Shorewall users - Jun 2004 - port forwarding troubles

I almost have this nailed down, I believe I''m missing something simple.
I''m running Linux LiveCD with Shorewall version 1.4.7 on a homebrew 
Celeron. Cable modem goes to Eth0, Eth1 goes to a 5 port Linksys switch. I 
have a Dell running XP connected to the switch, that''s all. I have full
internet connectivity on the Dell. However I use DC++ for P2P filesharing. 
DC++ requires one port for tcp and the same port for udp. I am getting a 
ton of udp packets through the firewall, but a very small trickle of tcp. 
Like in a few seconds, /shorewall show nat will say 3000 udp packets, and 
3 tcp packets. It is blocking all the search results of DC++. If I put 
DC++ in ''passive mode'', I get a lot of search results, but not
nearly as
many as when someone can connect via the ''active'' option.

Ok this is the output of ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
link/void
3: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast 
qlen 1000 link/ether 00:0c:41:e5:80:66 brd ff:ff:ff:ff:ff:ff
inet 12.217.165.119/24 brd 255.255.255.255 scope global eth0
inet6 fe80::20c:41ff:fee5:8066/64 scope link
4: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:cf:e5:16 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
inet6 fe80::250:baff:fecf:e516/64 scope link
6: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: eql: <MASTER> mtu 576 qdisc noop qlen 5
link/slip
8: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
9: gre0@NONE: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
10: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0

output of ip route show:

192.168.1.0 dev eth1 scope link
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
12.217.165.0/24 dev eth0 proto kernel scope link src 12.217.165.119
127.0.0.0/8 dev lo scope link
default via 12.217.165.1 dev eth0

output of log:

Counters reset Sun Jun 13 12:39:38 AST 2004

Jun 13 12:04:04 net2all:DROP:IN=eth0 OUT= SRC=66.165.36.190 
DST=12.217.165.119 LEN=835 TOS=0x00 PREC=0x00 TTL=121 ID=15215 PROTO=UDP 
SPT=9932 DPT=1026 LEN=815
Jun 13 12:04:05 net2all:DROP:IN=eth0 OUT= SRC=66.184.253.206 
DST=12.217.165.119
LEN=835 TOS=0x00 PREC=0x00 TTL=121 ID=22641 PROTO=UDP SPT=13376 DPT=1027 
LEN=815
Jun 13 12:05:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:08:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:11:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:14:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:17:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:18:21 net2all:DROP:IN=eth0 OUT= SRC=12.217.165.119 
DST=67.65.253.243 LEN=837 TOS=0x00 PREC=0x00 TTL=115 ID=7497 PROTO=UDP 
SPT=7230 DPT=1028 LEN=817 ]
Jun 13 12:20:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:23:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:23:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:26:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:29:04 net2all:DROP:IN=eth0 OUT= SRC=218.57.50.216 
DST=12.217.165.119 LEN=759 TOS=0x00 PREC=0x00 TTL=115 ID=47762 PROTO=UDP 
SPT=20274 DPT=1026 LEN=739
Jun 13 12:29:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:30:58 logdrop:DROP:IN=eth0 OUT=eth1 SRC=83.88.202.210 
DST=192.168.1.3
LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=13958 DF PROTO=TCP SPT=2707 DPT=587 
WINDOW=64240 RES=0x00 SYN URGP=0
Jun 13 12:31:01 logdrop:DROP:IN=eth0 OUT=eth1 SRC=83.88.202.210 
DST=192.168.1.3
LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=13985 DF PROTO=TCP SPT=2707 DPT=587 
WINDOW=64240 RES=0x00 SYN URGP=0
Jun 13 12:31:07 logdrop:DROP:IN=eth0 OUT=eth1 SRC=83.88.202.210 
DST=192.168.1.3
LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=14042 DF PROTO=TCP SPT=2707 DPT=587 
WINDOW=64240 RES=0x00 SYN URGP=0
Jun 13 12:32:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:35:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:38:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:41:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Jun 13 12:44:25 logdrop:DROP:IN=eth0 OUT= SRC=192.168.100.1 DST=224.0.0.1 
LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2

and output of status.txt:

where <command> is one of:
add <interface>[:<host>] <zone>
allow <address> ...
check
clear
delete <interface>[:<host>] <zone>
drop <address> ...
help [ <command > | host | address ]
hits
ipcalc [ <address>/<vlsm> | <address> <netmask> ]
iprange <address>-<address>
logwatch [<refresh interval>]
monitor [<refresh interval>]
refresh
reject <address> ...
reset
restart
save
show [<chain> [ <chain> ...
]|classifiers|connections|log|nat|tc|tos]
start
stop
status
try <directory> [ <timeout> ]
version

Thanks for any help.

Austin wrote:
> However I use DC++ for P2P 
> filesharing. DC++ requires one port for tcp and the same port for udp. I 
> am getting a ton of udp packets through the firewall, but a very small 
> trickle of tcp. Like in a few seconds, /shorewall show nat will say 3000 
> udp packets, and 3 tcp packets.
That doesn''t tell you how many packets are going through your firewall;
it tells you how many "NEW" connections were made. Since almost every 
UDP exchange of packets results in a "NEW" connection, you would
expect
UDP counts to far outweigh TCP in the "nat" table.

It is blocking all the search results of
> DC++. If I put DC++ in ''passive mode'', I get a lot of
search results,
> but not nearly as many as when someone can connect via the
''active'' option.
I''m afraid that I will not be able to interpret those symptoms without 
spending my Sunday afternoon researching DC++; that''t not going to 
happen. If you can explain in IP terms what search results have to do 
with the DC++ "active" option then we might be able to help you.

I recommend that you add a DROP entry for 192.168.100.1 to your rfc1918 
file -- that will clean up your log considerably.

-Tom

PS -- the "status.txt" you posted contained the output of
"shorewall
help"!!!
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

junk wrote:
> 
> Well I''m happy now. I have a ''nothing gets in''
profile on both Shorewall
> and Trend Micro, and I get a Total Stealth rating from Shield''s
Up. Then
> I have a DC++ profile which opens up the one port. This is all I wanted,
> thanks for all your work on Shorewall. It works great.
You''re welcome -- glad that you found the problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net