Hi All,

Ran across a weird one today that I can't wrap my head around.

This is a pretty standard two-NIC setup with eth0 being the WAN and eth1 being LAN-side. A workstation on the LAN side (10.0.50.144 assigned by DHCP) cannot go to a particular website at 161.184.172.35. This workstation can surf to any other website I can think of, and pings to the troublesome website return the proper IP address. Shorewall rejects requests to go to that website under the all2all policy:

Jan 31 12:37:15 d205-206-104-186 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144 DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

I've attached my status file gzipped as indicated.

I didn't build this box so "totally out there" postulations are welcome and I will investigate them all.

Thanks!

Jon

-- 
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837
"Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
jon wrote:
> Hi All,
>
> Ran across a weird one today that I can't wrap my head around.
>
> This is a pretty standard two-NIC setup with eth0 being the WAN and eth1
> being LAN-side. A workstation on the LAN side (10.0.50.144 assigned by
> DHCP) cannot go to a particular website at 161.184.172.35. This
> workstation can surf to any other website I can think of, and pings to
> the troublesome website return the proper IP address. Shorewall rejects
> requests to go to that website under the all2all policy:
>
> Jan 31 12:37:15 d205-206-104-186 kernel:
> Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144
> DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF
> PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> I've attached my status file gzipped as indicated.
>
> I didn't build this box so "totally out there" postulations are welcome
> and I will investigate them all.
>

The destination host (161.184.172.35) is defined to be in the 'admin' zone and loc->admin connections are disallowed by your configuration.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> ...
>> Jan 31 12:37:15 d205-206-104-186 kernel:
>> Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144
>> DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF
>> PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>> ...
> The destination host (161.184.172.35) is defined to be in the 'admin'
> zone and loc->admin connections are disallowed by your configuration.

That's my cue to pop up and recommend that people explicitly define every zone combination in their policy file so that sensible log messages result:

http://linuxman.wikispaces.com/PPPPPPS#tocPPPPPPS3

-- 
Paul <http://paulgear.webhop.net>
--
Did you know? Some on-line music services encourage you to share your music with your friends legally. Find out more about ethical digital music distribution: http://magnatune.com/info/whynotevil
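Paul's recommendation above (explicit zone-pair policies make the log line name the real zones instead of all2all) can also be applied on the log-triage side. As an added example, not code from this thread or from Shorewall itself, this Python parses Shorewall kernel-log lines in the format Jon posted and flags denies that fell through to a catch-all policy; the second and third sample lines are constructed for illustration and the chain-name split on the first "2" is an assumption about the <src>2<dst> naming.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: line 1 is the reject Jon posted; line 2 is the same
# connection as it would be logged once an explicit loc->admin policy with logging
# exists (chain becomes loc2admin); line 3 is an unrelated inbound DROP using
# documentation addresses, for contrast.
SAMPLE_LOG = """\
Jan 31 12:37:15 d205-206-104-186 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144 DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57267 DF PROTO=TCP SPT=4067 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 31 12:40:02 d205-206-104-186 kernel: Shorewall:loc2admin:REJECT:IN=eth1 OUT=eth0 SRC=10.0.50.144 DST=161.184.172.35 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57301 DF PROTO=TCP SPT=4070 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 31 12:41:10 d205-206-104-186 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Prefix is "Shorewall:<chain>:<verdict>:" followed by netfilter KEY=VALUE fields;
# bare flags such as DF and SYN carry no '=' and are skipped.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'chain', 'verdict', plus the KEY=VALUE fields}, or None if the
    line is not a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["chain"], ev["verdict"] = m.group("chain"), m.group("verdict")
    return ev


def zone_pair(chain: str):
    """Policy chains are named <src>2<dst> (assumed); a zone name containing '2' would confuse this."""
    src, _, dst = chain.partition("2")
    return src, dst


def triage(log_text: str) -> List[Dict[str, object]]:
    """Summarise REJECT/DROP events and flag those that hit a catch-all policy
    ('all' on either side), where the log cannot say which zone pair was denied."""
    rows = []
    for line in log_text.splitlines():
        ev = parse_shorewall_line(line)
        if ev is None or ev["verdict"] not in ("REJECT", "DROP"):
            continue
        src_zone, dst_zone = zone_pair(ev["chain"])
        rows.append({
            "chain": ev["chain"], "verdict": ev["verdict"],
            "src_zone": src_zone, "dst_zone": dst_zone,
            "src": ev.get("SRC"), "dst": ev.get("DST"),
            "proto": ev.get("PROTO"), "dpt": ev.get("DPT"),
            "catch_all": "all" in (src_zone, dst_zone),
        })
    return rows
```

A row with catch_all set is the signal to add an explicit policy entry (and log level) for that zone pair, after which the same event shows up under a named chain such as loc2admin.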