Hello,

I'm currently running shorewall in a bridged/routed setup. I have 4 NICs, two are bridged (my DMZ) and grab public IPs from my ISP, and the other two are NAT'd. There is an IP address on top of the bridge group that allows the other two NICs to NAT.

I'm having issues with SNMP on the bridge group... I can walk my MIB tree from my LAN on the internal interface, but when I try to do so from my DMZ, the shorewall doesn't respond.

I ran tcpdump and I can see the packets, but my Shorewall log file doesn't show any activity.

Here's my current configs:

homerouter ~ # uname -a
Linux homerouter 2.6.17-gentoo-r4 #10 Fri Aug 25 20:29:48 EDT 2006 i686 Pentium III (Katmai) GNU/Linux

# cat /etc/shorewall/zones
###############################################################################
#ZONE   TYPE            OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw      firewall
dmz     ipv4
net     ipv4
wired   ipv4
wirel   ipv4
vpn     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

# cat /etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
wired   all     ACCEPT
dmz     net     ACCEPT
wirel   net     ACCEPT
vpn     all     ACCEPT
net     all     DROP    ULOG
all     all     REJECT  ULOG
#LAST LINE -- DO NOT REMOVE

# cat /etc/shorewall/rules
#############################################################################################################
#ACTION     SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
#                                                   PORT    PORT(S) DEST        LIMIT   GROUP
ACCEPT      net     fw                      tcp     222
SSH/ACCEPT  net     dmz
ACCEPT      net     fw                      tcp     1723
ACCEPT      net     dmz                     tcp     443
#ACCEPT     net     dmz                     icmp
ACCEPT      fw      dmz                     icmp
ACCEPT      dmz     fw                      udp     161
ACCEPT      net     fw                      icmp
### Ryan's Bit Torrent ###
DNAT        net     wired:192.168.250.11    tcp     55999
DNAT        net     wired:192.168.250.11    udp     55999

homerouter ~ # cat /etc/snmp/snmpd.conf
com2sec local 127.0.0.1/32 public
com2sec local <IP OF CACTI BOX>/32 public
group MyROGroup v1 local
group MyROGroup v2c local
group MyROGroup usm local
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation MyLocation
syscontact Me <me@somewhere.org>
agentaddress
Ryan Holt wrote:
> I'm having issues with SNMP on the bridge group... I can walk my MIB tree
> from my LAN on the internal interface, but when I try to do so from my DMZ,
> the shorewall doesn't respond.
>
> I ran tcpdump and I can see the packets, but my Shorewall log file doesn't
> show any activity.
>
> Here's my current configs:

Ryan,

We much prefer the output of "shorewall dump" rather than your configuration files. Please see http://www.shorewall.net/support.htm.

With tcpdump, use the -e option -- what is the destination MAC address? Is it the MAC address of your Shorewall box's bridge or some other address?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom,

I've uploaded my shorewall dump here: http://www.vshack.net/dump.shorewall

I got this error in my console after I ran shorewall dump...

RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated
RTNETLINK answers: Invalid argument
Dump terminated

Here's the results of my tcpdump:

homerouter ~ # tcpdump -evi br0 dst port 161
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
11:15:17.901110 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:18.909178 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:19.919041 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:20.928902 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:21.938772 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:22.948642 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }

The destination MAC address is that of my bridge group, br0:

homerouter ~ # ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:10:4B:2B:72:D4
          inet addr:68.71.244.122  Bcast:68.71.245.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9628111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8519424 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3330822080 (3176.5 Mb)  TX bytes:3926961270 (3745.0 Mb)

On 8/27/06, Ryan Holt <carpenike@gmail.com> wrote:
> Tom,
>
> Attached is my shorewall dump. At the end of running shorewall dump I get
> the following errors on my console:
>
> RTNETLINK answers: Invalid argument
> Dump terminated
>
> Thanks very much for your help.
>
> On 8/27/06, Tom Eastep <teastep@shorewall.net> wrote:
> > We much prefer the output of "shorewall dump" rather than your configuration
> > files. Please see http://www.shorewall.net/support.htm.
> >
> > With tcpdump, use the -e option -- what is the destination MAC address? Is it
> > the MAC address of your Shorewall box's bridge or some other address?
> >
> > -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Ryan Holt wrote:
> Tom,
>
> I've uploaded my shorewall dump here: http://www.vshack.net/dump.shorewall
>
> Here's the results of my tcpdump:
>
> homerouter ~ # tcpdump -evi br0 dst port 161
> tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
> 11:15:17.901110 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 68) mtairy-motorola1-68-71-249-2.chvlva.adelphia.net.32769 > mtairy-motorola1-68-71-244-122.chvlva.adelphia.net.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
>
> The destination MAC address is that of my bridge group, br0:

I don't see 00:10:4B:2B:72:D4 (the MAC of your br0) anywhere in that tcpdump output! I suspect that 00:30:b8:c8:56:01 is actually the MAC address of your upstream router (the MAC address indicates that it is made by RiverDelta Networks) and that your DMZ system (68.71.249.2) is trying to forward the traffic through that router.

> homerouter ~ # ifconfig br0
> br0       Link encap:Ethernet  HWaddr 00:10:4B:2B:72:D4
>           inet addr:68.71.244.122  Bcast:68.71.245.255  Mask:255.255.254.0

So I suspect that the systems in your DMZ need a route added to 68.71.244.122.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
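The check Tom walks through above (capture with `tcpdump -e`, then compare each frame's destination MAC with the bridge's own HWaddr) can be automated. The following Python is an added example, not code from the thread or from Shorewall; it assumes the `tcpdump -e` and `ifconfig` output formats shown in the thread, and its sample input is constructed from those outputs with one extra frame invented to show a correctly addressed request.

```python
"""Check whether frames captured on a bridge are addressed to the bridge host.

Added example (not from the thread or from Shorewall). A unicast frame whose
destination MAC is not the bridge's own is transit traffic the bridge merely
forwards: it never enters the firewall host's INPUT path, snmpd never sees it,
and a dmz->net ACCEPT policy logs nothing, which is exactly the silence in the
Shorewall log described in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# Start of a `tcpdump -e` frame line: timestamp, src MAC, optional "(oui ...)",
# ">", dst MAC. Everything after the Ethernet header is ignored here.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    rf"(?P<src>{MAC})\s+(?:\(oui [^)]*\)\s+)?>\s+(?P<dst>{MAC})",
    re.IGNORECASE,
)
HWADDR_RE = re.compile(rf"HWaddr\s+{MAC}", re.IGNORECASE)


@dataclass(frozen=True)
class Frame:
    timestamp: str
    src_mac: str
    dst_mac: str


def parse_hwaddr(ifconfig_output: str) -> str:
    """Return the interface MAC from `ifconfig <iface>` output, lower-cased."""
    m = HWADDR_RE.search(ifconfig_output)
    if m is None:
        raise ValueError("no HWaddr field found in ifconfig output")
    return m.group(1).lower()


def parse_frames(tcpdump_output: str) -> list[Frame]:
    """Extract timestamp and MAC pair from every frame line of `tcpdump -e`.
    The 'listening on' banner and wrapped continuation lines do not match
    the frame pattern and are skipped."""
    frames = []
    for line in tcpdump_output.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(m["ts"], m["src"].lower(), m["dst"].lower()))
    return frames


def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast MACs (I/G bit of the first octet set);
    those are delivered to every host on the segment, the bridge included."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def classify(frames: list[Frame], local_mac: str) -> dict:
    """Bucket frames by how the bridge host handles them at layer 2.
    local   -> unicast to our MAC: enters INPUT, so snmpd and the fw-zone
               rules (e.g. `ACCEPT dmz fw udp 161`) get to see it.
    group   -> broadcast/multicast: also delivered locally.
    transit -> unicast to another MAC: bridged/forwarded only; counted per
               next-hop MAC so a single wrong gateway stands out."""
    local_mac = local_mac.lower()
    result = {"local": 0, "group": 0, "transit": Counter()}
    for f in frames:
        if f.dst_mac == local_mac:
            result["local"] += 1
        elif is_group_address(f.dst_mac):
            result["group"] += 1
        else:
            result["transit"][f.dst_mac] += 1
    return result


# Constructed sample input modelled on the thread: the br0 HWaddr and two of
# the captured SNMP frames (addressed to the upstream router's MAC), plus a
# third frame we invented to show what a correctly addressed request looks like.
IFCONFIG_BR0 = """\
br0       Link encap:Ethernet  HWaddr 00:10:4B:2B:72:D4
          inet addr:68.71.244.122  Bcast:68.71.245.255  Mask:255.255.254.0
"""
TCPDUMP_BR0 = """\
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 68 bytes
11:15:17.901110 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: 68.71.249.2.32769 > 68.71.244.122.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:18.909178 00:14:85:0a:2b:a1 (oui Unknown) > 00:30:b8:c8:56:01 (oui Unknown), ethertype IPv4 (0x0800), length 82: 68.71.249.2.32769 > 68.71.244.122.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
11:15:19.919041 00:14:85:0a:2b:a1 (oui Unknown) > 00:10:4b:2b:72:d4 (oui Unknown), ethertype IPv4 (0x0800), length 82: 68.71.249.2.32769 > 68.71.244.122.snmp: { SNMPv1 { GetNextRequest(25) R=317285432 [|snmp] } }
"""

if __name__ == "__main__":
    mac = parse_hwaddr(IFCONFIG_BR0)
    print(classify(parse_frames(TCPDUMP_BR0), mac))
```

On the real box, pipe `tcpdump -evi br0 dst port 161` into `parse_frames` and `ifconfig br0` into `parse_hwaddr`; a non-empty `transit` counter naming one MAC is the signature of a DMZ host sending to the wrong gateway.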
Thank you so much! That fixed the problem! I just added routes for:

-net 68.71.0.0 netmask 255.255.0.0 dev eth0

To the machine and it'll route out the interface.

On 8/27/06, Tom Eastep <teastep@shorewall.net> wrote:
> I don't see 00:10:4B:2B:72:D4 (the MAC of your br0) anywhere in that tcpdump
> output! I suspect that 00:30:b8:c8:56:01 is actually the MAC address of your
> upstream router (the MAC address indicates that it is made by RiverDelta
> Networks) and that your DMZ system (68.71.249.2) is trying to forward the
> traffic through that router.
>
> So I suspect that the systems in your DMZ need a route added to 68.71.244.122.
>
> -Tom