From: Tom E. <te...@sh...> - 2006-07-11 15:10:57
renyi zsolt wrote:
> I already tried that and didn't work. I tried
> inserting rules before shorewall's rules to ACCEPT
> every connection from 80.96.3.4 to which I try to
> connect and I also tried SNAT-ing all traffic from the
> host I am connecting. I have an older firewall
> (firehol, I decided to change it to shorewall) and on
> that only udp dpt:2746 and udp:500 are nat-ed and it
> works on that. With shorewall no matter what I try the
> vpn gateway returns 2 fragmented udp packets which are
> Dropped somewhere.
>
> Here is a tcpdump output on my external interface:
> 17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset
> 1480, flags [+, DF], proto: UDP (17), length: 1500)
> yyy > xxx: udp
> 17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset
> 2960, flags [DF], proto: UDP (17), length: 184) yyy >
> xxx udp
>

They are dropped because they are the 2nd and 3rd fragments of 3. The first
fragment (offset 0) is missing?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
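The fragment arithmetic behind the reply above, as an added example that is not part of the original thread: it groups `tcpdump -v` lines by IP id and reports which byte ranges of each datagram never appeared in the capture. The function names, the 20-byte IP header (no options) and grouping by id alone (a capture filtered to one peer) are assumptions of this example.

```python
import re
from collections import defaultdict

IP_HEADER_LEN = 20  # assumption: IPv4 header without options

# Matches both "length: 1500" (older tcpdump, as in the post) and "length 1500".
FRAG_RE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\]"
    r".*?length:? (?P<len>\d+)"
)

# Constructed sample: the two lines quoted in the post, with the mail wrapping undone.
SAMPLE = """\
17:37:27.241183 IP (tos 0x20, ttl 58, id 28157, offset 1480, flags [+, DF], proto: UDP (17), length: 1500) yyy > xxx: udp
17:37:27.241202 IP (tos 0x20, ttl 58, id 28157, offset 2960, flags [DF], proto: UDP (17), length: 184) yyy > xxx udp
"""

def parse_fragments(text):
    """Return {ip_id: [(offset, payload_len, more_fragments), ...]}."""
    frags = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        flags = [f.strip() for f in m["flags"].split(",")]
        payload = int(m["len"]) - IP_HEADER_LEN  # "length" is the IP total length
        frags[int(m["id"])].append((int(m["off"]), payload, "+" in flags))
    return dict(frags)

def missing_ranges(fragments):
    """Byte ranges (start, end) never seen for one datagram; end None = tail unknown."""
    gaps, expected, saw_last = [], 0, False
    for off, length, more in sorted(fragments):
        if off > expected:
            gaps.append((expected, off))  # hole before this fragment
        expected = max(expected, off + length)
        saw_last = saw_last or not more  # fragment without "+" (MF) closes the datagram
    if not saw_last:
        gaps.append((expected, None))
    return gaps

if __name__ == "__main__":
    for ip_id, frags in parse_fragments(SAMPLE).items():
        print(f"id {ip_id}: missing {missing_ranges(frags)}")
```

For the quoted capture the only gap is bytes 0 to 1480, the fragment that carries the UDP header and its port numbers.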