Joe,
On Mon, 8 Apr 2002, Joe Van Andel wrote:
> I'm seeing RPC traffic rejected.
> /var/log/messages shows:
>
> Apr 8 21:44:36 ops-zebra kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:10:5a:75:b0:07:08:00:20:90:07:05:08:00 SRC=128.117.78.15
> DST=128.117.78.67 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=45672 DF
> PROTO=UDP SPT=111 DPT=39164 LEN=36
>
This is a port mapper UDP reply to the firewall.
> where 128.117.78.67 is my firewall machine. I'm trying to allow RPC
> traffic, since rules contains:
> ACCEPT net $FW tcp portmapper
> ACCEPT net $FW udp portmapper
> ACCEPT $FW net tcp portmapper
> ACCEPT $FW net udp portmapper
>
> /etc/shorewall/firewall status shows
> Chain net2fw (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>     5   640 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:111
>
> Chain fw2net (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>     0     0 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0    state NEW udp dpt:111
>
> Is it possible to configure shorewall to allow RPC traffic? (I searched
> the site and mail archives, and didn't come up with any advice.)
>
There used to be an RPC connection tracking/NAT module in NetFilter but I
personally could never get it to work. Without such a module (and one that
actually works), you will never get any useful results from any
NetFilter-based firewall (including Shorewall).
What RPC-based application are you trying to use through your firewall?
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
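Added example (editor's code, not part of the original thread and not Shorewall's or NetFilter's own code) illustrating Tom's point about why static port-111 rules are not enough: the ONC RPC port mapper returns the real service port inside the UDP payload of its reply, so a filter that only matches on port numbers never learns which port the client will contact next. The log line is Joe's, joined onto one line; the 28-byte UDP payload it reports (UDP LEN 36 minus the 8-byte UDP header) is exactly the size of an accepted PMAPPROC_GETPORT reply. The XID, the looked-up program (100003, NFS v2) and the returned service port 32768 are constructed for the example and do not come from the post.

```python
import re
import struct

# Kernel log line from the post above, joined onto one line so it can be parsed.
LOG_LINE = (
    "Apr 8 21:44:36 ops-zebra kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:10:5a:75:b0:07:08:00:20:90:07:05:08:00 SRC=128.117.78.15 "
    "DST=128.117.78.67 LEN=56 TOS=0x00 PREC=0x00 TTL=255 ID=45672 DF "
    "PROTO=UDP SPT=111 DPT=39164 LEN=36"
)

# ONC RPC v2 / port mapper v2 constants (RFC 1831 / RFC 1833).
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_UDP = 17
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0


def parse_netfilter_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.

    LEN= appears twice (IP total length, then UDP length); the second copy is
    stored as UDP_LEN. Flags without a value (DF) are ignored.
    """
    fields = {}
    for key, value in re.findall(r"([A-Z]+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            fields["UDP_LEN"] = int(value)
        elif key in ("LEN", "SPT", "DPT", "TTL", "ID"):
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def udp_payload_len(fields):
    """UDP payload size = UDP length minus the 8-byte UDP header."""
    return fields["UDP_LEN"] - 8


def xdr_u32(*values):
    """XDR encodes unsigned ints as 4-byte big-endian words."""
    return struct.pack(">" + "I" * len(values), *values)


def rpc_call(xid, prog, vers, proc, args):
    """Build an RPC v2 CALL message with AUTH_NULL credentials and verifier."""
    return xdr_u32(xid, MSG_CALL, 2, prog, vers, proc,
                   AUTH_NULL, 0, AUTH_NULL, 0) + args


def pmap_getport_call(xid, prog, vers, prot):
    """PMAPPROC_GETPORT(prog, vers, prot, port=0): ask where a program listens."""
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                    xdr_u32(prog, vers, prot, 0))


def pmap_getport_reply(xid, port):
    """Accepted RPC reply whose single uint32 result is the service port."""
    return xdr_u32(xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)


def parse_pmap_getport_reply(payload):
    """Decode a GETPORT reply; this is the work a conntrack helper would do."""
    if len(payload) != 28:
        raise ValueError("unexpected GETPORT reply length %d" % len(payload))
    xid, mtype, rstat, _vflavor, vlen, astat, port = struct.unpack(">7I", payload)
    if mtype != MSG_REPLY or rstat != MSG_ACCEPTED or astat != SUCCESS or vlen != 0:
        raise ValueError("not an accepted, successful RPC reply")
    return xid, port


def getport_exchange(fw_ip, fw_port, server_ip, service_port, xid=0x2A2A):
    """Model the datagrams of one RPC lookup followed by the first call to the
    looked-up service. Only the first datagram is addressed to port 111; the
    destination port of the third exists nowhere but inside the second's payload."""
    call = pmap_getport_call(xid, 100003, 2, IPPROTO_UDP)  # NFS v2 over UDP, constructed
    reply = pmap_getport_reply(xid, service_port)
    _, port = parse_pmap_getport_reply(reply)
    return [
        {"src": (fw_ip, fw_port), "dst": (server_ip, 111), "payload": call},
        {"src": (server_ip, 111), "dst": (fw_ip, fw_port), "payload": reply},
        {"src": (fw_ip, fw_port), "dst": (server_ip, port), "payload": b""},
    ]


def matches_dpt_111_rule(datagram):
    """What an 'ACCEPT ... udp 111' rule (dpt:111) can see: the port number only."""
    return datagram["dst"][1] == 111


if __name__ == "__main__":
    f = parse_netfilter_log(LOG_LINE)
    print("logged reply %s:%d -> %s:%d, payload %d bytes"
          % (f["SRC"], f["SPT"], f["DST"], f["DPT"], udp_payload_len(f)))
    for d in getport_exchange(f["DST"], f["DPT"], f["SRC"], 32768):
        print(d["src"], "->", d["dst"], "dpt:111 rule matches:", matches_dpt_111_rule(d))
```

Running it shows that only the outbound lookup to port 111 is something the posted rules can match by port; the service port (32768 here, an assumed value) is visible only to code that decodes the reply payload, which is the job Tom attributes to the RPC connection-tracking module.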