thr3ads.net - Shorewall users - Logfile entry query [Nov 2004]

If this information is useful, please help other people find it:
Share via:

Dave Green

2004-Nov-25 01:59 UTC

Logfile entry query

Hi,

I get frequent logfile entries from Shorewall similar to the following:

Nov 25 11:22:51 10.0.0.248 kernel: Shorewall:net2mill:DROP:IN=eth2 
OUT=eth0 SRC=202.96.117.50 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 
TTL=241 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 
DST=202.101.167.133 LEN=48 TOS=0x00 PREC=0x00 TTL=1
ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]

Could someone explain what the part in square brackets is referring to ?

Thanks,

Dave

--------
CAUTION:
This message and any attachments contain privileged and confidential
information.  If you are not the intended recipient of this message, you
are hereby notified that any use, dissemination, distribution or
reproduction of this message is prohibited. If you have received this
message in error please notify the sender immediately via email and then
destroy this message and any attachments.

Any views expressed in this message are those of the individual sender
and may not necessarily reflect the views of Winstone Pulp International
Ltd.

Tom Eastep

2004-Nov-25 02:01 UTC

head link

Re: Logfile entry query

On Thu, 2004-11-25 at 14:59 +1300, Dave Green wrote:> Hi,
> 
> I get frequent logfile entries from Shorewall similar to the following:
> 
> Nov 25 11:22:51 10.0.0.248 kernel: Shorewall:net2mill:DROP:IN=eth2 
> OUT=eth0 SRC=202.96.117.50 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 
> TTL=241 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 
> DST=202.101.167.133 LEN=48 TOS=0x00 PREC=0x00 TTL=1
> ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
> 
> Could someone explain what the part in square brackets is referring to ?
Yes, I can.

But before I do, I would like you to first look at Shorewall FAQ 21.

-Tom 
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dave Green

2004-Nov-25 03:20 UTC

head link

Re: Logfile entry query

Tom Eastep wrote:
>On Thu, 2004-11-25 at 14:59 +1300, Dave Green wrote:
>  
>
>>Hi,
>>
>>I get frequent logfile entries from Shorewall similar to the following:
>>
>>Nov 25 11:22:51 10.0.0.248 kernel: Shorewall:net2mill:DROP:IN=eth2 
>>OUT=eth0 SRC=202.96.117.50 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 
>>TTL=241 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 
>>DST=202.101.167.133 LEN=48 TOS=0x00 PREC=0x00 TTL=1
>>ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
>>
>>Could someone explain what the part in square brackets is referring to ?
>>    
>>
>
>Yes, I can.
>
>But before I do, I would like you to first look at Shorewall FAQ 21.
>
>-Tom 
>  
>Ok, thanks for the pointer, apologies for not scanning through there to 
begin with. After reading the faq I checked icmp type=11 and now 
understand what the bracketed fragment is referring to. I don''t 
understand why the packet is being dropped though as I have an accept 
line for incoming traffic to host 10.0.0.10 for all protocols as my 
first rule. My configs are listed below.

Thanks,

Dave

zones:
#
# Shorewall 1.4 /etc/shorewall/zones
#
#ZONE   DISPLAY         COMMENTS
mill    Mill    Mill Lan
ctrl    Ctrl    Mill Controls Lan
net     Net             Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

interfaces:
#
# Shorewall 1.4 -- Interfaces File
#
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
mill    eth0    detect
ctrl    eth1    detect
net     eth2    detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


policy:
#
# Shorewall 1.4 -- Policy File
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
#
#
net     mill    DROP    info
mill    net     ACCEPT  -
ctrl    mill    ACCEPT  -
mill    $FW     ACCEPT  -
mill    ctrl    DROP    info
$FW     mill    ACCEPT  -
ctrl    $FW     ACCEPT  -
$FW     ctrl    ACCEPT  -
$FW     net     ACCEPT  -
net     $FW     DROP    info
net     ctrl    DROP    info
all     all     DROP    -
#LAST LINE -- DO NOT REMOVE

rules:
#
# Shorewall version 1.4 - Rules File
#
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
RATE            USER
#                                               PORT    PORT(S)    DEST
LIMIT
ACCEPT  net     mill:10.0.0.10,10.0.0.1 all     -       -
ACCEPT  mill    ctrl:10.1.0.202,10.1.0.208      tcp     139,1000:5000   -
ACCEPT  mill    ctrl:10.1.0.203 tcp     135,1028:1200   -
ACCEPT  mill    ctrl:10.1.0.204 tcp     135,1028        -
ACCEPT  mill:10.0.0.10,10.0.1.30,10.0.0.99      net     tcp     25      -
DROP:info       mill    net     tcp     25      -
ACCEPT  mill    ctrl:10.1.0.205 all     -       -
ACCEPT  mill:10.0.0.253,10.0.0.99,10.0.1.33,10.0.0.63   ctrl:10.1.0.216 tcp
80      -
DROP    ctrl    all     tcp     67      -
DROP    ctrl    all     tcp     68      -
DROP    ctrl    all     udp     67      -
DROP    ctrl    all     udp     68      -
ACCEPT  net     ctrl:10.1.1.193 tcp     xx    -
ACCEPT  net     ctrl:10.1.1.193 udp     xxx    -
ACCEPT  net     ctrl:10.1.1.71  tcp     xxx    -
ACCEPT  net     ctrl:10.1.1.71  udp     xxx    -
ACCEPT  net     mill:10.0.0.99  tcp     xxx   -
ACCEPT  net     mill:10.0.0.99  udp     xx     -
ACCEPT  net:10.200.0.5,10.200.0.2       mill    all     -       -
DROP    net     mill:10.0.0.99  all     -       -
ACCEPT  ctrl    
net:132.163.4.101,132.163.135.130,132.163.4.103,132.163.4.102
all     -       -
ACCEPT  ctrl:10.1.0.219 net:202.135.231.23      all     -       -
ACCEPT  mill:10.0.1.25  ctrl:10.1.0.215 all     -       -
ACCEPT  mill:10.0.0.253 ctrl    tcp     23,80   -
ACCEPT  mill:10.0.0.99  ctrl    udp     123     -
ACCEPT  mill:10.0.0.253,10.0.0.10       ctrl:10.1.0.203 tcp     -       -
ACCEPT  mill    ctrl    icmp    -       -
ACCEPT  ctrl    mill    icmp    -       -
ACCEPT  mill:10.0.0.99  net     all     -       -
REJECT  mill    net:219.88.108.94       all     -       -
DROP:info       all     net     tcp     4661:4665       -
DROP:info       all     net     udp     4661:4665       -
DROP:info       all     net     tcp     1214    -
DROP:info       all     net     udp     1214    -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE



