search for: net2dmz

...at I am dropping all packets from the net 2 dmz named service. My question is why would I get these all the time, they are from multiple different sites. Are they trying to do something to my host or is this a common occurance? -------- cut ---------- Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37389 DF PROTO=UDP SPT=9166 DPT=53 LEN=36 Oct 20 23:16:17 iprouter kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=213.136.52.31 DST=xx.xx.xx.xx LEN=56 TOS=0x00 PREC=0x00 TTL=39 ID=37403 DF PROTO=UDP SP...

...DROP info 8/sec:30 -------------------------------------- I see some drops in the logs, which results in some timeouts. Although most of the traffic from 94.23.242.44 is well redirected to 10.0.0.7. -------------------------------------- Jan 20 19:24:29 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=vmbr0 SRC=74.127.214.2 DST=10.0.0.7 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=7235 DF PROTO=TCP SPT=49967 DPT=80 WINDOW=32768 RES=0x00 SYN URGP=0 Jan 20 19:24:40 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=vmbr0 SRC=90.26.201.69 DST=10.0.0.7 LEN=48 TOS=0x00 PREC=0x00 TTL=11...

...state NEW 8 400 nobogons all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 18 2881 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0 55 9423 net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 blacklst a...

...es target prot opt in out source destination Chain eth0_fwd (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2all a...

...resetting the counters at intervals of 1 or 2 hours, I''m thinking of writing a perl data collection script that would parse the output of iptables and store data into an sql database with a timestamp and reset the counters for the in and out chains of the firewall (dmz2net loc2net net2loc net2dmz for example) After that, it''s just a question of querying collected data from the sql database using built-in stat functions. I''m assuming that the byte counters are correct, is there something I''m missing? This would be a great add-on to shorewall, no? Any feedback w...

...prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 net2ursa all -- * xenbr0 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif0.0 0 0 net2dmz all -- * xenbr0 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif+ 0 0 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 0...

...0.0.0/0 0.0.0.0/0 Chain eth1_fwd (1 references) pkts bytes target prot opt in out source destination 302K 170M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 122K 70M net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0 180K 100M net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 299K 333M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 299K 333M net2fw all -- * * 0.0.0.0/0 0.0...

....0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 34 15323 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 34 15323 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0 0 0 net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 65 8740 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 65 8740 blacklst all -- * *...

...0.0.0/0 0.0.0.0/0 Chain eth1_fwd (1 references) pkts bytes target prot opt in out source destination 302K 170M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 122K 70M net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0 180K 100M net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 299K 333M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 299K 333M net2fw all -- * * 0.0.0.0/0 0.0...

Hi My situation: I have two pc''s with public ip''s (192.159.56.206(webserver) and 84.196.123.65(mail-gateway)) in the dmz. The firewall (84.196.123.66) is configures with proxyarp, so nothing is changed on the pc''s from when they were not behind the firewall (i.e. they don''t have the firewall as gateway (and they each have different gateways, only 84.196.123.65

Hi, I''ve to restart shorewall when my dynamic IP was changed from my ISP. Of course i can with a shell script do it automatically, but the question is still there.. why ? mess-mate -- "I understand this is your first dead client," Sabian was saying. The absurdity of the statement made me want to laugh but they don''t call me Deadpan

..." added. Rule "ACCEPT dmz svr tcp ftp" added. Rule "ACCEPT dmz net tcp ntp" added. Rule "DNAT net dmz:192.168.2.3 tcp smtp" added. Processing /etc/shorewall/policy... Policy ACCEPT for fw to svr using chain fw2svr Policy ACCEPT for net to dmz using chain net2dmz Policy ACCEPT for wst to net using chain wst2net Policy REJECT for dmz to net using chain all2all Policy REJECT for dmz to svr using chain all2all Policy ACCEPT for svr to fw using chain svr2fw Policy ACCEPT for svr to net using chain svr2net Policy ACCEPT for svr to wst using chain svr...

...5 1800 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 35 1800 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 net2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0 42 2332 net2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 102 6434 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 102 6434 blacklst...

I apologize for the first message. :) --------------------------------------- I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer. I have setup the following rule for outside people to connect to it: DNAT net dmz:192.168.2.2 tcp 23000 I''m at work right now and I can''t use

...n 182 10988 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 182 10988 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 43153 9147K net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0 798 375K net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 39 3792 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 ACCEPT...

...0.0.0.0/0 413 61925 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0 413 61925 blacklst ah -- * * 0.0.0.0/0 0.0.0.0/0 259 38487 net2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0 154 23438 net2dmz ah -- * eth2 0.0.0.0/0 0.0.0.0/0 0 0 net2all ah -- * eth3 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 22 3068 dynamic a...

...s) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 17 1080 net2loc all -- * br0 0.0.0.0/0 0.0.0.0/0 0 0 net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 10 930 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 4...

This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer