From: Tom E. <te...@av...> - 2006-12-22 16:35:59
lpa du morvan wrote:
> Hi
>
> I tested through the ipsec tunnel a http connection and always the same
> error:
>
> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 with always
> PROTO=4 !!!!!! it's in this case a http connection and thus PROTO=6 but
> nothing with PROTO=6 in the error message.

If you are still getting these messages then you haven't added the ipip
tunnel entry that I recommended.

>
> icmp is thus necessary to establish a flow through a ipsec tunnel !?
>
> I want to add
>
> iptables -A INPUT -p ! icmp -m state --state INVALID -j DROP
> also for OUTPUT and FORWARD chain,
>
> but shorewall does not take into account the manual changes with iptables
> command.
>

I have no idea what problem you are reporting now. If you want my help,
then please submit complete problem reports as described at
http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key