--------
CAUTION:
This message and any attachments contain privileged and confidential
information.  If you are not the intended recipient of this message, you
are hereby notified that any use, dissemination, distribution or
reproduction of this message is prohibited. If you have received this
message in error please notify the sender immediately via email and then
destroy this message and any attachments.

Any views expressed in this message are those of the individual sender
and may not necessarily reflect the views of Winstone Pulp International
Ltd.

Tom Eastep

2004-Nov-25 03:52 UTC

head link

Re: Logfile entry query

On Thu, 2004-11-25 at 16:20 +1300, Dave Green wrote:> Tom Eastep wrote:
> 
> >On Thu, 2004-11-25 at 14:59 +1300, Dave Green wrote:
> >  
> Ok, thanks for the pointer, apologies for not scanning through there to 
> begin with. After reading the faq I checked icmp type=11 and now 
> understand what the bracketed fragment is referring to. I don''t 
> understand why the packet is being dropped though as I have an accept 
> line for incoming traffic to host 10.0.0.10 for all protocols as my 
> first rule. My configs are listed below.
Dave,

Without the output of "shorewall status", I can''t tell you.
The
treatment of ICMP packets in the INVALID state changed sometime between
1.4.0 and now (you can look it up in the news archives) and I think that
change may apply to your problem (e.g., if you upgrade the messages go
away) but that is only a guess. Note that the Shorewall version is the
FIRST thing in the list of information that I ask for in any problem
report (http://shorewall.net/support.htm).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dave Green

2004-Nov-25 19:47 UTC

head link

Re: Logfile entry query

Tom Eastep wrote:
>On Thu, 2004-11-25 at 16:20 +1300, Dave Green wrote:
>  
>
>>Tom Eastep wrote:
>>
>>    
>>
>>>On Thu, 2004-11-25 at 14:59 +1300, Dave Green wrote:
>>> 
>>>      
>>>
>
>  
>
>>Ok, thanks for the pointer, apologies for not scanning through there to 
>>begin with. After reading the faq I checked icmp type=11 and now 
>>understand what the bracketed fragment is referring to. I don''t
>>understand why the packet is being dropped though as I have an accept 
>>line for incoming traffic to host 10.0.0.10 for all protocols as my 
>>first rule. My configs are listed below.
>>    
>>
>
>Dave,
>
>Without the output of "shorewall status", I can''t tell
you. The
>treatment of ICMP packets in the INVALID state changed sometime between
>1.4.0 and now (you can look it up in the news archives) and I think that
>change may apply to your problem (e.g., if you upgrade the messages go
>away) but that is only a guess. Note that the Shorewall version is the
>FIRST thing in the list of information that I ask for in any problem
>report (http://shorewall.net/support.htm).
>
>-Tom
>  
>Ok, here''s the output.

The firewall net interface is 10.200.0.1 and the gateway is 10.200.0.2 
which is a cisco frame relay router which does the NATing. I also have 
an ntop monitor box on this segment at 10.200.0.5


TERM environment variable not set.
Shorewall-1.4.9 Status at millgate - Fri Nov 26 08:26:21 NZDT 2004

Counters reset Wed Nov 17 08:09:58 NZDT 2004

Chain INPUT (policy DROP 1 packets, 202 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
 105K   22M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 138K   17M eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   32  1316 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
  14M 1167M eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  15M   13G eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
3180K 2044M eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   800 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
85891 6709K fw2mill    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
25767 4853K fw2ctrl    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
  171 11176 fw2net     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
  753 42510 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  706 34012 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (8 references)
 pkts bytes target     prot opt in     out     source               destination
   78  4632 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:135
   27  7698 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
 4332  191K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
   18   864 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       icmp --  *      *       0.0.0.0              0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0
  729 44247 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x10/0x10
 1288 51520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x04/0x04
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x01/0x01
    0     0 DROP       all  --  *      *       0.0.0.0/0           
10.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0           
10.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0           
10.200.255.255

