search for: physin

...-log-ip-options --log-prefix --FILTER-FORWARD-- iptables -t filter -A PREROUTING -p icmp -j LOG --log-ip-options --log-prefix --NAT-PREROUTING-- iptables -t filter -A POSTROUTING -p icmp -j LOG --log-ip-options --log-prefix --NAT-POSTROUTING-- Oct 25 00:19:42 host3 --NAT-PREROUTING--IN=bridge OUT= PHYSIN=eth0 MAC=00:e0:4c:ff:02:5e:00:0a:95:f5:1b:fc:08:00 SRC=10.22.2.4 DST=212.27.33.225 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2197 PROTO=ICMP TYPE=8 CODE=0 ID=233 SEQ=0 Oct 25 00:19:42 host3 --FILTER-FORWARD--IN=bridge OUT=bridge PHYSIN=eth0 PHYSOUT=eth1 SRC=10.22.2.4 DST=212.27.33.225 LEN=84 TOS=0x00 PR...

...N/DOM0-Bridge. If I boot Windows without /GPLPV option, everything works fine. I did some investigation and found out that the packages arrive differently if GPLPV is enabled. "br_inet" is a bridge connected to the DSL router via peth1. With /GPLPV: iptables log: IN=br_inet OUT=br_inet PHYSIN=tap3 PHYSOUT=peth1 SRC=10.10.11.250 DST=209.85.129.99 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=465 DF PROTO=TCP SPT=1050 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0 => Those packets are never forwarded to peth1. To be sure I verified this by using port mirroring on the switch that connects peth1 with...

...my network setup @ https://aequorin.homeunix.net:62389/local/media/network-graph.png) 1) These are the syslog entries for some simple connection tests. Shorewall/netfilter has been set to record all stateful connections SSH is recognized as phys(eth0) -> $FW traffic. This is because PHYSIN is set. Why is this? Why is SSH not lan(br0) -> $FW ? You mentioned that unless the physdev flag is set, shorewall only cares about lan(br0) <-> $FW Why does PHYSIN get set for SSH ? ping(server->lan) Sep 14 23:42:45 veridian kernel: [618269.196281] Shorewall:fw2lan:ACCE...

....htm,then i change the configuration for eable openvpn with the instructions present here : http://shorewall.net/OPENVPN.html but now the vpn does not work and in the file log there is for example information like this : Dec 1 15:38:57 dnsprova kernel: Shorewall:all2all:REJECT:IN=br0 OUT=eth1 PHYSIN=eth0 SRC=192.168.10.221 DST=62.123.105.181 LEN=50 TOS=0x00 PREC=0x00 TTL=127 ID=1176 PROTO=UDP SPT=1045 DPT=53 LEN=30 How I can configure shorewall to permit my vpn ? Configuration on FIREWALL B : /etc/shorewall/interfaces : net eth1 detect tcpflags,dhcp,routefilter,norfc...

...e bridge to wlan0: Oct 6 17:05:46 cassini kernel: [ 2696.527510] IN=wlan0 OUT=eth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 Oct 6 17:05:46 cassini kernel: [ 2696.527588] IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 Oct 6 17:05:46 cassini kernel: [ 2696.527829] IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200...

...ply times out, logging reveals they're not getting forwarded. We've added logging to iptables and testing in promisc mode vs. not-promisc: This is what gets logged when virbr0 is not in promisc mode: > Feb 11 19:12:31 hyper kernel: [199815.004207] prerouting imaps: > IN=virbr0 OUT= PHYSIN=vnet0 > MAC=fe:54:00:17:c8:2a:52:54:00:17:c8:2a:08:00 SRC=192.168.122.151 > DST=a.b.c.d.145 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=40689 DF > PROTO=TCP SPT=43460 DPT=993 WINDOW=29200 RES=0x00 SYN URGP=0 And this when the device is in promisc mode: > Feb 11 19:14:33 hyper kernel: [199937...

...tcp flags:0x06/0x06 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02 Jun 27 16:30:08 loc2road:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap2 SRC=192.168.3.10 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=46363 PROTO=UDP SPT=137 DPT=137 LEN=58 Jun 27 16:30:08 loc2road:ACCEPT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap1 SRC=192.168.3.10 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=46363 PROTO=UDP SPT=13...

Dear All, I try to upgrade, my old shorewall from 4.4.13-3 to 4.5.2.3-1 on CentOS, after upgrade i can''t start shorewall with this message: "/Shorewall: Address Ranges require the Multiple Match capability in your kernel and iptables/" I try to search on the net about this, but no still no light. Somebody can help me? Great appreciate for any help. Regards,

The bridging documentation (http://shorewall.net/2.0/bridge.html) has been expanded and there is a refresh of the bridging code (ftp://shorewall.net/pub/shorewall/Bridging and http://shorewall.net/pub/shorewall/Bridging). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

...; doc docker0 tcpflags,nosmurfs,logmartians,bridge,routeback,optional and "policy" like so >doc net ACCEPT However, when firing up an container and trying to acces the web, "shorewall logwatch" is giving me entries like >doc2net:REJECT:IN=docker0 OUT=eth0 PHYSIN=veth3sm8hc SRC=172.17.0.7 DST=192.168.100.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=19346 DF PROTO=UDP SPT=52963 DPT=53 LEN=48 Can anyone hint at what else I need? Docker generates on the fly a interface like so: vethuZdLHZ Link encap:Ethernet HWaddr fe:65:f2:16:ef:60 UP BROADCAST RUNN...

