Discussion:
[Shorewall-users] shorewall & ipsec rules with "FORWARD:DROP" packets
Adam D
2008-05-29 05:31:41 UTC
I have been working really hard configuring and researching very
extensively, trying to figure out why we are getting
"Shorewall:FORWARD:DROP" packets. IPSEC works just fine without the
iptables rules created by our shorewall configs, but when starting
shorewall and creating the iptables rules I noticed the packets are dropped.
I know it is a config situation, but I am totally racking my brain as to
what config may be causing the issue.


Here are some details of what we have.


shorewall debug restart 2> /tmp/trace
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: inet pflan
IPSEC Zones: baja bcvpn sdvpn
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
inet Zone: eth0:0.0.0.0/0
pflan Zone: eth1:0.0.0.0/0
baja Zone: ipsec+:192.168.90.0/24
bcvpn Zone: ipsec+:192.168.0.0/24
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Restarting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Setting up Black List...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up IPSEC management...
Setting up Rules...
Setting up Tunnels...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
done.


see attached file for /sbin/shorewall dump > /tmp/status.txt


I really do hope I can receive some extra help with this


If there is anything else I can submit to help troubleshoot this with me,
please let me know.


-Adam
Adam D
2008-05-29 07:14:38 UTC
Shortly after posting to the mailing list I revisited a few web pages
and checked my configurations, and found I had the vpn zone backwards and
that was why the firewall kept dropping the packets. I knew it was
something simple, and it is now working perfectly with both sides of the
vpn working great.


-Adam
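The drops in the first post were logged from the FORWARD chain itself rather than from a zone-pair chain, which is what you typically see when a packet matches no zone pair at all, and the second post confirms the cause was a reversed vpn zone definition. A quick way to see that from the logs is to map the IN/OUT interfaces and SRC/DST addresses of each "Shorewall:FORWARD:DROP" entry back onto the zone table that "shorewall debug restart" printed. The script below is an added example, not Shorewall's code or anything Adam posted: the ZONES table is copied from the "Determining Hosts in Zones" lines in the thread, and the log lines are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Zone membership as printed under "Determining Hosts in Zones" in the
# thread's debug output. The IPSEC zones use the "ipsec+" wildcard, so
# their members are matched on address; the "+" stands for any interface.
ZONES = {
    "inet": [("eth0", "0.0.0.0/0")],
    "pflan": [("eth1", "0.0.0.0/0")],
    "baja": [("ipsec+", "192.168.90.0/24")],
    "bcvpn": [("ipsec+", "192.168.0.0/24")],
}

# Constructed sample syslog lines (not from the thread) in the layout the
# netfilter LOG target writes behind Shorewall's "Shorewall:<chain>:<disp>:"
# prefix. Private addresses come from the thread's zone table.
SAMPLE_LOG = """\
May 29 05:20:01 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 SRC=192.168.90.10 DST=192.168.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May 29 05:20:02 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 SRC=192.168.90.10 DST=192.168.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May 29 05:20:03 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 SRC=192.168.90.11 DST=192.168.0.40 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 29 05:20:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 29 05:20:05 fw kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth0 SRC=192.168.0.25 DST=192.168.90.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=TCP SPT=445 DPT=51234 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")


def parse_line(line):
    """Return the Shorewall chain, disposition and the netfilter key=value
    fields of one log line, or None if the line is not a Shorewall entry."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("rest").split():
        # Flag tokens such as DF or SYN carry no "=" and are not needed here.
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def zone_for(addr, iface):
    """Pick the most specific zone containing addr: a longer prefix wins, and
    on equal prefix length the zone whose interface matches wins. The "+"
    wildcard used by the IPSEC zones matches any interface."""
    ip = ip_address(addr)
    best_zone, best_rank = None, (-1, -1)
    for zone, members in ZONES.items():
        for member_iface, net in members:
            network = ip_network(net)
            if ip not in network:
                continue
            iface_match = member_iface.endswith("+") or member_iface == iface
            rank = (network.prefixlen, int(iface_match))
            if rank > best_rank:
                best_zone, best_rank = zone, rank
    return best_zone


def summarize_forward_drops(log_text):
    """Count FORWARD-chain drops per (source zone, destination zone,
    protocol, destination port). Entries logged from FORWARD itself, rather
    than from a zone-pair chain, are the packets no zone pair claimed."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "FORWARD" or rec["disposition"] != "DROP":
            continue
        src_zone = zone_for(rec["SRC"], rec.get("IN", ""))
        dst_zone = zone_for(rec["DST"], rec.get("OUT", ""))
        counts[(src_zone, dst_zone, rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


def dropped_zone_pairs(log_text):
    """Set of (source zone, destination zone) pairs seen in FORWARD drops;
    compare it with the zone pairs the policy and rules files are meant to
    cover to spot a zone whose hosts are defined the wrong way round."""
    return {(src, dst) for (src, dst, _proto, _port) in summarize_forward_drops(log_text)}


if __name__ == "__main__":
    for key, n in sorted(summarize_forward_drops(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key[0]} -> {key[1]}  {key[2]} dport {key[3]}")
```

On the constructed input every FORWARD drop resolves to baja<->bcvpn, i.e. traffic between the two IPSEC zones, while the net2fw entry is left out because a zone-pair chain did claim it. If the zone pairs reported here are ones the policy file already allows, the hosts or zone definitions (not the rules) are the place to look, which is the kind of mistake the second post describes.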