Chain ctrl2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:68
  911  268K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:67
  911  299K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:68
 136K   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ctrl2mill (1 references)
 pkts bytes target     prot opt in     out     source               destination
  15M   13G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:68
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:67
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:68
  224 13440 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 6642  568K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ctrl2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 448K   74M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:68
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:67
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:68
 5080  386K ACCEPT     all  --  *      *       0.0.0.0/0           
132.163.4.101      state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0           
132.163.135.130    state NEW
 5071  385K ACCEPT     all  --  *      *       0.0.0.0/0           
132.163.4.103      state NEW
 4854  369K ACCEPT     all  --  *      *       0.0.0.0/0           
132.163.4.102      state NEW
   26  2000 ACCEPT     all  --  *      *       10.1.0.219          
202.135.231.23     state NEW
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:ctrl2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:ctrl2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:ctrl2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:ctrl2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214
  753 42510 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 249K   13M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
  11M  687M mill2ctrl  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
2695K  480M mill2net   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 101K   22M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
 105K   22M mill2fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
22650 1767K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
  15M   13G ctrl2mill  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 464K   75M ctrl2net   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 138K   17M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
 138K   17M ctrl2fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
20936 2200K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
2873K 1993M net2mill   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 307K   50M net2ctrl   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  1316 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW
   32  1316 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2ctrl (1 references)
 pkts bytes target     prot opt in     out     source               destination
25767 4853K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2mill (1 references)
 pkts bytes target     prot opt in     out     source               destination
85800 6685K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   91 24223 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   444 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:fw2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:fw2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:fw2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:fw2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214
  162 10732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain mill2ctrl (1 references)
 pkts bytes target     prot opt in     out     source               destination
  11M  685M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.202  
state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.202  
state NEW tcp dpts:1000:5000
   28  1344 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.208  
state NEW tcp dpt:139
  196  9396 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.208  
state NEW tcp dpts:1000:5000
 7028  337K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.203  
state NEW tcp dpt:135
  230 11008 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.203  
state NEW tcp dpts:1028:1200
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.204  
multiport dports 135,1028 state NEW
    2    88 ACCEPT     all  --  *      *       0.0.0.0/0            10.1.0.205  
state NEW
    0     0 ACCEPT     tcp  --  *      *       10.0.0.253           10.1.0.216  
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.0.0.99            10.1.0.216  
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.0.1.33            10.1.0.216  
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       10.0.0.63            10.1.0.216  
state NEW tcp dpt:80
    0     0 ACCEPT     all  --  *      *       10.0.1.25            10.1.0.215  
state NEW
    0     0 ACCEPT     tcp  --  *      *       10.0.0.253           0.0.0.0/0   
multiport dports 23,80 state NEW
   27  1080 ACCEPT     udp  --  *      *       10.0.0.99            0.0.0.0/0   
state NEW udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       10.0.0.253           10.1.0.203  
state NEW
    0     0 ACCEPT     tcp  --  *      *       10.0.0.10            10.1.0.203  
state NEW
 8681  729K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4350  191K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:mill2ctrl:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain mill2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3493  301K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
 101K   22M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain mill2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
2466K  469M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
 1710 82080 ACCEPT     tcp  --  *      *       10.0.0.10            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       10.0.1.30            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       10.0.0.99            0.0.0.0/0   
state NEW tcp dpt:25
    6   288 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25 LOG flags 0 level 6 prefix
`Shorewall:mill2net:DROP:''
    6   288 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
29011 1876K ACCEPT     all  --  *      *       10.0.0.99            0.0.0.0/0   
state NEW
79012 3319K reject     all  --  *      *       0.0.0.0/0            xx.xx.xx.xx 
state NEW
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:mill2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpts:4661:4665
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665 LOG flags 0 level 6 prefix
`Shorewall:mill2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpts:4661:4665
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:mill2net:DROP:''
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:1214
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214 LOG flags 0 level 6 prefix
`Shorewall:mill2net:DROP:''
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:1214
 119K 6256K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2ctrl (1 references)
 pkts bytes target     prot opt in     out     source               destination
 307K   50M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   14   672 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.193  
state NEW tcp dpt:xx
    8   240 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.193  
state NEW udp dpt:xx
   15   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.71   
