-
Hi Victor, thanks for the feedback. I've opened a ticket to ask for an option to disable/enable dropping of invalid packets. We've moved back to MonMotha's script for the moment as we need these non-directly connected subnets to be able to access internet which they can't currently with Vuurmuur. Appreciate your assistance.
Regards, Robby.
2009-07-03 07:44:20 UTC in Vuurmuur
-
Hi Victor,
I understand your hesitance in disabling this, but I don't see this traffic as being invalid. I'm not sure why vuurmuur/conntrack determines this to be invalid traffic - is there anything I can do on my side to try and find out why? I'll open a ticket in the meantime.
Regards, Robby.
2009-05-29 09:11:18 UTC in Vuurmuur
-
Hi Victor,
Any chance I can disable Vuurmuur's blocking of invalid connection states?
Regards, Robby.
2009-05-26 08:40:14 UTC in Vuurmuur
-
Hi Victor,
Yes, routing is symmetrical and vuurmuur can reach localnet2. The router section is actually a bunch of hops as part of a wireless network (reason why we can't just pop a NIC in the vuurmuur box).
The thing with invalid connection states is confusing - why can I use a different firewall wrapper for iptables (Monmotha) and this works fine? So I think either there is a rule...
2009-05-14 15:08:18 UTC in Vuurmuur
-
Another piece of info is that the router's gateway is the vuurmuur box, so traffic runs from a 10.1.1 device to vuurmuur and then to the router and across to the 10.3.3 network, the opposite way for the return path (symmetric route); device on 10.3.3 net to vuurmuur and then to 10.1.1 device ...
I've popped in my old firewall script for the moment (Monmotha's script) just to get things...
2009-05-12 14:02:19 UTC in Vuurmuur
-
Here is an example of an ACCEPT and a DROP between the same 2 machines:
May 12 14:25:01: ACCEPT 2598tcp 10.3.3.118 -> 10-1-1-27.local_net1.lan (in: eth0 out: eth0 10.3.3.118:3612 -> 10.1.1.27:2598 TCP flags: ****S* len:48 ttl:124)
May 12 14:25:01: DROP 2598tcp 10.3.3.118 ->...
2009-05-12 12:36:42 UTC in Vuurmuur
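An added example, not from this thread and not part of Vuurmuur: a small Python script that parses log lines in the layout Robby quoted above, groups them by connection, and reports flows that received both an ACCEPT and a DROP. It also flags flows whose packets enter and leave on the same interface (in == out), which is exactly the hairpin situation in this thread, where localnet2 sits behind a router on the LAN side. The first sample line is the one quoted in the post; the other lines are constructed in the same layout for illustration and are not real log output.

```python
import re
from collections import defaultdict

# Pattern for the vuurmuur log layout quoted in the thread (one packet per line):
#   <Mon DD HH:MM:SS>: <ACTION> <service> <src> -> <dst> (in: IF out: IF
#   <src>:<sport> -> <dst>:<dport> <PROTO> flags: <flags> len:<n> ttl:<n>)
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): '
    r'(?P<action>ACCEPT|DROP|REJECT) (?P<service>\S+) \S+ -> \S+ '
    r'\(in: (?P<in_if>\S+) out: (?P<out_if>\S+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'(?P<proto>\w+) flags: (?P<flags>\S+) len:(?P<length>\d+) ttl:(?P<ttl>\d+)\)$'
)

# Constructed sample: line 1 is the ACCEPT quoted in the thread; the DROP on the
# same connection, the unrelated accepted flow and the non-matching line are
# constructed here to exercise the script (they are not real log data).
SAMPLE_LOG = [
    "May 12 14:25:01: ACCEPT 2598tcp 10.3.3.118 -> 10-1-1-27.local_net1.lan "
    "(in: eth0 out: eth0 10.3.3.118:3612 -> 10.1.1.27:2598 TCP flags: ****S* len:48 ttl:124)",
    "May 12 14:25:01: DROP 2598tcp 10.3.3.118 -> 10-1-1-27.local_net1.lan "
    "(in: eth0 out: eth0 10.3.3.118:3612 -> 10.1.1.27:2598 TCP flags: *A**** len:40 ttl:124)",
    "May 12 14:25:03: ACCEPT 80tcp 10.1.1.50 -> 10.3.3.9 "
    "(in: eth0 out: eth1 10.1.1.50:40001 -> 10.3.3.9:80 TCP flags: ****S* len:60 ttl:64)",
    "May 12 14:25:04: kernel: some unrelated syslog line",
]


def parse_line(line):
    """Return a dict of fields for one vuurmuur log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "length", "ttl"):
        rec[field] = int(rec[field])
    return rec


def flow_key(rec):
    """Direction-independent connection key: protocol plus the two sorted endpoints."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (rec["proto"],) + tuple(sorted([a, b]))


def find_suspect_flows(lines):
    """Group packets per connection and report flows that were both accepted and dropped.

    Each report entry notes whether any packet of the flow was a hairpin
    (same inbound and outbound interface), the pattern in this thread.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:  # skip lines that are not vuurmuur packet logs
            flows[flow_key(rec)].append(rec)

    report = []
    for key, recs in flows.items():
        actions = {r["action"] for r in recs}
        if "ACCEPT" in actions and "DROP" in actions:
            dropped = [r for r in recs if r["action"] == "DROP"]
            report.append({
                "flow": key,
                "packets": len(recs),
                "dropped": len(dropped),
                "dropped_flags": [r["flags"] for r in dropped],
                "hairpin": any(r["in_if"] == r["out_if"] for r in recs),
            })
    return report


if __name__ == "__main__":
    for entry in find_suspect_flows(SAMPLE_LOG):
        proto, ep_a, ep_b = entry["flow"]
        print(f"{proto} {ep_a[0]}:{ep_a[1]} <-> {ep_b[0]}:{ep_b[1]}: "
              f"{entry['dropped']}/{entry['packets']} packets dropped, "
              f"flags {entry['dropped_flags']}, hairpin={entry['hairpin']}")
```

Run it against a real vuurmuur log by replacing SAMPLE_LOG with the file's lines. A flow where the SYN is accepted and a later packet of the same connection is dropped, with in and out both on the LAN interface, is the signature to look for when conntrack is marking traffic INVALID. Outside this thread, on a current kernel an iptables rule with `-m conntrack --ctstate INVALID -j LOG` before the drop rule will confirm which packets conntrack is classifying as INVALID, and the `net.netfilter.nf_conntrack_tcp_be_liberal` sysctl relaxes the TCP window checks that are a common cause of such classifications on hairpinned or multi-hop paths.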
-
Hi Victor,
I have the following setup for a vuurmuur install:
internet <---> vuurmuur <---> localnet1 <router> localnet2
I've added localnet1 and 2 to the zones on lan interface. I've got the following rules as well:
any service | firewall ( any ) -> localnet1 and 2
any | localnet1 and 2 -> firewall ( any )
any | localnet1 -> localnet2
any | localnet2...
2009-05-12 12:32:52 UTC in Vuurmuur
-
Hi Victor,
The problem ended up being a networking problem somewhere along the route. It's working fine today!
Thanks for your help
Robby.
2009-05-12 12:20:08 UTC in Vuurmuur
-
Ok, I redid the rules/services for 'ipsec' and the traffic appears to be going out now for option no. 2. I was also surprised there was no return traffic, so did some checks with traceroute and it appears there is a problem in transit (the traceroute stops some hops before the target). I may have been chasing my tail but will check on the link a little later on.
Regards and thanks for your...
2009-05-11 13:17:12 UTC in Vuurmuur
-
This is VPN pass-through, in other words ...
Regards, Robby.
2009-05-11 13:14:48 UTC in Vuurmuur