From: Vieri Di P. <vie...@ya...> - 2017-07-04 10:27:49
________________________________
From: Tom Eastep <te...@sh...>
>
> Doesn't look to me as though any of those rules would match the pings
> that don't work. And there are packets being silently dropped because
> you have not specified any logging for your loc->net* policies.
I had these rules when I did that dump:
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net1:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net2:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net3:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net4:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:172.16.0.1 $FW all
ACCEPT loc:172.16.0.1 net1 all
ACCEPT loc:172.16.0.1 net2 all
ACCEPT loc:172.16.0.1 net3 all
If I take into consideration just the first failing ping (from host with IP addr. 172.16.0.1), I was expecting it to work because of this in all loc-net* chains:
ACCEPT all -- * * 172.16.0.1 0.0.0.0/0
In any case, in order to avoid confusion, and get more debugging information I followed your suggestion:
# grep ^loc /SAMBA/gateway_extra/policy.FHM
loc net1 DROP info
loc net2 DROP info
loc net3 DROP info
loc net4 DROP info
loc dmz DROP info
loc $FW DROP info
loc all DROP info
I also added this rule at the very top of the rules file in order to make sure I get a theoretical match:
ACCEPT:info loc:172.16.0.1,10.215.144.92,10.215.144.7 net1,net2,net3.net4 all
I restarted/reset shorewall, but the ping tests still fail. I'm unable to find anything useful in /var/log.
I can still confirm that a tcpdump on the "loc" interface shows ICMP requests coming in, but no replies.
I'm attaching another dump taken while performing a ping to 8.8.8.8 from two hosts in the "loc" zone with IP addresses 172.16.0.1 and 10.215.144.7.
Note that I'm posting 2 consecutive messages to this list so I can get past the message size limit. You just need to do this to get the full dump:
# cat xaa xab > swdump.gz
Finally, since I'm a bit desperate now... ;-) I'm also attaching a quick "diff" of most of the shorewall config files between shorewall host "a" that's "working OK" and shorewall host "b" that's failing.
Host a is running:
Linux 4.8.17-hardened-r2
shorewall version 5.0.15.6
Host b is running:
Linux 4.9.16-gentoo
shorewall version 5.1.4.4
shorewall.conf is mostly default, except for the LOG path and the dynamic blacklist.
Vieri
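Added example, not code from this thread or from Shorewall itself: a small lint over Shorewall policy and rules lines that flags the two things discussed above, DROP/REJECT policies with no log level (the reason dropped packets leave nothing in /var/log) and SOURCE/DEST zone tokens that are not a declared zone (the top rule quoted above contains net3.net4). The set of known zones is an assumption taken from the zone names in the policy grep, and the sample lines are constructed, not the poster's full files.

```python
# Assumed zone list, taken from the zone names visible in the policy grep above.
KNOWN_ZONES = {"loc", "net1", "net2", "net3", "net4", "dmz", "$FW"}

# Constructed sample input modelled on the thread: one loc->net policy has no
# LOGLEVEL column, and the first rule carries a dotted zone token.
POLICY = """\
loc net1 DROP info
loc net2 DROP
loc dmz DROP info
loc $FW DROP info
loc all DROP info
"""
RULES = """\
ACCEPT:info loc:172.16.0.1,10.215.144.92,10.215.144.7 net1,net2,net3.net4 all
ACCEPT loc:172.16.0.1 $FW all
ACCEPT loc:172.16.0.1 net1 all
"""

def _entries(text):
    """Yield (line_no, columns) for lines that are not blank, comments or ?directives."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith(("#", "?")):
            yield n, s.split()

def unlogged_drop_policies(policy_text):
    """Return (source, dest) for DROP/REJECT policies whose LOGLEVEL column is missing."""
    found = []
    for _, cols in _entries(policy_text):
        if len(cols) == 3 and cols[2].upper() in ("DROP", "REJECT"):
            found.append((cols[0], cols[1]))
    return found

def _zone_names(column):
    """'loc:10.0.0.1,10.0.0.2' -> ['loc']; text after ':' is a host list, not a zone."""
    return column.split(":", 1)[0].split(",")

def unknown_zones(rules_text, known=KNOWN_ZONES):
    """Return (line_no, token) for SOURCE/DEST zone tokens that are neither declared nor 'all'."""
    bad = []
    for n, cols in _entries(rules_text):
        for column in cols[1:3]:  # SOURCE and DEST columns of a rules line
            for zone in _zone_names(column):
                if zone != "all" and zone not in known:
                    bad.append((n, zone))
    return bad

if __name__ == "__main__":
    print("policies without log level:", unlogged_drop_policies(POLICY))
    print("undeclared zone tokens:", unknown_zones(RULES))
```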