s 85.214.204.137 -j ACCEPT
-A world2fw -p udp --dport 1194 -j ACCEPT
-A world2fw -j Reject

I guess unless I specify policy net -> fw CONTINUE, right?

Thanks! You have helped me a lot!

-- 
Radoslaw Kamil Ejsmont, Ph.D.
http://radoslaw.ejsmont.net

On 20 Dec 2012, at 17:30, Tom Eastep <teastep@shorewall.net> wrote:

> [...]
>
> zones:
>
> fw          firewall
> world       ipv4
> net:world   bport
> lan:net     bport
> vpn:world   bport
>
> interfaces:
>
> FORMAT 2
> world   br0        bridge
> net     br0:eth0
> vpn     br0:tap0
>
> hosts:
>
> lan     eth0:192.168.0.0/24
>
> -Tom
On 12/20/2012 08:58 AM, Radoslaw Kamil Ejsmont wrote:

> Thanks! This sets up traffic like I want it. The only thing left -
> tunnels complain about zone net:
>
> [...]
>
> If I replace it with world, it works fine, but tunnel rules (placed in
> world2fw) will never be processed:
>
> [...]
>
> I guess unless I specify policy net -> fw CONTINUE, right?

That's correct.

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
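The two dispatch problems discussed in this thread (Radek's first ruleset sending forwarded LAN-to-VPN traffic into lan2net, and, after the move to bport zones, net2fw terminating a packet before lan_in ever reaches world2fw unless the net->fw policy is CONTINUE) can be checked offline by walking the generated iptables chains the way the kernel would. The script below is an added example for this thread, not code from the list or from the Shorewall project. It parses a subset of the `-A` lines pasted above; it assumes the Shorewall helper chains dynamic/smurfs/tcpflags simply return to the caller, treats zone chains that are not in the snippet (lan2net, lan2fw, vpn_frwd, ...) as opaque endpoints, and models a CONTINUE policy as the zone-pair chain losing its Reject/LOG/reject tail. The sample packets, the VPN address 10.8.0.2 and the packet dictionary layout are constructed for the example; the source address 85.214.209.171 and the interface name vf-ssw-vpn come from the rules in the thread.

```python
"""Walk iptables '-A' lines to see which Shorewall zone-pair chain a packet lands in.
Added example for this thread (not list or Shorewall code); packets are constructed."""
import ipaddress
import shlex

# Subset of the rules from the first post (bridge 'lan', ports eth0 and tap0).
RULES_ORIGINAL = """
-A FORWARD -i lan -j lan_fwd
-A lan_frwd -o lan -j lan2net
-A lan_fwd -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_fwd -s 192.168.0.0/24 -j lan_frwd
-A lan_fwd -m physdev --physdev-in tap0 -j vpn_frwd
"""
# Subset of the rules from the later post, after moving to bport zones.
RULES_BPORT = """
-A lan_in -m conntrack --ctstate NEW,INVALID -j dynamic
-A lan_in -p udp --dport 67:68 -j ACCEPT
-A lan_in -m physdev --physdev-in eth0 -j eth0_in
-A lan_in -m physdev --physdev-in vf-ssw-vpn -j vpn2fw
-A lan_in -j world2fw
-A eth0_in -s 192.168.0.0/24 -j lan2fw
-A eth0_in -j net2fw
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p 6 --dport 22 -j ACCEPT -m comment --comment "SSH"
-A net2fw -p 17 --dport 1194 -j ACCEPT -m comment --comment "OpenVPN"
-A net2fw -j Reject
-A net2fw -j LOG --log-level 6 --log-prefix "Shorewall:net2fw:REJECT:"
-A net2fw -g reject
-A world2fw -p udp --dport 2001 -s 85.214.209.171 -j ACCEPT
-A world2fw -j Reject
"""
PASS_THROUGH = {"dynamic", "smurfs", "tcpflags", "LOG"}      # targets that return
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "REJECT",
            "Reject": "REJECT", "reject": "REJECT"}            # Shorewall's REJECT wrappers
PROTO = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}
PKT_KEY = {"-i": "in", "-o": "out", "--physdev-in": "physin", "-s": "src", "-d": "dst"}

def parse(rules):
    """Group '-A chain ...' lines into {chain: [(match_options, target), ...]}."""
    chains = {}
    for line in rules.strip().splitlines():
        toks, opts, chain, target = shlex.split(line), {}, None, None
        for opt, val in zip(toks[::2], toks[1::2]):        # every token here is a pair
            if opt == "-A":
                chain = val
            elif opt in ("-j", "-g"):
                target = val
            elif opt in PKT_KEY or opt in ("-p", "--dport", "--ctstate"):
                opts[opt] = val
        chains.setdefault(chain, []).append((opts, target))
    return chains

def matches(opts, pkt):
    """True if every match option of the rule is satisfied by the packet dict."""
    for opt, want in opts.items():
        if opt in ("-s", "-d"):
            ok = ipaddress.ip_address(pkt[PKT_KEY[opt]]) in ipaddress.ip_network(want)
        elif opt in PKT_KEY:
            ok = pkt.get(PKT_KEY[opt]) == want
        elif opt == "-p":
            ok = PROTO[want] == pkt["proto"]
        elif opt == "--dport":
            lo, _, hi = want.partition(":")
            ok = int(lo) <= pkt["dport"] <= int(hi or lo)
        else:                                               # --ctstate
            ok = pkt.get("state", "NEW") in want.split(",")
        if not ok:
            return False
    return True

def walk(chains, chain, pkt, path):
    """Follow pkt through chain; return a verdict, or None if it falls off the end."""
    path.append(chain)
    for opts, target in chains.get(chain, []):
        if not matches(opts, pkt) or target in PASS_THROUGH:
            continue
        if target in TERMINAL:
            return TERMINAL[target]
        if target not in chains:                            # zone chain not in snippet
            path.append(target)
            return "zone chain " + target
        verdict = walk(chains, target, pkt, path)
        if verdict is not None:
            return verdict
    return None

def trace(rules, hook, pkt):
    """Return (verdict, chains visited) for pkt entering the ruleset at hook."""
    path = []
    return walk(parse(rules), hook, pkt, path), path

def with_continue_policy(rules, chain):
    """Model a CONTINUE policy on one zone pair (assumption of this example): the chain
    loses its Reject/LOG/reject tail, so an unmatched packet is tried against the next pair."""
    tail = (" -j Reject", " -j LOG ", " -g reject")
    return "\n".join(l for l in rules.strip().splitlines()
                     if not (l.startswith(f"-A {chain} ") and any(t in l for t in tail)))
```

Calling `trace(RULES_ORIGINAL, "FORWARD", pkt)` with a LAN host packet (in/out interface lan, physdev-in eth0, source 192.168.0.10) visits FORWARD, lan_fwd and lan_frwd and ends in lan2net: the `-s 192.168.0.0/24` rule fires before the physdev rule, and lan_frwd only tests `-o lan`, so lan2vpn is unreachable. With `RULES_BPORT` and a UDP/2001 packet from 85.214.209.171 on eth0, `trace(..., "lan_in", pkt)` stops in net2fw with REJECT and world2fw is never visited; running the same packet through `with_continue_policy(RULES_BPORT, "net2fw")` lets net2fw return, and lan_in's last rule hands the packet to world2fw, where the tunnel rule accepts it.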