state NEW tcp dpt:xx
    5   150 ACCEPT     udp  --  *      *       0.0.0.0/0            10.1.1.71   
state NEW udp dpt:xx
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2ctrl:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   32  1316 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2mill (1 references)
 pkts bytes target     prot opt in     out     source               destination
2852K 1991M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
 3324  172K ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.10   
state NEW
    4   208 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.1    
state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpt:xx
   14   748 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpt:xx
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpt:xx
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpt:xx
   28  1438 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpt:xx
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW tcp dpts:xx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpt:xx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpt:xx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpt:xx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpt:xx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpt:xx
   17   714 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW udp dpts:xx
    0     0 ACCEPT     all  --  *      *       10.200.0.5           0.0.0.0/0   
state NEW
  218 21425 ACCEPT     all  --  *      *       10.200.0.2           0.0.0.0/0   
state NEW
15323 1908K DROP       all  --  *      *       0.0.0.0/0            10.0.0.99   
state NEW
 2042 98217 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   77  4566 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2mill:DROP:''
   77  4566 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
79012 3319K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Nov 25 11:03:11 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0 SRC=218.1.5.2
DST=10.0.0.10 LEN=168 TOS=0x00 PREC=0x00 TTL=242 ID=45840 PROTO=ICMP TYPE=11
CODE=0 [SRC=10.0.0.10 DST=218.83.155.234 LEN=48 TOS=0x00 PREC=0x00 TTL=2
ID=13591 DF PROTO=TCP SPT=30815 DPT=80 WINDOW=64778 RES=0x00 SYN URGP=0 ]
Nov 25 11:06:51 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.129.94.42 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=50 ID=65221
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=61.152.188.35 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 11:08:02 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.96.117.50 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 11:16:54 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.152.83.6 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=13591 DF
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=61.152.96.55 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 11:17:36 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.152.83.6 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=13591 DF
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=61.152.96.55 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 11:20:49 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.96.117.50 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=13591 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 16:21:13 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.132.220.1 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=9465
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=27414 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 16:38:12 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.97.39.82 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=35378
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=25174 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 20:41:12 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.132.220.1 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=52761
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=218.83.155.234 LEN=48 TOS=0x00
PREC=0x00 TTL=0 ID=21012 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 20:46:02 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.132.220.1 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=44836
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=0 ID=21012 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 20:46:14 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.132.220.1 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=64826
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=61.152.188.35 LEN=48 TOS=0x00
PREC=0x00 TTL=0 ID=21012 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 21:03:13 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.132.220.1 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=15291
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=61.152.96.55 LEN=48 TOS=0x00
PREC=0x00 TTL=0 ID=21012 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 22:07:26 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.97.23.26 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=0 PROTO=ICMP
TYPE=11 CODE=0 [SRC=10.0.0.99 DST=202.101.167.133 LEN=48 TOS=0x00 PREC=0x00
TTL=1 ID=31567 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 25 22:19:43 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.129.95.126 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=52 ID=51086
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.99 DST=61.152.188.35 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=31567 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 26 00:40:58 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=61.140.0.42 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=246 ID=34588
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.99 DST=218.16.125.28 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=31567 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 26 01:01:30 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.97.39.113 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=246 ID=19268
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.99 DST=202.101.167.133 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=44812 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 26 02:06:44 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.97.39.113 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=246 ID=42251
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.99 DST=61.152.188.35 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=44812 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 26 03:55:23 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0 SRC=218.1.1.26
DST=10.0.0.99 LEN=168 TOS=0x00 PREC=0x00 TTL=240 ID=17323 PROTO=ICMP TYPE=11
CODE=0 [SRC=10.0.0.99 DST=218.83.155.170 LEN=48 TOS=0x00 PREC=0x00 TTL=1
ID=31567 DF PROTO=TCP SPT=30811 DPT=80 WINDOW=64351 RES=0x00 SYN URGP=0 ]
Nov 26 07:51:59 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.96.222.122 DST=10.0.0.99 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=0
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.99 DST=210.74.232.6 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=31567 DF PROTO=TCP INCOMPLETE [8 bytes] ]
Nov 26 08:11:41 Millgate Shorewall:net2mill:DROP:IN=eth2 OUT=eth0
SRC=202.97.39.113 DST=10.0.0.10 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=6825
PROTO=ICMP TYPE=11 CODE=0 [SRC=10.0.0.10 DST=218.16.125.28 LEN=48 TOS=0x00
PREC=0x00 TTL=1 ID=37460 DF PROTO=TCP INCOMPLETE [8 bytes] ]

