<div dir="ltr">Hi Noel,<div><br></div><div>Thank you for the quick response.</div><div><br></div>
<div>There are two hosts, namely 192.168.1.6 and 192.168.1.8.<br></div><div><br></div>
<div>Here is what I want to do:<br></div><div>1. Block all traffic over TCP from 192.168.1.6 to TCP port 9100 on 192.168.1.8</div><div>2. Drop the rest of the traffic between these two systems.</div><div><br></div>
<div>Sorry for not having the correct parameters. Please find the correct ones below.</div><div><br></div>
<div><div>conn allow-9100<br></div></div><div><div><span class="" style="white-space:pre"> </span>leftsubnet=192.168.1.6[6/%any]</div><div><span class="" style="white-space:pre"> </span>rightsubnet=192.168.1.8[6/9100]</div><div><span class="" style="white-space:pre"> </span>leftfirewall=yes</div><div><span class="" style="white-space:pre"> </span>type=passthrough</div><div> auto=route</div></div>
<div><div><div><br></div><div>conn drop-rest</div><div><span class="" style="white-space:pre"> </span>leftsubnet=192.168.1.6</div><div><span class="" style="white-space:pre"> </span>rightsubnet=192.168.1.8</div><div><span class="" style="white-space:pre"> </span>leftfirewall=yes</div><div><span class="" style="white-space:pre"> </span>type=drop</div><div> auto=route</div></div></div><div><br></div>
<div>Is it possible to achieve the above-mentioned items 1 and 2? With the above settings, I was expecting connections to port 9100 would be allowed and the rest dropped. What I observe is that all traffic, including 9100, is dropped.
Is there some priority that we can set?<br></div><div><br></div><div>Thanks</div><div>Mahendra</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 16, 2016 at 11:23 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 16.02.2016 13:43, Mahendra SP wrote:<br>
> conn allow-9100<br>
> leftsubnet=192.168.1.6[6/%any]<br>
> rightsubnet=192.168.1.8[6/9100]<br>
> leftfirewall=yes<br>
> type=allow<br>
> auto=route<br>
"allow" is not a valid setting for "type".<br>
<br>
<br>
> conn drop-rest<br>
> leftsubnet=192.168.1.6<br>
> rightsubnet=192.168.1.8<br>
> leftfirewall=yes<br>
> type=passthrough<br>
> auto=route<br>
What's the purpose of that? It just tells XFRM to not do any processing on<br>
packets that match those left- and rightsubnet settings.<br>
<br>
When I look at all your settings, they seem to contradict each other.<br>
Please do a minimal setup. I think the error is in your overlapping subnets<br>
with all those different types.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</font></span></blockquote></div><br></div>
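As an added illustration (not part of the thread above), a small Python model of how the kernel's XFRM policy lookup chooses between two overlapping policies such as allow-9100 and drop-rest: the matching policy with the numerically lower priority value wins, so whether TCP/9100 is passed or dropped depends entirely on the relative priorities the installing daemon assigns. The priority numbers, the selector matching and the tie-breaking by list order are assumptions made for this example; they are not strongSwan's own priority arithmetic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One XFRM-style policy entry (constructed model, not strongSwan's struct)."""
    name: str
    action: str        # "passthrough" (bypass IPsec) or "drop"
    src: str           # source selector as CIDR
    dst: str           # destination selector as CIDR
    proto: int = 0     # IP protocol number, 0 = any
    dport: int = 0     # destination port, 0 = any
    priority: int = 0  # lower value = consulted earlier, as in XFRM

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (0, proto)
                and self.dport in (0, dport))


def lookup(policies, src, dst, proto, dport):
    """Return the action of the first matching policy in ascending priority.
    The sort is stable, so policies with EQUAL priority keep list order:
    that models an outcome that depends on installation order, not intent."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(src, dst, proto, dport):
            return p.action
    return "no-policy"


def scenario(allow_prio, drop_prio):
    """Install the two policies from the thread with the given priorities and
    probe three flows between 192.168.1.6 and 192.168.1.8."""
    policies = [
        Policy("drop-rest", "drop", "192.168.1.6/32", "192.168.1.8/32",
               priority=drop_prio),
        Policy("allow-9100", "passthrough", "192.168.1.6/32", "192.168.1.8/32",
               proto=6, dport=9100, priority=allow_prio),
    ]
    return {
        "tcp/9100": lookup(policies, "192.168.1.6", "192.168.1.8", 6, 9100),
        "tcp/22":   lookup(policies, "192.168.1.6", "192.168.1.8", 6, 22),
        "udp/9100": lookup(policies, "192.168.1.6", "192.168.1.8", 17, 9100),
    }


if __name__ == "__main__":
    print("equal priorities:", scenario(100, 100))  # everything dropped
    print("passthrough wins:", scenario(50, 100))   # only tcp/9100 passes
```

Checking what the kernel actually installed is the quickest way to see which case applies on a real host; `ip xfrm policy` lists each policy together with its priority value.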