Hi,
I have an edge box with latest edge snapshot with shorewall installed.
Once logged remotely via ssh I've set up and started Shorewall with the
following rule:
ACCEPT all fw tcp 22
After that, I'm no longer able to establish new ssh connections from any
IP address.
Thinking of a Shorewall issue (hoping to see AWall soon! Thanks kunkku!)
I did "shorewall clear", and I was able to log in via ssh again.
So, instead of Shorewall, I've set up plain iptables rules:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -d $MYIP -p tcp --dport 22 -j ACCEPT
I didn't change the default INPUT policy (ACCEPT). After that, again, I
wasn't able to log in via ssh anymore.
Anybody noticed the same issue, or am I missing something obvious?
Thanks
- leonardo
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
On Fri, 13 Apr 2012 08:53:36 +0200
Leonardo <rnalrd@gmail.com> wrote:
> Hi,
>
> I have an edge box with latest edge snapshot with shorewall installed.
> Once logged remotely via ssh I've set up and started Shorewall with the
> following rule:
>
> ACCEPT all fw tcp 22
>
> After that, I'm no longer able to establish new ssh connections from
> any IP address.
>
> Thinking of a Shorewall issue (hoping to see AWall soon! Thanks
> kunkku!) I did "shorewall clear", and I was able to log in via ssh
> again.
>
> So, instead of Shorewall, I've set up plain iptables rules:
>
> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -I INPUT -d $MYIP -p tcp --dport 22 -j ACCEPT
>
> I didn't change the default INPUT policy (ACCEPT). After that, again,
> I wasn't able to log in via ssh anymore.
>
> Anybody noticed the same issue, or am I missing something obvious?
Did you add the interface to any zone?
-nc
---
---
On Fri, Apr 13, 2012 at 10:15 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
> On Fri, 13 Apr 2012 08:53:36 +0200
>> Anybody noticed the same issue, or am I missing something obvious?
>
> Did you add the interface to any zone?
Yes, of course. Zones, Interfaces and Policy are fully configured.
Doesn't look like it's a Shorewall issue, as I was able to reproduce
it with iptables only.
- leonardo
---
---
On Sat, Apr 14, 2012 at 8:22 AM, Leonardo Arena <rnalrd@gmail.com> wrote:
> On Fri, Apr 13, 2012 at 10:15 PM, Natanael Copa <ncopa@alpinelinux.org> wrote:
>> On Fri, 13 Apr 2012 08:53:36 +0200
>>> Anybody noticed the same issue, or am I missing something obvious?
>>
>> Did you add the interface to any zone?
>
> Yes, of course. Zones, Interfaces and Policy are fully configured.
> Doesn't look like it's a Shorewall issue, as I was able to reproduce
> it with iptables only.
iptables -L E2fw -vn shows that the ACCEPT rule isn't matched (0 pkts).
I can observe the same behaviour with the following rule too:
ACCEPT inet:$MYIP fw udp 514
Incoming syslog packets aren't matched by the rule. It seems that they
are dropped early.
All dropped packets are logged via "info" but I don't see any dropped
packet in busybox syslog.
- leonardo
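Added example, not part of the thread or of Shorewall: a small POSIX shell helper that parses the listing printed by `iptables -L <chain> -vn` (the command Leonardo used to spot the 0 pkts counter) and reports which rules in the chain have never matched a packet, together with the chain's default policy. The listing embedded below is constructed for illustration, not a capture from the box in question, and the function names are my own.

```shell
#!/bin/sh
# Added example: read an `iptables -L <chain> -vn` listing and flag rules whose
# packet counter is still zero, which is the quickest way to tell whether
# traffic is even reaching a rule or is being handled earlier in the chain.

# Constructed sample in the format printed by `iptables -L INPUT -vn`
# (illustrative data only, not output from any real host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1532 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp dpt:22
  871 64520 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
'

# chain_policy LISTING
# Prints the chain's default policy (ACCEPT, DROP, ...) taken from the
# "Chain NAME (policy XXX ...)" header line.
chain_policy() {
    printf '%s\n' "$1" | awk '/^Chain / { print $4; exit }'
}

# unmatched_rules LISTING
# Prints one line per rule with a zero packet counter, as
# "<rule-number> <target> <remaining match columns>", numbering rules in
# chain order so the number can be used with `iptables -D <chain> <n>`.
unmatched_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /          { next }   # chain header line
        /^ *pkts +bytes/   { next }   # column header line
        NF >= 3 {
            n++
            if ($1 == 0) {
                rest = ""
                for (i = 4; i <= NF; i++) rest = rest " " $i
                printf "%d %s%s\n", n, $3, rest
            }
        }'
}

# Stand-alone run on the constructed sample; on a live box you would feed it
#   unmatched_rules "$(iptables -L INPUT -vn)"
echo "policy: $(chain_policy "$SAMPLE_LISTING")"
echo "rules that have matched nothing:"
unmatched_rules "$SAMPLE_LISTING"
```

A rule that shows 0 pkts while connections are clearly arriving means an earlier rule or a different chain is taking the packets, so the next place to look is `iptables -L -vn` over all chains (and `iptables -t raw -L -vn` / `iptables -t mangle -L -vn`, which are traversed before filter) rather than the rule itself.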
---
---