NAT Table

Chain PREROUTING (policy ACCEPT 2329K packets, 247M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1014K packets, 60M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 199 packets, 38484 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 122M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination
  33M   17G pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1435K packets, 227M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 120M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 505K packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination
 112K   12M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 120M packets, 55G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
 1675  321K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
   41  2267 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2877  213K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    7   280 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
  212 10121 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
  236 17291 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
   41  2156 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
   41 43323 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

tcp      6 431958 ESTABLISHED src=10.0.0.20 dst=199.105.191.243 sport=2066
dport=80 src=199.105.191.243 dst=10.0.0.20 sport=80 dport=2066 [ASSURED] use=1
tcp      6 113 TIME_WAIT src=10.0.0.253 dst=10.0.0.248 sport=3254 dport=10000
src=10.0.0.248 dst=10.0.0.253 sport=10000 dport=3254 [ASSURED] use=1
udp      17 12 src=10.0.0.48 dst=10.0.255.255 sport=138 dport=138 [UNREPLIED]
src=10.0.255.255 dst=10.0.0.48 sport=138 dport=138 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.80 dst=10.1.0.203 sport=1105 dport=1028
src=10.1.0.203 dst=10.0.0.80 sport=1028 dport=1105 [ASSURED] use=1
tcp      6 431960 ESTABLISHED src=10.0.0.20 dst=64.233.161.104 sport=2086
dport=80 src=64.233.161.104 dst=10.0.0.20 sport=80 dport=2086 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=203.167.247.162 sport=3338 dport=80
src=203.167.247.162 dst=10.0.0.99 sport=80 dport=3338 [ASSURED] use=1
tcp      6 83 TIME_WAIT src=10.0.0.20 dst=65.205.8.33 sport=2088 dport=80
src=65.205.8.33 dst=10.0.0.20 sport=80 dport=2088 [ASSURED] use=1
tcp      6 113 TIME_WAIT src=10.0.0.253 dst=10.0.0.248 sport=3255 dport=10000
src=10.0.0.248 dst=10.0.0.253 sport=10000 dport=3255 [ASSURED] use=1
udp      17 137 src=10.0.0.10 dst=202.27.184.3 sport=1125 dport=53
src=202.27.184.3 dst=10.0.0.10 sport=53 dport=1125 [ASSURED] use=1
tcp      6 36 TIME_WAIT src=10.0.0.20 dst=206.65.183.18 sport=2058 dport=80
src=206.65.183.18 dst=10.0.0.20 sport=80 dport=2058 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3340 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3340 [ASSURED] use=1
tcp      6 18 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3350 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3350 [ASSURED] use=1
tcp      6 366282 ESTABLISHED src=10.0.0.71 dst=10.1.0.203 sport=1123 dport=1028
src=10.1.0.203 dst=10.0.0.71 sport=1028 dport=1123 [ASSURED] use=1
udp      17 14 src=10.1.0.203 dst=10.1.255.255 sport=137 dport=137 [UNREPLIED]
src=10.1.255.255 dst=10.1.0.203 sport=137 dport=137 use=1
tcp      6 431899 ESTABLISHED src=10.0.0.99 dst=168.143.175.215 sport=3309
dport=80 src=168.143.175.215 dst=10.0.0.99 sport=80 dport=3309 [ASSURED] use=1
tcp      6 431953 ESTABLISHED src=10.0.0.20 dst=210.55.6.143 sport=2070 dport=80
src=210.55.6.143 dst=10.0.0.20 sport=80 dport=2070 [ASSURED] use=1
tcp      6 431951 ESTABLISHED src=10.1.0.203 dst=10.0.0.1 sport=1221 dport=139
src=10.0.0.1 dst=10.1.0.203 sport=139 dport=1221 [ASSURED] use=1
tcp      6 189008 ESTABLISHED src=10.0.0.37 dst=216.239.57.147 sport=4374
dport=80 [UNREPLIED] src=216.239.57.147 dst=10.0.0.37 sport=80 dport=4374 use=1
tcp      6 431959 ESTABLISHED src=10.0.0.20 dst=208.184.36.131 sport=2074
dport=80 src=208.184.36.131 dst=10.0.0.20 sport=80 dport=2074 [ASSURED] use=1
tcp      6 428568 ESTABLISHED src=10.0.1.18 dst=10.1.0.208 sport=2555 dport=3000
src=10.1.0.208 dst=10.0.1.18 sport=3000 dport=2555 [ASSURED] use=1
tcp      6 41 TIME_WAIT src=10.0.1.2 dst=206.81.80.253 sport=1073 dport=80
src=206.81.80.253 dst=10.0.1.2 sport=80 dport=1073 [ASSURED] use=1
tcp      6 431951 ESTABLISHED src=10.1.0.203 dst=10.0.0.1 sport=1222 dport=139
src=10.0.0.1 dst=10.1.0.203 sport=139 dport=1222 [ASSURED] use=1
tcp      6 366281 ESTABLISHED src=10.0.1.59 dst=10.1.0.203 sport=1042 dport=1028
src=10.1.0.203 dst=10.0.1.59 sport=1028 dport=1042 [ASSURED] use=1
tcp      6 366280 ESTABLISHED src=10.0.0.88 dst=10.1.0.203 sport=1754 dport=1028
src=10.1.0.203 dst=10.0.0.88 sport=1028 dport=1754 [ASSURED] use=1
udp      17 10 src=10.0.1.59 dst=10.0.255.255 sport=138 dport=138 [UNREPLIED]
src=10.0.255.255 dst=10.0.1.59 sport=138 dport=138 use=1
