Hi,

I am running sw 1.3.5a with a somewhat unusual configuration. I can send my conf files if anyone asks, but without it I don't want to get into it.

Anyway, I just built this box (it never worked yet) with BIND 9.2.1.

My rules file has these lines so it can talk to the master/slave server:

ACCEPT $FW nete tcp 53
ACCEPT $FW nete udp 53
ACCEPT nete $FW tcp 53
ACCEPT nete $FW udp 53

But this does not control the OUTPUT chain if I understand it right (this is all2all, no?), but I am getting:

Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=65.211.35.254 DST=209.123.31.130 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=116

65.211.35.254 is the primary IP on eth0
209.123.31.130 is my other DNS server.

Could you please tell me where I can control this chain.

Thank you very much,
Val
On Wed, 31 Jul 2002, Val Vechnyak wrote:

> My rules file has these lines so it can talk to the master/slave server:
>
> ACCEPT $FW nete tcp 53
> ACCEPT $FW nete udp 53
> ACCEPT nete $FW tcp 53
> ACCEPT nete $FW udp 53
>
> But this does not control the OUTPUT chain if I understand it right (this is all2all, no?), but I am getting:
>
> Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=65.211.35.254 DST=209.123.31.130 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=116
>
> 65.211.35.254 is the primary IP on eth0
> 209.123.31.130 is my other DNS server.

This looks like your definition of the nete zone is wrong. Are you using the /etc/shorewall/hosts file?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Ummm, yes I am. It looks like this:

nete eth0:65.211.35.128/25
neta eth0:65.213.121.0/25

VV

> On Wed, 31 Jul 2002, Val Vechnyak wrote:
>
> > 65.211.35.254 is the primary IP on eth0
> > 209.123.31.130 is my other DNS server.
>
> This looks like your definition of the nete zone is wrong. Are you using the /etc/shorewall/hosts file?
>
> -Tom
On Thu, 1 Aug 2002, Val Vechnyak wrote:

> Ummm, yes I am. It looks like this:
>
> nete eth0:65.211.35.128/25
> neta eth0:65.213.121.0/25

Well, I don't know what you are trying to accomplish here, but 209.123.31.130 isn't in either of those zones, so any rules that you have for either zone won't affect traffic to/from that system.

-Tom
Tom,

neta is just another subnet that I have coming down the same T3 pipe. I just need to accept traffic for it too. I hope this is not where my problem is.

209.123.31.130 is a completely remote server, which my DNS is trying to talk to. I don't think my problem is in the rules file.

What condition (if this is the right term) does this OUTPUT chain have? I guess it is rejecting it because it is not finding the proper way to handle this request. Where do I make the changes to how this request is handled?

Val

> On Thu, 1 Aug 2002, Val Vechnyak wrote:
>
> > Ummm, yes I am. It looks like this:
> >
> > nete eth0:65.211.35.128/25
> > neta eth0:65.213.121.0/25
>
> Well, I don't know what you are trying to accomplish here, but 209.123.31.130 isn't in either of those zones, so any rules that you have for either zone won't affect traffic to/from that system.
>
> -Tom
On Thu, 1 Aug 2002, Val Vechnyak wrote:

> Tom,
>
> neta is just another subnet that I have coming down the same T3 pipe. I just need to accept traffic for it too. I hope this is not where my problem is.
>
> 209.123.31.130 is a completely remote server, which my DNS is trying to talk to. I don't think my problem is in the rules file.
>
> What condition (if this is the right term) does this OUTPUT chain have? I guess it is rejecting it because it is not finding the proper way to handle this request. Where do I make the changes to how this request is handled?

Any traffic where the source is $FW will go out the OUTPUT chain. Your problem is that you defined the "internet" to be exactly two subnets -- neta and nete. As the documentation for the /etc/shorewall/hosts file says:

"90% of Shorewall users don't need to use this file and of those who do, 80% of those get it wrong"

You are among those 80%.

- Get rid of the /etc/shorewall/hosts entries
- Replace neta and nete by 'net'
- Change your rules accordingly

-Tom
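To make Tom's diagnosis concrete, here is an added example (not from the thread or from Shorewall itself) that models zone membership and $FW-sourced rule matching in a simplified way: it parses the poster's two hosts-file entries and the rejected log line, shows that the DST address falls in neither /25 zone so no $FW->nete rule can match, and shows the same packet matching once the whole interface is a single 'net' zone. The fall-through policy of REJECT and the 'net eth0' interface-style zone line are assumptions for the model.

```python
import ipaddress
import re

# Constructed from the thread: the poster's /etc/shorewall/hosts entries and the
# rejected packet. 'net eth0' models Tom's fix: the whole interface is zone 'net'.
HOSTS_ZONES = "nete eth0:65.211.35.128/25\nneta eth0:65.213.121.0/25\n"
NET_ZONE = "net eth0\n"  # assumed interface-style definition, no hosts file
LOG_LINE = ("Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=65.211.35.254 DST=209.123.31.130 "
            "LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=116")

def parse_zones(text):
    """Parse 'zone iface[:network]' lines; no network means the whole interface."""
    zones = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        iface, _, net = parts[1].partition(":")
        zones.append((parts[0], iface, ipaddress.ip_network(net) if net else None))
    return zones

def parse_log(line):
    """Pull chain, verdict and the packet fields out of a Shorewall log line."""
    chain, action = re.match(r"Shorewall:(\w+):(\w+):", line).groups()
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"chain": chain, "action": action, "out": fields["OUT"],
            "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"].lower(), "dport": int(fields["DPT"])}

def zone_of(zones, iface, ip):
    """First zone whose interface matches and whose network (if any) contains ip."""
    addr = ipaddress.ip_address(ip)
    for zone, zif, net in zones:
        if zif == iface and (net is None or addr in net):
            return zone
    return None  # address belongs to no defined zone: no zone rule can match it

def verdict(rules, zones, pkt, policy="REJECT"):
    """Firewall-sourced traffic goes through OUTPUT; match $FW->zone rules only."""
    dst_zone = zone_of(zones, pkt["out"], pkt["dst"])
    for action, src, dst, proto, port in rules:
        if src == "$FW" and dst == dst_zone and proto == pkt["proto"] and port == pkt["dport"]:
            return action
    return policy  # no rule matched; assumed fw->all policy of REJECT decides

# The poster's $FW->nete DNS rules, and the same rules rewritten for zone 'net'.
OLD_RULES = [("ACCEPT", "$FW", "nete", p, 53) for p in ("tcp", "udp")]
NEW_RULES = [("ACCEPT", "$FW", "net", p, 53) for p in ("tcp", "udp")]
```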