Re: [Shorewall-users] Re: Wireless - routing or bridging - Part Deux

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Tom Eastep wrote:

> 
>>The curious observation was a ping to suse.com from the laptop gave:
>>
>>Feb 23 08:23:39 machinename kernel: Shorewall:wlan2fw:ACCEPT:IN=eth3 
OUT= 
>>MAC=00:02:b3:1c:39:0d:00:02:2d:24:76:bc:08:00 SRC=xx.xx.18.68 
>>DST=xx.xx.18.50 LEN=112 TOS=0x00 PREC=0xC0 TTL=255 ID=19672 PROTO=ICMP 
>>TYPE=3 CODE=2 [SRC=xx.xx.18.50 DST=192.168.18.68 LEN=84 TOS=0x00 
PREC=0x00 
>>TTL=64 ID=5913 PROTO=ICMP TYPE=0 CODE=00 ID=43536 SEQ=18 ]
>>
>>.68 was the leased address given to the laptop
>>.50 is the static IP for eth3 of this box
>>fwiw .51 is the static IP of the cisco
> 
> 
> Bill -- Why are you trying to obfuscate things with the xx.xx
> nonsense??? I'm not going to help you further if I have to look at crap
> like that, especially since I suspect that these are all internal IP
> addresses.

My objection stems from the fact that some of the addresses have been
obfuscated but one hasn't!! So if xx.xx == 192.168 then there is one
explanation and if xx.xx != 192.168 then something else is going on.

You may be right that the AP is returning a "protocol not reachable"
ICMP to the ping reply -- running Ethereal on the Laptop while you are
trying to ping would solve the mystery though...

-Tom

=====================================

Tom -

Sorry - Yes the addresses are internal, wasn't trying to obfuscate,
I just didn't think they would matter, and I missed one.

I re-read and re-read the docs again, and gave up on what I was doing.
I was trying to set "wlan" as a separate zone, rather than combining
with "loc"   I stripped out all of that and went back to the "standard"
example you have at the end of a two-interface setup.

Ran tcpdump on the laptop and discovered my errors:
    Brain fart - had masq for eth3 backwards  (who knows why)
    routeback option is NOT what I wanted.

Now working...  I have the maclist option now on, tonight I will turn on 
WEP.

We were replacing some switches last night, so did not respond last night.

As usual, thanks for your effort.

The Sufficiently Talented Fool

- Bill