tcp      6 17 TIME_WAIT src=10.0.0.99 dst=203.167.247.162 sport=3342 dport=80
src=203.167.247.162 dst=10.0.0.99 sport=80 dport=3342 [ASSURED] use=1
tcp      6 106 TIME_WAIT src=10.0.0.253 dst=219.89.116.208 sport=3253 dport=110
src=219.89.116.208 dst=10.0.0.253 sport=110 dport=3253 [ASSURED] use=1
tcp      6 79 TIME_WAIT src=10.0.0.20 dst=206.165.240.100 sport=2063 dport=80
src=206.165.240.100 dst=10.0.0.20 sport=80 dport=2063 [ASSURED] use=1
tcp      6 431953 ESTABLISHED src=10.0.0.20 dst=210.55.6.143 sport=2072 dport=80
src=210.55.6.143 dst=10.0.0.20 sport=80 dport=2072 [ASSURED] use=1
udp      17 4 src=10.1.0.212 dst=10.1.255.255 sport=138 dport=138 [UNREPLIED]
src=10.1.255.255 dst=10.1.0.212 sport=138 dport=138 use=1
tcp      6 18 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3353 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3353 [ASSURED] use=1
tcp      6 271950 ESTABLISHED src=10.0.0.99 dst=65.54.202.254 sport=2818
dport=80 [UNREPLIED] src=65.54.202.254 dst=10.0.0.99 sport=80 dport=2818 use=1
tcp      6 79 TIME_WAIT src=10.0.0.20 dst=206.165.240.100 sport=2064 dport=80
src=206.165.240.100 dst=10.0.0.20 sport=80 dport=2064 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=64.74.193.48 sport=3337 dport=80
src=64.74.193.48 dst=10.0.0.99 sport=80 dport=3337 [ASSURED] use=1
tcp      6 431953 ESTABLISHED src=10.0.0.20 dst=210.55.6.143 sport=2073 dport=80
src=210.55.6.143 dst=10.0.0.20 sport=80 dport=2073 [ASSURED] use=1
udp      17 163 src=10.1.0.203 dst=10.0.0.10 sport=137 dport=137 src=10.0.0.10
dst=10.1.0.203 sport=137 dport=137 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3344 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3344 [ASSURED] use=1
tcp      6 78 TIME_WAIT src=10.0.0.20 dst=65.205.8.33 sport=2078 dport=80
src=65.205.8.33 dst=10.0.0.20 sport=80 dport=2078 [ASSURED] use=1
tcp      6 82 TIME_WAIT src=10.0.0.20 dst=202.222.25.29 sport=2087 dport=80
src=202.222.25.29 dst=10.0.0.20 sport=80 dport=2087 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3339 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3339 [ASSURED] use=1
tcp      6 19 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3333 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3333 [ASSURED] use=1
tcp      6 428446 ESTABLISHED src=10.1.0.207 dst=10.0.0.1 sport=1025 dport=139
src=10.0.0.1 dst=10.1.0.207 sport=139 dport=1025 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.1.33 dst=10.1.0.203 sport=2632 dport=1028
src=10.1.0.203 dst=10.0.1.33 sport=1028 dport=2632 [ASSURED] use=1
tcp      6 92 TIME_WAIT src=10.0.1.33 dst=10.1.0.203 sport=2646 dport=135
src=10.1.0.203 dst=10.0.1.33 sport=135 dport=2646 [ASSURED] use=1
tcp      6 17 TIME_WAIT src=10.0.0.99 dst=203.167.247.162 sport=3346 dport=80
src=203.167.247.162 dst=10.0.0.99 sport=80 dport=3346 [ASSURED] use=1
udp      17 10 src=10.0.0.99 dst=203.97.100.254 sport=123 dport=123
src=203.97.100.254 dst=10.0.0.99 sport=123 dport=123 use=1
tcp      6 20 TIME_WAIT src=10.0.0.99 dst=203.167.247.162 sport=3334 dport=80
src=203.167.247.162 dst=10.0.0.99 sport=80 dport=3334 [ASSURED] use=1
tcp      6 21 TIME_WAIT src=10.0.0.99 dst=208.184.139.117 sport=3341 dport=80
src=208.184.139.117 dst=10.0.0.99 sport=80 dport=3341 [ASSURED] use=1
tcp      6 431968 ESTABLISHED src=10.1.0.219 dst=202.135.231.23 sport=1069
dport=10000 src=202.135.231.23 dst=10.1.0.219 sport=10000 dport=1069 [ASSURED]
use=1
tcp      6 87 TIME_WAIT src=10.0.0.20 dst=202.222.25.29 sport=2089 dport=80
src=202.222.25.29 dst=10.0.0.20 sport=80 dport=2089 [ASSURED] use=1
tcp      6 366281 ESTABLISHED src=10.0.0.80 dst=10.1.0.203 sport=4797 dport=1028
src=10.1.0.203 dst=10.0.0.80 sport=1028 dport=4797 [ASSURED] use=1
tcp      6 431954 ESTABLISHED src=10.0.0.20 dst=210.55.6.143 sport=2077 dport=80
src=210.55.6.143 dst=10.0.0.20 sport=80 dport=2077 [ASSURED] use=1
tcp      6 431958 ESTABLISHED src=10.0.0.20 dst=208.184.36.131 sport=2065
dport=80 src=208.184.36.131 dst=10.0.0.20 sport=80 dport=2065 [ASSURED] use=1
tcp      6 429910 ESTABLISHED src=10.0.0.80 dst=10.1.0.208 sport=1121 dport=3000
src=10.1.0.208 dst=10.0.0.80 sport=3000 dport=1121 [ASSURED] use=1
tcp      6 366282 ESTABLISHED src=10.0.1.18 dst=10.1.0.203 sport=1470 dport=1028
src=10.1.0.203 dst=10.0.1.18 sport=1028 dport=1470 [ASSURED] use=1
tcp      6 17 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3348 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3348 [ASSURED] use=1
tcp      6 13 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3336 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3336 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.1.59 dst=10.1.0.203 sport=4275 dport=1028
src=10.1.0.203 dst=10.0.1.59 sport=1028 dport=4275 [ASSURED] use=1
tcp      6 22 TIME_WAIT src=10.0.0.253 dst=203.96.152.6 sport=3212 dport=110
src=203.96.152.6 dst=10.0.0.253 sport=110 dport=3212 [ASSURED] use=1
tcp      6 366281 ESTABLISHED src=10.0.1.45 dst=10.1.0.203 sport=1171 dport=1028
