Nachman Yaakov Ziskind
2003-Sep-30 18:37 UTC
[Shorewall-users] FORWARD:REJECT messages in Shorewall
(Shorewall 1.4.4b; running the Mandrake edition.) Occasionally, usually during a zone transfer, I get unusual Shorewall messages, like this:

Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF PROTO=UDP SPT=4778 DPT=53 LEN=34

where the src is the DNS master, and the DST is the slave server. What's weird about this is a) why is Shorewall/iptables filtering (or seeing?) packets remaining on the same interface; the FORWARD chain never shows up in messages except for here, and c) my loc->loc policy is ACCEPT, anyway.

This looks like "Other Gotchas" in "Things to try if it doesn't work" on the Shorewall site; but I'm still confused; *of course* the two machines are connected to the same interface; they're both in the local zone! And I'm not using a hosts file.

In proof of my diligent search for this answer, I'll point out that the link for FAQ#30 is broken; it points to file:///vfat/Shorewall-docs/FAQ.htm#faq30, which goes nowhere on my system.

Can anyone enlighten me on what's going on here? The zone transfers seem all successful, by the way.

--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM        awacs@egps.com
Attorney and Counselor-at-Law          http://ziskind.us
Economic Group Pension Services        http://egps.com
Actuaries and Employee Benefit Consultants
On Tue, 30 Sep 2003, Nachman Yaakov Ziskind wrote:

> (Shorewall 1.4.4b; running the Mandrake edition.) Occasionally, usually during
> a zone transfer, I get unusual Shorewall messages, like this:
>
> Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF
> PROTO=UDP SPT=4778 DPT=53 LEN=34
>
> where the src is the DNS master, and the DST is the slave server. What's weird
> about this is a) why is Shorewall/iptables filtering (or seeing?) packets
> remaining on the same interface; the FORWARD chain never shows up in messages
> except for here, and c) my loc->loc policy is ACCEPT, anyway.
>

a) With Shorewall 1.4.4b, loc->loc traffic is always allowed; however ...

b) Shorewall never automatically generates rules to bounce packets back out the same interface that it came in on; you have to set the "routeback" option on eth1 in order for it to do that.

I haven't a clue why 10.1.1.1 is choosing to route traffic to 10.1.1.230 through your firewall unless there is an incorrect netmask.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 30 Sep 2003, Tom Eastep wrote:

> I haven't a clue why 10.1.1.1 is choosing to route traffic to 10.1.1.230
> through your firewall unless there is an incorrect netmask.
>

Unless there is a static nat rule with target 10.1.1.230 and a "Yes" in the ALL INTERFACES column (which setting usually confuses people to no end -- including me).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 30 Sep 2003, Tom Eastep wrote:

> b) Shorewall never automatically generates rules to bounce packets back
> out the same interface that it came in on; you have to set the "routeback"
> option on eth1 in order for it to do that.
>

I should modify that a bit -- Shorewall doesn't create a rule to handle traffic from an <interface>:<network> back to that same interface and subnet unless the 'routeback' option is specified for the <interface> in /etc/shorewall/interfaces or for the <interface>:<network> in /etc/shorewall/hosts.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
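The diagnosis in this thread (a FORWARD reject whose IN and OUT interface are the same, pointing at a missing 'routeback' option or a static NAT entry with ALL INTERFACES set) can be turned into a small log-triage check. The following is an added example, not code from the Shorewall project or from anyone in the thread. It parses kernel log lines in the "Shorewall:CHAIN:DISPOSITION:IN=... OUT=..." form that Nachman posted, and flags lines where a FORWARD-chain reject or drop has IN equal to OUT. The first sample line is the one from the thread; the other two are constructed for the example, and the file path in the triage note is the one Tom names.

```python
"""Triage Shorewall/iptables kernel log lines for same-interface FORWARD rejects.

Added example (not Shorewall's own code). It assumes the log prefix format
shown in the thread: "Shorewall:<chain>:<disposition>:" followed by the
netfilter KEY=value pairs. Sample lines below are constructed, except the
first, which is the line quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 ..." -> chain, disposition, rest
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
# netfilter key=value tokens; bare flags such as "DF" have no '=' and are skipped
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dpt: Optional[int]


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one kernel log line; return None if it is not a Shorewall log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("rest")):
        # netfilter prints LEN twice (IP header, then transport); keep the first
        fields.setdefault(kv.group("key"), kv.group("val"))
    dpt = fields.get("DPT")
    return LogEntry(
        chain=m.group("chain"),
        disposition=m.group("disp"),
        in_if=fields.get("IN", ""),
        out_if=fields.get("OUT", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        dpt=int(dpt) if dpt and dpt.isdigit() else None,
    )


def is_hairpin_forward(entry: LogEntry) -> bool:
    """True when FORWARD blocked a packet leaving on the interface it arrived on."""
    return (
        entry.chain == "FORWARD"
        and entry.disposition in ("REJECT", "DROP")
        and entry.in_if != ""
        and entry.in_if == entry.out_if
    )


def triage(lines: List[str]) -> List[Tuple[LogEntry, str]]:
    """Return (entry, note) pairs for lines matching the same-interface pattern."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_hairpin_forward(entry):
            continue
        note = (
            f"same-interface forward on {entry.in_if} ({entry.src} -> {entry.dst} "
            f"{entry.proto}/{entry.dpt}): check the 'routeback' option for "
            f"{entry.in_if} in /etc/shorewall/interfaces (or the host entry in "
            f"/etc/shorewall/hosts), a static NAT entry for {entry.dst} with ALL "
            f"INTERFACES=Yes, and the netmask on {entry.src}"
        )
        findings.append((entry, note))
    return findings


# Constructed sample input: line 1 is from the thread, lines 2 and 3 are made up.
SAMPLE_LINES = [
    "Sep 30 20:30:08 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 "
    "SRC=10.1.1.1 DST=10.1.1.230 LEN=54 TOS=0x00 PREC=0x00 TTL=63 ID=21332 DF "
    "PROTO=UDP SPT=4778 DPT=53 LEN=34",
    "Sep 30 20:31:00 yoreach kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 "
    "SRC=192.0.2.10 DST=10.1.1.230 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 30 20:31:05 yoreach kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=2 "
    "PROTO=TCP SPT=1234 DPT=135 WINDOW=512 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for entry, note in triage(SAMPLE_LINES):
        print(note)
```

Only the thread's own line is reported: the second sample is an ordinary cross-interface forward reject and the third is an INPUT-side drop with an empty OUT, so neither matches the pattern Tom describes.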