Nerijus Baliunas wrote:
> Hello,
>
> I have shorewall-1.3.9b-1 on RH 8.0.
>
> /etc/shorewall/policy:
>
> loc net ACCEPT
> $FW net ACCEPT
> net all DROP info
> all all REJECT info
>
> I get a lot of rejected packets:
>
> Oct 26 19:07:17 avalon kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.2
> LEN=88 TOS=0x08 PREC=0xC0 TTL=64 ID=48775 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.0.2 DST=212.59.0.1
> LEN=60 TOS=0x08 PREC=0x00 TTL=1 ID=14867 DF PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=47620 ]
>
> They repeat every 10 seconds.
>
> eth0 is the local interface (loc), the firewall IP is 192.168.0.1,
> 192.168.0.2 is some PC on the local LAN, and 212.59.0.1 is my ISP's
> DNS server. What are these packets?
>
Whatever happened here, the bug is at the other end and not at yours. It
appears that 192.168.0.2 pinged 212.59.0.1, which is actually the IP
address of a NAT gateway. The NAT gateway rewrote the destination IP to
192.168.0.1 but then decided to return the rather unusual ICMP 11. When it
did so, it neglected to rewrite the source in the ICMP to 212.59.0.1, so
connection tracking on your firewall didn't recognize it as being
associated with the original 'ping' and it was rejected. You can add a
DROP icmp 11 rule to /etc/shorewall/icmpdef if you want to silently drop
these.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
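An added example, not part of the thread or of Shorewall itself: a small parser for entries like the one quoted above. Netfilter logs an ICMP error as the outer packet followed by the embedded original packet in `[...]`; splitting the two makes it easy to see what the error is answering, and to check that the error is addressed back to the sender of the embedded packet (the NAT-rewrite mismatch described in the reply). The sample line is the thread's own entry re-joined onto one line; the TCP line is constructed.

```python
import re

# Constructed sample: the entry quoted in the thread, re-joined onto one line.
SAMPLE = ("Oct 26 19:07:17 avalon kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
          "SRC=192.168.0.1 DST=192.168.0.2 LEN=88 TOS=0x08 PREC=0xC0 TTL=64 ID=48775 "
          "PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.0.2 DST=212.59.0.1 LEN=60 TOS=0x08 "
          "PREC=0x00 TTL=1 ID=14867 DF PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=47620 ]")

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded"}
TOKEN = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value; a bare flag such as DF is skipped

def _fields(text):
    return dict(TOKEN.findall(text))

def parse_shorewall(line):
    """Split a Shorewall log line into chain, target, the outer packet header and,
    for ICMP errors, the embedded original packet that netfilter prints in [...]."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    chain, target, rest = m.groups()
    outer_txt, _, inner_txt = rest.partition("[")
    return {"chain": chain, "target": target, "outer": _fields(outer_txt),
            "inner": _fields(inner_txt) if inner_txt else None}

def error_is_consistent(entry):
    """An ICMP error must go back to the sender of the embedded packet, so the
    outer DST should equal the inner SRC. A mismatch is the symptom the reply
    describes: one side of the error was NAT-translated and the other was not."""
    i = entry["inner"]
    return i is not None and entry["outer"].get("DST") == i.get("SRC")

def describe(entry):
    """Plain-language reading of the entry for someone triaging the log."""
    o, i = entry["outer"], entry["inner"]
    # netfilter convention: an empty IN= means the packet originated on this host
    origin = "generated on the firewall itself" if o.get("IN", "") == "" else "arrived on " + o["IN"]
    proto = o["PROTO"]
    if proto == "ICMP":
        proto += f" type {o['TYPE']} ({ICMP_TYPES.get(int(o['TYPE']), 'other')})"
    text = (f"{entry['target']} in chain {entry['chain']}: {o['SRC']} -> {o['DST']} {proto}, "
            f"{origin}, leaving on {o.get('OUT') or '-'}")
    if i:
        text += f"; answers {i['SRC']} -> {i['DST']} {i['PROTO']} type {i.get('TYPE')} with TTL={i.get('TTL')}"
    return text

if __name__ == "__main__":
    entry = parse_shorewall(SAMPLE)
    print(describe(entry))
    print("error addressed to the embedded packet's sender:", error_is_consistent(entry))
```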