Nachman Yaakov Ziskind
2003-Oct-01 20:05 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 10, Issue 85
> Message: 11
> Date: Tue, 30 Sep 2003 18:56:56 -0700 (Pacific Daylight Time)
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] FORWARD:REJECT messages in Shorewall
> To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Message-ID: <Pine.WNT.4.55.0309301853320.1996@TIPPER.shorewall.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Tue, 30 Sep 2003, Nachman Yaakov Ziskind wrote:

NZ| (Shorewall 1.4.4b; running the Mandrake edition.) Occasionally, usually
NZ| during a zone transfer, I get unusual Shorewall messages, like this:
NZ|
NZ| Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
NZ| SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF
NZ| PROTO=UDP SPT=4778 DPT=53 LEN=34
NZ|
NZ| where the src is the DNS master, and the DST is the slave server. What's
NZ| weird about this is a) why is Shorewall/iptables filtering (or seeing?)
NZ| packets remaining on the same interface; the FORWARD chain never shows up
NZ| in messages except for here, and c) my loc->loc policy is ACCEPT, anyway.

TE| a) With Shorewall 1.4.4b, loc->loc traffic is always allowed; however ...
TE|
TE| b) Shorewall never automatically generates rules to bounce packets back
TE| out the same interface that it came in on; you have to set the "routeback"
TE| option on eth1 in order for it to do that.

Just did that.

TE| I haven't a clue why 10.1.1.1 is choosing to route traffic to 10.1.1.230
TE| through your firewall unless there is an incorrect netmask.

# netstat -rn
Routing tables

Destination      Gateway            Flags  Refs       Use  Interface
default          10.1.1.200         UGS       9   2693802  net0
10.1.1           10.1.1.1           UC        1         0  net0
10.1.1.1         127.0.0.1          UGHS      0         8  lo0
127.0.0.1       127.0.0.1          UH        6  29161485  lo0

Looks ok to me. More to the point, traffic between these two machines gets
through; e.g., I telnet from .1 to .230 all the time. This suggests to me
that only a very few packets wander off the reservation. Bad switch, maybe?
("I buy cheap hardware, and I'm proud of it!")

TE| Unless there is a static nat rule with target 10.1.1.230 and a "Yes" in
TE| the ALL INTERFACES column (which setting usually confuses people to no end
TE| -- including me).

38.119.130.12   eth0   10.1.1.230   #salami web server

TE| I should modify that a bit -- Shorewall doesn't create a rule to handle
TE| traffic from an <interface>:<network> back to that same interface and
TE| subnet unless the 'routeback' option is specified for the <interface> in
TE| /etc/shorewall/interfaces or for the <interface>:<network> in
TE| /etc/shorewall/hosts.

Bottom line: should I leave in the routeback option, given that it only
handles a very tiny problem, which really isn't a problem at all? I.e.,
what's the cost?

Thanks for your consideration,

NYZ

--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM            awacs@egps.com
Attorney and Counselor-at-Law              http://ziskind.us
Economic Group Pension Services            http://egps.com
Actuaries and Employee Benefit Consultants
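The message quoted above is the signature of a "hairpin" forward: the kernel logged IN and OUT as the same interface, which is exactly the traffic Shorewall only accepts when the interface (or the interface:network in /etc/shorewall/hosts) carries the routeback option. The script below is an added example, not part of this thread and not Shorewall's own code: it parses the netfilter KEY=VALUE log format shown in the post, picks out the entries whose IN and OUT interface match, and reports which interfaces would need routeback. The sample log lines are constructed for the example (the first one is the line from the post); the chain name net2all in the second line is likewise just an assumption for the sample.

```python
"""Spot same-interface ("hairpin") forwards in Shorewall/netfilter log lines.

INPUT-chain entries carry an empty OUT= and OUTPUT-chain entries an empty IN=,
so "IN and OUT both set and equal" can only be routed traffic that is about
to leave on the interface it arrived on.  Shorewall 1.4 only generates an
ACCEPT for that case when 'routeback' is set on the interface (or host entry);
otherwise the packet falls through and is logged as REJECT/DROP.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Set

# Shorewall's LOG prefix: "Shorewall:<chain>:<disposition>:" followed by the
# kernel's KEY=VALUE fields (flags such as DF or SYN have no '=' and are skipped).
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass(frozen=True)
class Hairpin:
    chain: str
    disposition: str
    iface: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]


def parse_log_line(line: str) -> Optional[dict]:
    """Return the chain, disposition and KEY=VALUE fields, or None for non-Shorewall lines."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    # netfilter prints LEN twice (IP total length, then the L4 length); the later
    # value wins here, which is harmless because nothing below relies on LEN.
    rec.update(_FIELD.findall(line[m.end():]))
    return rec


def hairpin_entries(lines: Iterable[str]) -> Iterator[Hairpin]:
    """Yield every logged packet whose IN and OUT interface are the same."""
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        inp, out = rec.get("IN", ""), rec.get("OUT", "")
        if inp and inp == out:
            dpt = rec.get("DPT")
            yield Hairpin(
                chain=rec["chain"],
                disposition=rec["disposition"],
                iface=inp,
                src=rec.get("SRC", "?"),
                dst=rec.get("DST", "?"),
                proto=rec.get("PROTO", "?"),
                dpt=int(dpt) if dpt else None,
            )


def routeback_candidates(lines: Iterable[str]) -> Set[str]:
    """Interfaces that refused hairpin traffic, i.e. where 'routeback' is missing."""
    return {h.iface for h in hairpin_entries(lines)
            if h.disposition in ("REJECT", "DROP")}


# Constructed sample: line 1 is the message from the post, the rest are made up.
SAMPLE_LOG = [
    "Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 "
    "SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF "
    "PROTO=UDP SPT=4778 DPT=53 LEN=34",
    "Sep 30 20:31:12 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.9 DST=38.119.130.12 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6010 DF "
    "PROTO=TCP SPT=3391 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Sep 30 20:32:01 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 "
    "SRC=10.1.1.77 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 30 20:33:40 yoreach kernel: Shorewall:FORWARD:ACCEPT:IN=eth1 OUT=eth1 "
    "SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21333 DF "
    "PROTO=UDP SPT=4778 DPT=53 LEN=34",
    "Sep 30 20:34:00 yoreach kernel: eth1: link up",
]

if __name__ == "__main__":
    for hit in hairpin_entries(SAMPLE_LOG):
        print(f"{hit.iface}: {hit.src} -> {hit.dst} {hit.proto}/{hit.dpt} "
              f"[{hit.chain}:{hit.disposition}]")
    print("interfaces needing routeback:", sorted(routeback_candidates(SAMPLE_LOG)))
```

Run it against /var/log/messages (or wherever syslog puts kernel lines) and the interface set it prints is the list to check for the routeback option; a non-empty set is also the cue to look at why a LAN host is sending same-subnet traffic via the firewall at all, which in the thread comes down to the netmask, the switch, or a static nat entry with ALL INTERFACES in effect.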
Tom Eastep
2003-Oct-01 20:10 UTC
[Shorewall-users] Re: Shorewall-users Digest, Vol 10, Issue 85
On Wed, 1 Oct 2003, Nachman Yaakov Ziskind wrote:

> 0
> 38.119.130.12   eth0   10.1.1.230   #salami web server
>

"Yes" is the default (badly chosen but I've retained it for compatibility).

> TE| I should modify that a bit -- Shorewall doesn't create a rule to handle
> TE| traffic from an <interface>:<network> back to that same interface and
> TE| subnet unless the 'routeback' option is specified for the <interface> in
> TE| /etc/shorewall/interfaces or for the <interface>:<network> in
> TE| /etc/shorewall/hosts.
>
> Bottom line: should I leave in the routeback option, given that it only
> handles a very tiny problem, which really isn't a problem at all? I.e.,
> what's the cost?
>
> Thanks for your consideration,
>

Suit yourself -- you are the one complaining about the messages.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net