matt darfeuille | 2 Apr 15:24 2015

uninstall script

Hi,

While uninstalling shorewall6-4.6.7 and shorewall-core-4.6.7 I get 
the following warnings, respectively:

WARNING: Shorewall6 Version 4.6.7 is not installed
Uninstalling shorewall6
Shorewall6 Uninstalled
Uninstalling shorewall 4.6.7
Shorewall Uninstalled
WARNING: Shorewall Core Version 4.6.7 is not installed
Uninstalling Shorewall Core
Shorewall Core Uninstalled

The warning for shorewall6-4.6.7 is triggered by line 139 due to 
the missing "E" in the variable name ${SHAREDIR}.

For uninstalling shorewall* my assumption is as follows:
First uninstalling shorewall[6]-init; then shorewall[6]-lite or 
shorewall[6]-4.6.7 and then shorewall-core.

Based on that assumption, the warning triggered by shorewall-core is 
caused by shorewall-4.6.7 on line 200, which removes the directory 
$LIBEXECDIR/shorewall where it should only be "rmed" when $LIBEXECDIR 
does not have the same path as $SHAREDIR.
Adding at the start of the line:
[ ${LIBEXECDIR} = ${SHAREDIR} ] || rm ... 
makes the warning disappear.

Modified scripts attached.

Lennart Sorensen | 31 Mar 23:33 2015

How to override shorewall.conf location

It seems that specifying an alternate config directory works for
everything except shorewall.conf

Given that some of the global settings in there might be things you
would want to try changes to, it seems very inconvenient to not be able
to try an alternate shorewall.conf file as part of a new config.

At least I haven't found any commandline argument or environment variable
or anything else that I can use to convince shorewall that I really
really really do NOT want it to look at /etc/shorewall/shorewall.conf

Did I miss something?

If this isn't supported, would you accept a patch to fix this
inconsistency?

-- 
Len Sorensen

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
Marko Weber | 8000 | 31 Mar 22:04 2015

log interpreting help needed


hello list,

kernel: Shorewall:_net-fw::IN=eth0 OUT= 
MAC=d4:3d:7e:ec:e1:07:00:26:88:75:df:19:08:00 SRC=87.142.17.90 
DST=46.4.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=38334 PROTO=ICMP 
TYPE=3 CODE=1 [SRC=46.4.xx.xxx DST=87.142.17.90 LEN=52 TOS=0x00 
PREC=0x00 TTL=53 ID=4374 DF PROTO=TCP SPT=80 DPT=56578 WINDOW=521 
RES=0x00 ACK FIN URGP=0 ]

I find these entries in my logs.
What does this mean? I don't understand at all. A client connects via 
http on port 80, then the webserver is checking if the client is reachable on 
his outgoing port of his request?

Can someone help me to read this correctly or interpret this correctly?

thanks

marko
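
As an added illustration (not part of the original post), the following Python decoder splits the quoted log line into the outer header and the bracketed inner header. netfilter logs ICMP error messages with the header of the packet that triggered them inside the brackets: here the outer packet is ICMP type 3, code 1 (destination unreachable, host unreachable, per RFC 792) sent by 87.142.17.90 to the firewall, and the inner header is the firewall's own TCP segment from port 80 to the client's port 56578 with ACK and FIN set, i.e. the server side of an HTTP connection being closed. The type and code names are the RFC 792 assignments; the sample line is the posted one with its masked octets kept.

```python
"""Decode a Shorewall (netfilter LOG target) line into its fields, including the
bracketed header that ICMP error messages quote from the packet that triggered them."""
import re
from dataclasses import dataclass, field

# Constructed sample: the line quoted in the post, with the masked octets kept as posted.
SAMPLE_LINE = (
    "kernel: Shorewall:_net-fw::IN=eth0 OUT= "
    "MAC=d4:3d:7e:ec:e1:07:00:26:88:75:df:19:08:00 SRC=87.142.17.90 "
    "DST=46.4.xx.xxx LEN=80 TOS=0x00 PREC=0x00 TTL=55 ID=38334 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=46.4.xx.xxx DST=87.142.17.90 LEN=52 TOS=0x00 "
    "PREC=0x00 TTL=53 ID=4374 DF PROTO=TCP SPT=80 DPT=56578 WINDOW=521 "
    "RES=0x00 ACK FIN URGP=0 ]"
)

# ICMP type and "destination unreachable" code names from RFC 792 (subset).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed", 13: "administratively prohibited"}
# netfilter logs the IP DF bit and the TCP flags as bare words rather than KEY=VALUE.
BARE_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Shorewall's default prefix is "Shorewall:<chain>:<disposition>:"; the disposition
# may be empty, as it is in the posted line.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]*):(?P<disp>[^:\s]*):(?P<rest>.*)$")


@dataclass
class Header:
    fields: dict = field(default_factory=dict)   # KEY=VALUE tokens
    flags: set = field(default_factory=set)      # bare flag words


def parse_fields(text):
    """Split one header's tokens into KEY=VALUE fields and bare flags."""
    hdr = Header()
    for tok in text.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            hdr.fields[key] = value
        elif tok in BARE_FLAGS:
            hdr.flags.add(tok)
    return hdr


def parse_log_line(line):
    """Return chain, disposition, the outer header and (for ICMP errors) the quoted inner header."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    rest = m.group("rest")
    inner = None
    bracket = re.search(r"\[(.*)\]", rest)
    if bracket:                       # ICMP errors carry the offending packet's header in [...]
        inner = parse_fields(bracket.group(1))
        rest = rest[:bracket.start()] + rest[bracket.end():]
    return {"chain": m.group("chain").lstrip("_"),
            "disposition": m.group("disp"),
            "outer": parse_fields(rest),
            "inner": inner}


def describe(parsed):
    """One-line human reading of a parsed log entry."""
    f = parsed["outer"].fields
    text = (f"{parsed['chain']}: {f.get('PROTO')} {f.get('SRC')} -> {f.get('DST')} "
            f"in on {f.get('IN')}")
    if f.get("PROTO") == "ICMP":
        icmp_type, icmp_code = int(f["TYPE"]), int(f["CODE"])
        name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
        if icmp_type == 3:
            name += " (" + UNREACHABLE_CODES.get(icmp_code, f"code {icmp_code}") + ")"
        text += f", ICMP {name}"
    inner = parsed["inner"]
    if inner is not None:
        g = inner.fields
        tcp_flags = ",".join(sorted(inner.flags - {"DF"})) or "-"
        text += (f"; quotes the original {g.get('PROTO')} packet {g.get('SRC')}:{g.get('SPT')} -> "
                 f"{g.get('DST')}:{g.get('DPT')} flags {tcp_flags}")
    return text


if __name__ == "__main__":
    print(describe(parse_log_line(SAMPLE_LINE)))
```

Running it on the posted line prints that the net-fw chain logged an ICMP destination unreachable (host unreachable) from 87.142.17.90 quoting the firewall's own TCP 80 -> 56578 segment with ACK,FIN; the same decoder handles plain TCP/UDP log lines, where `inner` is simply `None`.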

Marco Giacomelli | 30 Mar 21:41 2015

Multi ISP Routing issues

Hi everyone

I'm sorry I didn't reply to the answers to my previous problem; in the end I just reinstalled my whole server. Something was faulty, and that did fix the issue that prevented shorewall from starting.

Although shorewall starts, now it still doesn't work like I want it to.

Now I'm running Shorewall 4.5.21.6

What should happen:
systems on the network (interface em1) should be able to browse the internet through either the modem on p1p1 or the one on p1p2, load balanced with extra rules for ssh to always go on p1p2

What happens:
computers on the network aren't able to navigate at all.

I included the shorewall dump, also I got the following message right away in the console after running the command:
grep: /proc/net/nf_conntrack: No such file or directory

I attempted a connection from 192.168.100.28 to 83.149.170.194 (a web server on the internet that I can normally reach); the connection failed, among everything else.

I hope you guys can help me, thanks for your time.
Attachment (shorewalldump.txt.gz): application/x-gzip, 8 KiB
Hill, John | 27 Mar 19:10 2015

auto bl dnat

Can someone point me to information on using an event with a dnat action?

I thought it said any rule action but I screwed it up trying.

Either an auto bl or a knock would be what I need?

Shorewall 4.6.7

Thanks

John Hill
Nico Pagliaro | 26 Mar 19:52 2015

LSM configuration

Hi, I am trying to get LSM working but I can't.
I can't get my .status files to change after I disconnect the UTP cable.

Shorewall 4.6.7 / centos 6

I followed the doc at http://shorewall.net/MultiISP.html#lsm but it doesn't work.
(I have changed a line that I think is wrong in the doc:
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
for this:
/usr/sbin/lsm -c /etc/lsm/lsm.conf >> /var/log/lsm)

Well, here is my conf:
eth0=LAN
eth1=ISP1 (Static IP)
eth2=ISP2 (dynamic IP)

/etc/shorewall/params
ANTEL=eth1
ADSL=ppp0

/etc/shorewall/isusable

local status=0
#
# Read the status file (if any) created by /etc/lsm/script
#
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
return $status


/etc/shorewall/lib.private

start_lsm() {
   #
   # Kill any existing lsm process(es)
   #
   killall lsm 2> /dev/null
   #
   # Create the Shorewall-specific part of the LSM configuration. This file is
   # included by /etc/lsm/lsm.conf
   #
   # Avvanta has a static gateway while Comcast's is dynamic
   #
   cat <<EOF > /etc/lsm/shorewall.conf
connection {
    name=ANTEL
    checkip=201.217.149.169
    device=$ANTEL
    ttl=2
}

EOF
   #
   # Since LSM assumes that interfaces start in the 'up' state, remove any
   # existing status files that might have an interface in the down state
   #
   rm -f /var/lib/shorewall/*.status
   #
   # Run LSM -- by default, it forks into the background
   #
   /usr/sbin/lsm -c /etc/lsm/lsm.conf >> /var/log/lsm

}

/etc/shorewall/started

if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
fi


/etc/shorewall/restored

if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
   start_lsm
fi


/etc/lsm/lsm.conf

debug=9

#
# Defaults for the connection entries
#
#
# Defaults for the connection entries
#
defaults {
  name=defaults
  checkip=127.0.0.1
  eventscript=/etc/lsm/script
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=5
  min_successive_pkts_rcvd=10
  interval_ms=2000
  timeout_ms=2000
  check_arp=0
  sourceip=
  ttl=0
}

include /etc/lsm/shorewall.conf

/etc/lsm/script

STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}

if [ -f /usr/share/shorewall-lite/lib.base ]; then
    VARDIR=/var/lib/shorewall-lite
    STATEDIR=/etc/shorewall-lite
    TOOL=/sbin/shorewall-lite
else
    VARDIR=/var/lib/shorewall
    STATEDIR=/etc/shorewall
    TOOL=/usr/sbin/shorewall
fi

[ -f ${STATEDIR}/vardir ] && . ${STATEDIR}/vardir

cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}

Hi,
Connection ${NAME} is now ${STATE}.

Following parameters were passed:
newstate     = ${STATE}
name         = ${NAME}
checkip      = ${CHECKIP}
device       = ${DEVICE}
warn_email   = ${WARN_EMAIL}

Packet counters:
replied      = ${REPLIED} packets replied
waiting      = ${WAITING} packets waiting for reply
timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
reply_late   = ${REPLY_LATE} packets that received a reply after timeout
cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
cons_miss    = ${CONS_MISS} consecutive packets that have timed out
avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this

Your LSM Daemon

EOM

# Uncomment the next two lines if you are running Shorewall 4.4.x or earlier

# [ ${STATE} = up ] && state=0 || state=1
# echo $state > ${VARDIR}/${DEVICE}.status

$TOOL restart -f >> /var/log/lsm 2>&1

$TOOL show routing >> /var/log/lsm

exit 0

#EOF

/etc/shorewall/providers
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ANTEL   1       1       -               eth1            201.217.149.169 track,loose,balance=100
ADSL    2       2       -               ppp0            detect          track,loose,balance=1


WHEN SHOREWALL STOPPED

ll /var/lib/shorewall/

total 120
-rw-------. 1 root root     4 Mar 26 13:55 eth1_weight
-rwx------. 1 root root 87764 Mar 26 13:55 firewall
-rw-r--r--. 1 root root    88 Mar 25 11:48 lsm.conf
-rw-------. 1 root root   162 Mar 26 13:55 marks
-rw-------. 1 root root   226 Mar 26 13:55 policies
-rw-------. 1 root root     2 Mar 26 13:55 ppp0_weight
-rw-------. 1 root root    29 Mar 26 13:55 restarted
-rw-------. 1 root root    39 Mar 26 14:27 state
-rw-------. 1 root root    75 Mar 26 13:55 zones

ps ax | grep lsm

5122 pts/0    S+     0:00 grep lsm


service shorewall start

 ps ax | grep lsm
 5499 ?        Rs     0:03 /usr/sbin/lsm -c /etc/lsm/lsm.conf
 5506 pts/0    S+     0:00 grep lsm


 ll /var/lib/shorewall/

-rw-------. 1 root root    38 Mar 26 14:31 default_route
-rw-------. 1 root root     2 Mar 26 14:31 eth1.status
-rw-------. 1 root root     4 Mar 26 14:31 eth1_weight
-rwx------. 1 root root 87764 Mar 26 14:31 firewall
-rw-r--r--. 1 root root    88 Mar 25 11:48 lsm.conf
-rw-------. 1 root root   162 Mar 26 14:31 marks
-rw-------. 1 root root     0 Mar 26 14:31 nat
-rw-------. 1 root root   226 Mar 26 14:31 policies
-rw-------. 1 root root     2 Mar 26 14:31 ppp0.status
-rw-------. 1 root root     2 Mar 26 14:31 ppp0_weight
-rw-------. 1 root root     0 Mar 26 14:31 proxyarp
-rw-------. 1 root root    29 Mar 26 14:31 restarted
-rw-------. 1 root root    60 Mar 26 14:31 state
-rw-------. 1 root root   271 Mar 26 14:31 undo_ADSL_routing
-rw-------. 1 root root   271 Mar 26 14:31 undo_ANTEL_routing
-rw-------. 1 root root    68 Mar 26 14:31 undo_balance_routing
-rw-------. 1 root root     0 Mar 26 14:31 undo_default_routing
-rw-------. 1 root root   134 Mar 26 14:31 undo_main_routing
-rw-------. 1 root root    75 Mar 26 14:31 zones



The ISP1 cable is disconnected but when I do 

cat /var/lib/shorewall/eth1.status
0

Is this correct?
Thomas can you give me a hand on this?

Thanks ;)
Hill, John | 26 Mar 17:54 2015

Help with Auto Blacklist event

I set up an SSH auto blacklist as the docs explained.

Using a modified stock rule in the ?new section

AutoBL(SSH,-,-,-,REJECT,warn)    net            $FW       tcp        22,2222

Also in the ?new section

I have a dnat rule for port 2222 to a loc:xxx.xxx.xxx.xxx:22

In ?all section

I have SSH(ACCEPT)          all

If either rule is active the blacklist does not trigger on the active one.

Example I # the dnat rule reload test and show events will show hits.

Activate it and nothing?

I tried it unmodified with the same results.

My goal is to monitor these 2 ports 2222 and 22 and blacklist repetitive attempts.

Any help would be appreciated.

Thanks

John Hill
Damiano Verzulli | 26 Mar 01:23 2015

4.5.4 on CentOS 6: problem with DNAT over a two port ethernet bridge


Hi all!

	This morning we upgraded one of our firewalls, moving from an old
shorewall 4.0.6 to a more current 4.5.4 (CentOS 6.6 RPM -
shorewall-4.5.4-1.el6.noarch).

	Everything went OK, with the exception of some DNAT rules. In short:

we're running a three-interfaces firewall, with:
	- "em1" and "em3" bridged into "br0"
	- "em2" used as an 802.1q trunk with several VLANs associated to various
zones/interfaces:

[.......zones.........]
fw		firewall
brdg		ipv4
net:brdg	bport4
dmz:brdg	bport4
loc		ipv4
mngmt		ipv4
...
[^^^^^^^^^^^^^^^^^^^^^^]

[..... interfaces ......]
brdg		br0	detect	bridge,[...]
net		br0:em1
dmz		br0:em3
loc		em2.51
voser		em2.20		# voip server
ibver		em2.21		# ibrida verde
...
[^^^^^^^^^^^^^^^^^^^^^^^^]

among a quite long series of "rules", we have this one:

[...... rules ......]
DNAT brdg loc:172.18.10.10 tcp 22,25,110,143 - 129.176.15.10
[^^^^^^^^^^^^^^^^^^^]

that, unfortunately, was not working properly.

After some investigation, we saw that even though shorewall properly
compiled the underlying iptables/netfilter DNAT rules, such a rule *IS
NEVER REACHED*. In detail, we saw that:
in the PREROUTING chain there was a single JUMP to the "dnat" chain;
our DNAT rule was correctly placed in the "brdg_dnat" chain;
along the "dnat" chain, the jump to the "brdg_dnat" chain was *NOT*
reached, due to a couple of RETURNs handling 100% of the bridge-incoming
traffic.

In short:

[----- shorewall show -t nat -------]
Counters reset Thu Mar 26 01:06:22 CET 2015

Chain PREROUTING (policy ACCEPT 2729 packets, 212K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2730  212K dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[...]
Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1123 83892 RETURN     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in em1
  126 13770 RETURN     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in em3
    0     0 brdg_dnat  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
[....]
Chain brdg_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            129.176.15.10       multiport dports 22,25,110,143 to:172.18.10.10
[...]
[^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^]

As it can clearly be seen from the "iptables-save" fragments:
-------------------------------
-A dnat -i br0 -m physdev --physdev-in em1 -j RETURN
-A dnat -i br0 -m physdev --physdev-in em3 -j RETURN
-A dnat -i br0 -j brdg_dnat
[....]
-------------------------------

all the traffic coming to the bridge, via the "em1" interface or the
"em3" interface, is simply matched by the first two rules and.... never
reaches the third rule (...so as to be properly managed by the real DNAT
chain/rules).

Is this a bug?

Or are we missing a major point in the 4.5.4 configuration?

Please note that, while searching for a definitive solution, we have
set up a "hack" by putting:

----------------
/sbin/iptables -t nat -D dnat -i br0 -m physdev --physdev-in em1 -j RETURN
/sbin/iptables -t nat -D dnat -i br0 -m physdev --physdev-in em3 -j RETURN
----------------

in /etc/shorewall/started and... now everything works correctly :-)

Should you need further information, don't hesitate to ask (I'm
deliberately avoiding providing all the cfg files, as they are quite...
large and, in our opinion, not strictly related to the problem. But,
again, if you need info, please ask).

Cheers,
DV

-- 
Damiano Verzulli
e-mail: damiano <at> verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
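
The counters in the mail already tell the story. As an added illustration (not part of the original mail, and a deliberately simplified model of netfilter chain traversal rather than Shorewall's own code), the Python toy below walks the three posted "dnat" rules and the "brdg_dnat" rule with first-match semantics: a constructed TCP/25 packet arriving over em1 hits the first RETURN and never reaches the jump, and it only reaches the DNAT once the two RETURN rules are removed, which is exactly what the two `iptables -D` lines in /etc/shorewall/started do. Rule and packet fields (`in`, `physdev_in`, `proto`, `dst`, `dport`) are the toy's own names.

```python
"""Toy model of netfilter chain traversal, used to show why the posted
"dnat" chain never hands bridge traffic to "brdg_dnat"."""

# Rules transcribed from the iptables-save fragment in the mail. Each rule is
# (match criteria, target); a criterion absent from a rule matches any packet.
POSTED_DNAT_CHAIN = [
    ({"in": "br0", "physdev_in": "em1"}, "RETURN"),
    ({"in": "br0", "physdev_in": "em3"}, "RETURN"),
    ({"in": "br0"}, "brdg_dnat"),
]
BRDG_DNAT_CHAIN = [
    ({"proto": "tcp", "dst": "129.176.15.10", "dport": {22, 25, 110, 143}},
     "DNAT to:172.18.10.10"),
]

# Constructed packet: a mail client on the net side of the bridge (so it enters
# br0 through em1) connecting to the published address on port 25.
SMTP_FROM_NET = {"in": "br0", "physdev_in": "em1", "proto": "tcp",
                 "dst": "129.176.15.10", "dport": 25}


def matches(criteria, packet):
    """True when every criterion in the rule is satisfied by the packet."""
    for key, want in criteria.items():
        have = packet.get(key)
        if isinstance(want, set):          # multiport-style set of allowed values
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def walk(chain_name, chains, packet):
    """Return the terminating target for packet, or None if the chain RETURNs or
    falls off the end. Mirrors netfilter: first matching rule wins; RETURN ends
    the chain; a user chain that returns hands control back to the next rule."""
    for criteria, target in chains[chain_name]:
        if not matches(criteria, packet):
            continue
        if target == "RETURN":
            return None
        if target in chains:                # jump to a user-defined chain
            result = walk(target, chains, packet)
            if result is not None:
                return result
            continue                        # user chain returned: keep evaluating
        return target                       # terminating target (DNAT, ACCEPT, ...)
    return None


def dnat_result(dnat_rules, packet=SMTP_FROM_NET):
    chains = {"dnat": dnat_rules, "brdg_dnat": BRDG_DNAT_CHAIN}
    return walk("dnat", chains, packet)


def posted_result():
    """What the rules as posted do to the constructed packet."""
    return dnat_result(POSTED_DNAT_CHAIN)


def after_workaround_result():
    """Same packet after the mail's workaround deleted the two RETURN rules."""
    return dnat_result([rule for rule in POSTED_DNAT_CHAIN if rule[1] != "RETURN"])


if __name__ == "__main__":
    print("as posted:       ", posted_result())
    print("after workaround:", after_workaround_result())
```

The model ignores connection tracking and every other table; its only purpose is to make the evaluation order visible: once a RETURN matches, nothing later in the same chain is consulted, so where the RETURNs sit relative to the brdg_dnat jump decides whether the DNAT rule can ever count a packet.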
Marco Giacomelli | 25 Mar 21:05 2015

ERROR gateway is not reachable provider cannot be started

Hi everyone, I've been having a big problem and this is my last resort
after googling for days.

I used to have a multi-ISP (both modems on a single interface, routing
to two different interfaces) setup running, after upgrading shorewall
to version 4.6.4.3, among the whole system (debian), the old
configuration hasn't been working anymore and I've only been getting
the following error:

ERROR: Gateway 10.0.0.1 is not reachable -- Provider NET1 (1) Cannot be Started

I reworked the configuration almost from scratch and switched the
modems to different interfaces (eth0 and eth1 instead of just eth0)
while consolidating the subnetworks to a single one (eth2) but I'm
still getting this problem that critically prevents the firewall from
working whenever a provider is specified.

If I disable every entry in the providers configuration then
everything works (with horrible performance) just on the first ISP.

I included the trace and the compiled program, I hope somebody can
finally figure out why that gateway refuses to work at all.
Attachment (.restart.gz): application/x-gzip, 25 KiB
Attachment (trace.gz): application/x-gzip, 7821 bytes
Nico Pagliaro | 25 Mar 19:27 2015

FALLBACK - MultipleISP

Hi everybody, I am installing a new shorewall firewall  from version 4.5.0.2 to 4.6.7 in a Centos 6
I need to have a multiple ISP configuration, QoS and fallback or balance option.
Well, there is something that obviously I am doing wrong, because it is not working.
This is my config:

eth0 = 192.168.0.7 (LAN)
eth1 = external IP 1 (NET)
eth2 = ADSL connection, ppp0

I am using USE_DEFAULT_RT=Yes

FILES:
----------

zones
fw      firewall
net     ipv4
loc     ipv4


interfaces
loc             eth0
net             eth1                    optional
net             ppp+                   optional


masq
eth1                    192.168.0.0/24  201.217.10.1 (MY GW)

ppp+                    192.168.0.0/24

providers
ANTEL   1       1       -               eth1            201.217.10.1  track,loose,balance=10
ADSL     2       2       -               ppp0            -                   track,loose,balance=1


ANTEL is a 120/20 connection and ADSL is a 20/2


What I want in this step is, if ANTEL is down, users go out to the Internet with ADSL, so I disconnect the UTP cable from my ANTEL router.
The result is that the client navigates through ADSL, but when I reconnect the ANTEL link the client still navigates using ADSL.


Is this correct? How can I make ANTEL the primary connection?

Thanks

I tried primary in the ANTEL provider options and fallback on ADSL, and it doesn't work.
Thomas Winkler | 25 Mar 17:54 2015

OpenVPN server with Shorewall not working

Hello,

I really like Shorewall! Thanks for this piece of software!
I am using Shorewall on an ARM single-board computer with two NICs running Debian 7.8, which runs perfectly.

I installed the OpenVPN server on that single-board computer and am trying to get the OpenVPN server running
together with Shorewall.
Unfortunately, it doesn't work as expected.

Once Shorewall is disabled, I can connect an OpenVPN client to my OpenVPN server without any problems.
However, after turning Shorewall on, the OpenVPN client fails to connect or to keep its VPN connection
with the OpenVPN server.

I tested Shorewall and OpenVPN server on my local LAN.  

The ARM board has the IP address 192.168.70.19 and its Ethernet cable is plugged into eth0. Shorewall and
the OpenVPN server are running on that board with the following Shorewall configuration:

interfaces:

net     eth0         -   dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1         -   tcpflags,nosmurfs,routefilter,logmartians
vpn     tun0

zones :

fw      firewall
net     ipv4
loc     ipv4
vpn	ipv4	

policy:

net	fw	REJECT	warning
fw	all	ACCEPT
vpn	all	ACCEPT
net	vpn	ACCEPT	info
net	loc	DROP	crit
loc	all	ACCEPT
      

tunnels:

#TYPE              ZONE          GATEWAY          GATEWAY ZONE
openvpnclient:1194  net         192.168.70.19

I hope anyone can help me out. Thanks in advance!

Regards,

Thomas Winkler

_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