src=10.1.0.203 dst=10.0.1.45 sport=1028 dport=1171 [ASSURED] use=1
tcp      6 13 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3327 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3327 [ASSURED] use=1
tcp      6 14 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3343 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3343 [ASSURED] use=1
tcp      6 6 TIME_WAIT src=10.0.0.99 dst=203.96.118.131 sport=3329 dport=80
src=203.96.118.131 dst=10.0.0.99 sport=80 dport=3329 [ASSURED] use=1
tcp      6 116 TIME_WAIT src=10.0.0.253 dst=10.0.0.248 sport=3265 dport=10000
src=10.0.0.248 dst=10.0.0.253 sport=10000 dport=3265 [ASSURED] use=1
tcp      6 18 TIME_WAIT src=10.0.0.99 dst=203.21.27.12 sport=3354 dport=80
src=203.21.27.12 dst=10.0.0.99 sport=80 dport=3354 [ASSURED] use=1
tcp      6 17 TIME_WAIT src=10.0.0.99 dst=203.167.247.162 sport=3349 dport=80
src=203.167.247.162 dst=10.0.0.99 sport=80 dport=3349 [ASSURED] use=1
tcp      6 79 TIME_WAIT src=10.0.0.20 dst=65.205.8.33 sport=2083 dport=80
src=65.205.8.33 dst=10.0.0.20 sport=80 dport=2083 [ASSURED] use=1
tcp      6 22 TIME_WAIT src=10.0.0.253 dst=203.96.152.6 sport=3213 dport=110
src=203.96.152.6 dst=10.0.0.253 sport=110 dport=3213 [ASSURED] use=1
tcp      6 95546 ESTABLISHED src=10.0.0.10 dst=202.37.228.50 sport=23 dport=9326
[UNREPLIED] src=202.37.228.50 dst=10.0.0.10 sport=9326 dport=23 use=1
tcp      6 76 TIME_WAIT src=10.0.0.20 dst=202.222.25.29 sport=2076 dport=80
src=202.222.25.29 dst=10.0.0.20 sport=80 dport=2076 [ASSURED] use=1
tcp      6 430700 ESTABLISHED src=10.0.1.11 dst=10.1.0.208 sport=3036 dport=3000
src=10.1.0.208 dst=10.0.1.11 sport=3000 dport=3036 [ASSURED] use=1
tcp      6 105 TIME_WAIT src=10.0.0.253 dst=10.0.0.248 sport=3250 dport=10000
src=10.0.0.248 dst=10.0.0.253 sport=10000 dport=3250 [ASSURED] use=1
tcp      6 431992 ESTABLISHED src=10.0.1.8 dst=207.46.106.53 sport=1102
dport=1863 src=207.46.106.53 dst=10.0.1.8 sport=1863 dport=1102 [ASSURED] use=1
tcp      6 18 TIME_WAIT src=10.0.0.99 dst=203.21.27.11 sport=3355 dport=80
src=203.21.27.11 dst=10.0.0.99 sport=80 dport=3355 [ASSURED] use=1
tcp      6 0 TIME_WAIT src=10.0.0.99 dst=64.74.193.48 sport=3328 dport=80
src=64.74.193.48 dst=10.0.0.99 sport=80 dport=3328 [ASSURED] use=1
udp      17 6 src=10.1.1.197 dst=132.163.4.101 sport=123 dport=123
src=132.163.4.101 dst=10.1.1.197 sport=123 dport=123 use=1
tcp      6 188925 ESTABLISHED src=10.0.0.37 dst=146.171.18.242 sport=4372
dport=80 [UNREPLIED] src=146.171.18.242 dst=10.0.0.37 sport=80 dport=4372 use=1
tcp      6 431818 ESTABLISHED src=10.0.1.33 dst=10.1.0.208 sport=2643 dport=3000
src=10.1.0.208 dst=10.0.1.33 sport=3000 dport=2643 [ASSURED] use=1
tcp      6 18 TIME_WAIT src=10.0.0.99 dst=203.167.247.164 sport=3351 dport=80
src=203.167.247.164 dst=10.0.0.99 sport=80 dport=3351 [ASSURED] use=1
tcp      6 429789 ESTABLISHED src=10.0.0.80 dst=10.1.0.208 sport=1109 dport=3000
src=10.1.0.208 dst=10.0.0.80 sport=3000 dport=1109 [ASSURED] use=1
tcp      6 431958 ESTABLISHED src=10.0.0.20 dst=208.184.36.159 sport=2069
dport=80 src=208.184.36.159 dst=10.0.0.20 sport=80 dport=2069 [ASSURED] use=1
udp      17 6 src=10.0.0.10 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED]
src=255.255.255.255 dst=10.0.0.10 sport=68 dport=67 use=1
tcp      6 431957 ESTABLISHED src=10.0.0.20 dst=210.55.6.143 sport=2082 dport=80
src=210.55.6.143 dst=10.0.0.20 sport=80 dport=2082 [ASSURED] use=1
udp      17 6 src=10.0.0.10 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED]
src=255.255.255.255 dst=10.0.0.10 sport=67 dport=68 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.88 dst=10.1.0.203 sport=1859 dport=1028
src=10.1.0.203 dst=10.0.0.88 sport=1028 dport=1859 [ASSURED] use=1
tcp      6 79 TIME_WAIT src=10.0.0.20 dst=63.211.210.221 sport=2085 dport=80
src=63.211.210.221 dst=10.0.0.20 sport=80 dport=2085 [ASSURED] use=1
tcp      6 63 TIME_WAIT src=203.97.144.162 dst=10.0.0.10 sport=2403 dport=25
src=10.0.0.10 dst=203.97.144.162 sport=25 dport=2403 [ASSURED] use=1
tcp      6 17 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3347 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3347 [ASSURED] use=1
tcp      6 432000 ESTABLISHED src=10.0.0.253 dst=10.0.0.248 sport=3269
dport=10000 src=10.0.0.248 dst=10.0.0.253 sport=10000 dport=3269 [ASSURED] use=2
tcp      6 12 TIME_WAIT src=10.0.0.99 dst=203.167.212.38 sport=3335 dport=80
src=203.167.212.38 dst=10.0.0.99 sport=80 dport=3335 [ASSURED] use=1
tcp      6 74 TIME_WAIT src=10.0.0.20 dst=65.205.8.33 sport=2071 dport=80
src=65.205.8.33 dst=10.0.0.20 sport=80 dport=2071 [ASSURED] use=1
udp      17 18 src=10.0.0.10 dst=10.0.255.255 sport=138 dport=138 [UNREPLIED]
src=10.0.255.255 dst=10.0.0.10 sport=138 dport=138 use=1
tcp      6 430772 ESTABLISHED src=10.0.1.18 dst=10.1.0.208 sport=1513 dport=3000
src=10.1.0.208 dst=10.0.1.18 sport=3000 dport=1513 [ASSURED] use=1

