(Upgrading from 1.4.4 to 1.4.10a; a failed upgrade to 1.4.10 [masq not
working] was the subject of another thread.)
I copied all (to be precise rules, nat, interfaces, masq, params, policy &
zones) of my config files and made no changes. Restarting Shorewall was very
gratifying - no errors and everything seems to work. Except that I am getting
some unexplained DROPped packets:
Feb 19 22:40:01 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=4.37.216.17 DST=10.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=62
Feb 19 22:40:13 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=212.104.130.9 DST=10.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=51 ID=47810 PROTO=UDP SPT=41006 DPT=53 LEN=51
Feb 19 22:40:21 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=198.235.216.114 DST=10.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=243 ID=57871 DF PROTO=UDP SPT=51812 DPT=53 LEN=51
According to the docs (FAQ #17) I know that net2all is a policy (here:
"net all DROP info") which needs to be overridden by a rule. Except that
there *is* a rule (two, actually):
DNAT net loc:$SCO:1053 udp 53
DNAT net loc:$SCO:1053 tcp 53
(SCO=10.1.1.1 from params)
Now I know that Shorewall is loading them:
Rule "DNAT net loc:10.1.1.1:1053 udp 53" added.
Rule "DNAT net loc:10.1.1.1:1053 tcp 53" added.
or, from the trace (full trace upon request):
+ read first rest
+ [ xDNAT = xINCLUDE ]
+ echo DNAT net loc:$SCO:1053 udp 53
+ read first rest
+ [ xDNAT = xINCLUDE ]
+ echo DNAT net loc:$SCO:1053 tcp 53
+ read first rest
+ [ x = xINCLUDE ]
+ echo
+ read first rest
It's possible, I suppose, that some earlier rule is cancelling out the effect
of these rules - I scoured the entire rules file several times and didn't find
it, but maybe it's there. :-( (I'm willing to post/mail the rules - all 120 or
so, if that is necessary. But I looked really thoroughly. And it worked before
the upgrade.)
More tantalizing, similar rules to another machine:
DNAT net loc:$SALAMI udp 53 - 38.119.130.12
DNAT net loc:$SALAMI tcp 53 - 38.119.130.12
do function as intended.
So, what I'm asking is, how do I debug this further? The rules worked in 1.4.4,
and I've checked the FAQ and the upgrade issues; have I missed something?
--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM awacs@egps.com
Attorney and Counselor-at-Law http://ziskind.us
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants
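A first debugging step for a post like this one is to tabulate the logged packets rather than read them one at a time. The script below is an added example, not code from the original post or from Shorewall itself: it pulls the chain, action, protocol, destination and destination port out of Shorewall's kernel LOG lines, counts hits per combination, and flags entries logged with an OUT= interface and an RFC1918 destination. Such an entry was logged in FORWARD, and because nat PREROUTING runs before FORWARD, the DST/DPT it shows are the values after any DNAT has already been applied, which is what you want to compare against the address and port the DNAT rules are supposed to produce. The three log lines are the ones quoted in the post; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarize Shorewall LOG lines.

# Constructed sample input: the three net2all DROP lines quoted in the post.
SAMPLE_LOG='Feb 19 22:40:01 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=4.37.216.17 DST=10.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=62
Feb 19 22:40:13 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=212.104.130.9 DST=10.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=51 ID=47810 PROTO=UDP SPT=41006 DPT=53 LEN=51
Feb 19 22:40:21 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=198.235.216.114 DST=10.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=243 ID=57871 DF PROTO=UDP SPT=51812 DPT=53 LEN=51'

# Reads log lines on stdin, prints "<count> <chain> <action> <proto> <dst>:<dport>"
# per distinct combination, sorted. Lines without a Shorewall: prefix are ignored.
summarize_shorewall_log() {
    awk '
    {
        chain = ""; action = ""; proto = ""; dst = ""; dport = ""; out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                # The log prefix ends without a space, so the kernel fuses the
                # first LOG field onto it: "Shorewall:net2all:DROP:IN=eth0".
                split($i, p, ":")
                chain = p[2]; action = p[3]
            }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dport = substr($i, 5)
            else if ($i ~ /^OUT=/)   out   = substr($i, 5)
        }
        if (chain == "") next            # not a Shorewall log line
        key = chain " " action " " proto " " dst ":" dport
        count[key]++
        # OUT= non-empty means the packet was logged in FORWARD, not INPUT;
        # a private DST there is the address left by nat PREROUTING (DNAT).
        if (out != "" && dst ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            fwd[key] = 1
    }
    END {
        for (k in count)
            printf "%d %s%s\n", count[k], k,
                   ((k in fwd) ? " (FORWARD, post-DNAT dst)" : "")
    }' | sort
}

# Stand-alone usage: summarize the constructed sample, or pipe in a real log:
#   grep Shorewall /var/log/messages | sh this_script.sh
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
else
    summarize_shorewall_log
fi
```

On the sample this reduces the three lines to a single row, `3 net2all DROP UDP 10.1.1.1:53 (FORWARD, post-DNAT dst)`, which puts the post-NAT destination port next to the port the quoted DNAT rules target so the two can be compared directly.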