From: Vincent <to...@n7...> - 2006-03-06 14:26:32
Jon Bendtsen wrote:
> That's possible. Did you check using tcpdump or another sniffer if the
> firewall sends back a reject message? Or does it simply just drop the
> packets?

One more precision: the vpn-gateways are not the default gateways in
each subnet. There are routes to redirect from default gateways to
vpn-gateways.

When I try to ssh from a computer on site A to site B, on the default
gateway on site B I found this line in the logs:

kernel: NEW not SYN? IN=eth0 OUT=eth0 SRC=192.168.0.252 DST=192.168.1.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=1733 WINDOW=5792 RES=0x00 ACK SYN URGP=0

That's all, and the packet doesn't reach computer B, so I assume the
firewall drops it on the default gateway on site B.

This computer runs IPCop; there is a chain NEWNOTSYN whose role seems
to be to drop everything:

LOG     all  --  anywhere  anywhere  limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP    all  --  anywhere  anywhere

I added this line to the chain but it had no effect ...

ACCEPT  all  --  192.168.0.0/24  192.168.1.0/24

The packets are still being dropped. Any idea?

> Do you generally allow icmp, aka ping, to go through? That could explain
> why ping works and ssh does not.

It's the default configuration concerning the ping; I have tested and it
goes through.

Vincent

--
Sokar
--------------------------------
network co-administrator, n7mm.org
mail : so...@n7...
Find me on irc.n7mm.org : #n7mm
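Added example (written for this page, not part of Vincent's post and not IPCop code): a small Python parser for netfilter LOG lines of the kind quoted above. It splits the line into its prefix, key=value fields and bare TCP flag tokens, then says why a TCP packet could be in conntrack state NEW without being a SYN. On the quoted line it reports flags ACK+SYN sent from 192.168.0.252:22 towards 192.168.1.8:1733, i.e. the server's handshake reply for a connection whose initial SYN this gateway never saw. The two extra sample lines are constructed for the example, not taken from the page.

```python
from collections import Counter
from dataclasses import dataclass, field

# TCP flag keywords that netfilter prints as bare tokens after RES=...
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# The log line quoted in the post (quoted-printable artifacts decoded).
PAGE_LINE = (
    "kernel: NEW not SYN? IN=eth0 OUT=eth0 SRC=192.168.0.252 DST=192.168.1.8 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=1733 "
    "WINDOW=5792 RES=0x00 ACK SYN URGP=0"
)

# Constructed sample lines (not from the page) showing other packet shapes
# such a NEW-not-SYN chain typically logs.
CONSTRUCTED_LINES = [
    # mid-stream ACK of a flow this box has no state entry for
    "kernel: NEW not SYN? IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=192.168.0.40 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=44321 DPT=443 "
    "WINDOW=501 RES=0x00 ACK URGP=0",
    # reset for a flow this box has no state entry for
    "kernel: NEW not SYN? IN=eth0 OUT=eth0 SRC=192.168.0.40 DST=192.168.1.20 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=443 DPT=44321 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0",
]


@dataclass
class LogEntry:
    prefix: str                 # the --log-prefix text, e.g. "NEW not SYN?"
    fields: dict                # key=value tokens: IN, OUT, SRC, DST, PROTO, SPT, ...
    flags: set                  # bare TCP flag tokens: ACK, SYN, ...
    ip_flags: list = field(default_factory=list)   # bare IP tokens: DF, MF, CE


def parse_log_line(line: str) -> LogEntry:
    """Split one netfilter LOG line into prefix, key=value fields and flag tokens."""
    body = line.split("kernel: ", 1)[-1]          # drop the syslog lead if present
    tokens = body.split()
    # Everything before the first IN= token is the log prefix.
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), len(tokens))
    entry = LogEntry(prefix=" ".join(tokens[:start]), fields={}, flags=set())
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry.fields[key] = value
        elif tok in TCP_FLAGS:
            entry.flags.add(tok)
        else:
            entry.ip_flags.append(tok)
    return entry


def classify(entry: LogEntry) -> str:
    """Explain why a packet can be conntrack-NEW without being a plain SYN."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = entry.flags
    if {"SYN", "ACK"} <= f:
        # The server's handshake reply: this box never saw the client's SYN,
        # so the outbound half of the connection went around it.
        return "syn-ack-unseen-handshake"
    if "RST" in f:
        return "rst-for-unknown-flow"
    if "SYN" in f:
        return "plain-syn"            # a real SYN should not land in such a chain
    return "midstream-unknown-flow"   # ACK/PSH of a flow with no state entry


def endpoints(entry: LogEntry):
    """Return (client, server) as ip:port for a SYN or SYN-ACK; (sender, receiver) otherwise."""
    src = f"{entry.fields['SRC']}:{entry.fields['SPT']}"
    dst = f"{entry.fields['DST']}:{entry.fields['DPT']}"
    if {"SYN", "ACK"} <= entry.flags:   # in a SYN-ACK the sender is the server
        return dst, src
    return src, dst


def summarize(lines):
    """Count how many logged packets fall into each category."""
    return Counter(classify(parse_log_line(line)) for line in lines)


if __name__ == "__main__":
    for line in [PAGE_LINE] + CONSTRUCTED_LINES:
        e = parse_log_line(line)
        print(f"{classify(e):28} flags={sorted(e.flags)} endpoints={endpoints(e)}")
    print(dict(summarize([PAGE_LINE] + CONSTRUCTED_LINES)))
```

A SYN-ACK showing up as NEW is the signature of a path where the gateway sees only one direction of the flow, which matches a setup in which the default gateways and the VPN gateways are different boxes. Separately, netfilter evaluates a chain top to bottom, so an ACCEPT rule added after the DROP in NEWNOTSYN is never reached; it has to sit above the DROP to take effect.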