------------------------------------------------------------------------

Tom Eastep

2004-Nov-25 20:06 UTC

head link

Re: Logfile entry query

On Fri, 2004-11-26 at 08:47 +1300, Dave Green wrote:
> >
> Ok, here''s the output.
> 
> The firewall net interface is 10.200.0.1 and the gateway is 10.200.0.2 
> which is a cisco frame relay router which does the NATing. I also have 
> an ntop monitor box on this segment at 10.200.0.5
> Chain net2mill (1 references)
>  pkts bytes target     prot opt in     out     source              
destination
> 2852K 1991M ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          state RELATED,ESTABLISHED
>  3324  172K ACCEPT     all  --  *      *       0.0.0.0/0           
10.0.0.10          state NEW
>     4   208 ACCEPT     all  --  *      *       0.0.0.0/0           
10.0.0.1           state NEW
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>    14   748 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>    28  1438 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpts:xx
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>    17   714 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpts:xx
>     0     0 ACCEPT     all  --  *      *       10.200.0.5          
0.0.0.0/0          state NEW
>   218 21425 ACCEPT     all  --  *      *       10.200.0.2          
0.0.0.0/0          state NEW
> 15323 1908K DROP       all  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW
>  2042 98217 common     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>    77  4566 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:net2mill:DROP:''
>    77  4566 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
You will notice that most of the rules in this chain are conditional on
the state of the connection being NEW. The packet that you are seeing
logged has state INVALID. 

As I mentioned earlier, Shorewall 2.2.0 removed the ''state
NEW'' from
these rules so INVALID state ICMP packets could be accepted by rules.

Since 2.0.0, there have been additional changes in this area:
>From 2.0.3 Release Notes:
        With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
        now passed through the blacklisting chains. Without this change,
        it is not possible to blacklist hosts that are mounting certain
        types of ICMP-based DOS attacks.
        >From 2.0.6 Release Notes:
        ICMP packets that are in the INVALID state are now dropped by
        the Reject and Drop default actions. They do so using the new
        ''dropInvalid'' builtin action.

-Tom


-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dave Green

2004-Nov-25 20:24 UTC

head link

Re: Logfile entry query

Tom Eastep wrote:
>On Fri, 2004-11-26 at 08:47 +1300, Dave Green wrote:
>
>  
>
>>Ok, here''s the output.
>>
>>The firewall net interface is 10.200.0.1 and the gateway is 10.200.0.2 
>>which is a cisco frame relay router which does the NATing. I also have 
>>an ntop monitor box on this segment at 10.200.0.5
>>    
>>
>
>  
>
>>Chain net2mill (1 references)
>> pkts bytes target     prot opt in     out     source              
destination
>>2852K 1991M ACCEPT     all  --  *      *       0.0.0.0/0           
0.0.0.0/0          state RELATED,ESTABLISHED
>> 3324  172K ACCEPT     all  --  *      *       0.0.0.0/0           
10.0.0.10          state NEW
>>    4   208 ACCEPT     all  --  *      *       0.0.0.0/0           
10.0.0.1           state NEW
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>>   14   748 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>>   28  1438 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpt:xx
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW tcp dpts:xx
>>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>>    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpt:xx
>>   17   714 ACCEPT     udp  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW udp dpts:xx
>>    0     0 ACCEPT     all  --  *      *       10.200.0.5          
0.0.0.0/0          state NEW
>>  218 21425 ACCEPT     all  --  *      *       10.200.0.2          
0.0.0.0/0          state NEW
>>15323 1908K DROP       all  --  *      *       0.0.0.0/0           
10.0.0.99          state NEW
>> 2042 98217 common     all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>>   77  4566 LOG        all  --  *      *       0.0.0.0/0           
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:net2mill:DROP:''
>>   77  4566 DROP       all  --  *      *       0.0.0.0/0           
0.0.0.0/0
>>    
>>
>
>You will notice that most of the rules in this chain are conditional on
>the state of the connection being NEW. The packet that you are seeing
>logged has state INVALID. 
>
>As I mentioned earlier, Shorewall 2.2.0 removed the ''state
NEW'' from
>these rules so INVALID state ICMP packets could be accepted by rules.
>
>Since 2.0.0, there have been additional changes in this area:
>
>>From 2.0.3 Release Notes:
>
>        With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are
>        now passed through the blacklisting chains. Without this change,
>        it is not possible to blacklist hosts that are mounting certain
>        types of ICMP-based DOS attacks.
>        
>>From 2.0.6 Release Notes:
>
>        ICMP packets that are in the INVALID state are now dropped by
>        the Reject and Drop default actions. They do so using the new
>        ''dropInvalid'' builtin action.
>
>-Tom
>
>
>  
>Thanks Tom, I''ll start reading up on the upgrade requirements.

I appreciate your really quick replies and help.

Dave


--------
CAUTION:
This message and any attachments contain privileged and confidential
information.  If you are not the intended recipient of this message, you
are hereby notified that any use, dissemination, distribution or
reproduction of this message is prohibited. If you have received this
message in error please notify the sender immediately via email and then
destroy this message and any attachments.

Any views expressed in this message are those of the individual sender
and may not necessarily reflect the views of Winstone Pulp International
Ltd.

Maybe Matching Threads

Search for more maybe matching threads

Shorewall users - Nov 2004 - Logfile entry query

Logfile entry query

Re: Logfile entry query

Re: Logfile entry query

Re: Logfile entry query

Re: Logfile entry query

Re: Logfile entry query

Re: Logfile entry query

Maybe Matching Threads