...br0:vif+ net xen-br0:peth0 *************************************************** So, the problem is that I don''t have peth0 (maybe because i''m using network-route). In fact, If I try to contact dom0 or any domU, in the log I see: Shorewall:FORWARD:REJECT:IN=xen-br0 OUT=xen-br0 PHYSIN=eth0 PHYSOUT=vif1.0 How can I intercept packet from eth0 in this case? :(( the "net" interface seems to ignore eth0 -- Davide Corio davide.corio@redomino.com Redomino S.r.l. C.so Monte Grappa 90/b - 10145 Torino - Italy Tel: +39 011 19502871...

...(tunnel0) configured on top of a bridge (br0). Everything works fine but when I try to create firewall rules base on traffic that should go through tunnel0, the rule is not match. I have activated LOG for this particular issue and here is how the traffic is percieved by iptables : IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.35.8.46 DST=10.10.30.251 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=61218 SEQ=1 IN=br0 OUT=tunnel0 PHYSIN=eth1 SRC=10.10.30.251 DST=10.35.8.46 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=26665 PROTO=ICMP TYPE=0 CODE=0 ID=61218 SEQ=1 traffic in is seen on...

Hi Vene, Would appreciate any help you can give as I am not sure which NAT you are talking about. A little more background. I am replacing a Windows 2000 routing and remote access machine that was acting as the gateway and performing NAT for Internet access for our local clients. In this setup the cisco VPN clients had no problem connecting to the vpn concentrator. The only difference in any

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=479 ------- Additional Comments From kaber@trash.net 2006-05-22 14:42 MET ------- It is not entirely clear what you are trying to show with that LOG line. How is the traffic flowing, what do you expect? And why is it visible in plaintext on the br0 device? Please also include your kernel version. -- Configure bugmail:

...setup and give me some input into the proper way to set this up so that I can do all the normal Shorewall things properly like blocking like normal, port forwards, etc. ? I think my current setup mostly works, but I''m seeing messages like: Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0 (some of these are from external machines to a virtual machine and mention eth1 as the physical - this one is both virtual m...

Hey folks; I have been happily using shorewall for quite some time so this problem _may_ not be easy to resolve but I am interested in any information regarding your experience with the same setup. I was using FC3 with shorewall 2.2.3 and two NICs setup as a bridge without any issue until I upgraded to FC4. My production system would pass traffic through the bridge but local usage would not

...worked ok when I tried to telnet a port on a remote machine (192.168.0.1) from the local machine (192.168.0.2), concretelly the test was a telnet to port 22 where the ssh daemon was listening. However, when I did the same test using the br0 interface, I got this logged: NOTESTABLISHED IN=br0 OUT= PHYSIN=eth0 MAC=00:50:ba:54:39:8c:00:48:54:6a:58:90:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=48448 WINDOW=5792 RES=0x00 ACK SYN URGP=0 doing a grep for 192.168.0.1 on /proc/net/ip_conntrack* returned nothing, however netstat showed the connectio...

...uting problems: Feb 20 18:31:36 intel6550 kernel: martian source 217.237.149.142 from 192.168.0.4, on dev eth1 Feb 20 18:31:36 intel6550 kernel: ll header: 00:a0:24:29:5b:25:00:60:b0:67:2a:af:08:00 or on my own firewall-rules: Feb 20 18:36:46 intel6550 kernel: Forward-Routing: IN=xenbr0 OUT=xenbr0 PHYSIN=peth1 PHYSOUT=vif0.0 SRC=192.168.0.3 DST=217.237.150.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35617 DF PROTO=UDP SPT=1060 DPT=53 LEN=40 how can I use routing with started xen-bridge? Every Computer at home has a fixed / hard IP-address (from the 192.168.0.x net) and only my internet-computer / gate...

...EN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=50773 SEQ=256 When I try to access a website from the ipaq, here''s the only output in shorewall''s log (212.27.39.135 is a dns server) : Apr 2 21:38:06 bregalad kernel: Shorewall:bt2all:ACCEPT:IN=br0 OUT=eth1 PHYSIN=bnep0 SRC=192.168.0.10 DST=212.27.39.135 LEN=61 TOS=0x00 PREC=0x00 TTL=127 ID=11 PROTO=UDP SPT=1028 DPT=53 LEN=41 Here''s the result of some commands : # ip addr show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127...

Could the problem be that the e100 can do IP receive checksumming on the board, but the eepro driver doesn't enable it. When the board is doing checksum offload, then the csum field isn't set. Please try disabling receive checksumming on the e100 driver modprobe e100 XsumRX=0 If this is the problem, it exists both 2.4 and 2.6. On Wed, 27 Aug 2003 18:24:57 +0200 Hannes Schulz