Ted Gervais
2003-Feb-27 15:23 UTC
[Shorewall-users] Unknown commments in shorewall status.
I wonder if someone can tell me what these ''unknown'' remarks
mean in my
status file. They are only in the last portion of the file and are listed
below. If they mean nothing, I will rest easy. But if not it means
I need to fix something. Your thoughts would be appreciated.
----------------
udp 17 92 src=24.224.173.220 dst=24.222.0.75 sport=1027 dport=53
src=24.222.0.75 dst=24.224.173.220 sport=53 dport=1027 [ASSURED] use=1
unknown 93 405 src=44.135.34.201 dst=44.135.34.4 src=44.135.34.4
dst=44.135.34.201 use=1
unknown 4 403 src=24.224.173.220 dst=62.238.66.67 src=62.238.66.67
dst=24.224.173.220 use=1
tcp 6 431986 ESTABLISHED src=192.168.0.147 dst=207.46.106.121
sport=1045 dport=1863 src=207.46.106.121 dst=24.224.173.220 sport=1863
dport=1045 [ASSURED] use=1
unknown 4 521 src=24.224.173.220 dst=24.138.74.225 src=24.138.74.225
dst=24.224.173.220 use=1
tcp 6 29 TIME_WAIT src=44.135.34.201 dst=44.135.85.56 sport=1558
dport=87 src=44.135.85.56 dst=44.135.34.201 sport=87 dport=1558 [ASSURED]
use=1
udp 17 23 src=24.222.230.1 dst=255.255.255.255 sport=67 dport=68
[UNREPLIED] src=255.255.255.255 dst=24.222.230.1 sport=68 dport=67 use=1
unknown 93 403 src=44.135.34.201 dst=44.137.28.48 src=44.137.28.48
dst=44.135.34.201 use=1
tcp 6 41 SYN_SENT src=44.135.34.201 dst=44.135.85.111 sport=1559
dport=87 [UNREPLIED] src=44.135.85.111 dst=44.135.34.201 sport=87
dport=1559 use=1
tcp 6 3 TIME_WAIT src=44.135.34.201 dst=44.135.85.30 sport=1557
dport=23 src=44.135.85.30 dst=44.135.34.201 sport=23 dport=1557 [ASSURED]
use=1
---
Ted Gervais
Coldbrook Nova Scotia
Canada B4R1A7
-------------- next part --------------
44.137.28.48 via 62.238.66.67 dev tunl0 proto static onlink
24.224.173.0/24 dev eth0 proto kernel scope link src 24.224.173.220
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
127.0.0.0/8 dev lo scope link
44.0.0.0/8 via 24.138.74.225 dev tunl0 proto static onlink
default via 24.224.173.1 dev eth0
-------------- next part --------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
44.137.28.48 62.238.66.67 255.255.255.255 UGH 0 0 0 tunl0
24.224.173.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
44.0.0.0 24.138.74.225 255.0.0.0 UG 0 0 0 tunl0
0.0.0.0 24.224.173.1 0.0.0.0 UG 0 0 0 eth0
-------------- next part --------------
[H[JShorewall-1.3.14 Status at linux.ve1drg.ampr.org - Thu Feb 27 19:10:53 AST
2003
Counters reset Wed Feb 26 20:50:34 AST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
310 15500 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
16820 7400K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
332 45305 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
3726 828K tunl_in all -- tunl+ * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14786 14M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11823 1055K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 tunl_fwd all -- tunl+ * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
310 15500 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
74 7159 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
20552 3257K fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
385 49101 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
6844 1655K fw2peers all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
391 49822 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (6 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
717 94406 common all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
2 120 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
18 1580 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
1084 141K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
22 3531 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
24.224.173.255
0 0 DROP all -- * * 0.0.0.0/0
192.168.0.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
14786 14M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
14786 14M net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
16820 7400K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
5143 1690K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
11677 5710K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
11823 1055K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
11823 1055K loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
332 45305 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
332 45305 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
17224 2809K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
654 30108 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
36 2161 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
2637 416K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2peers (1 references)
pkts bytes target prot opt in out source destination
5641 1336K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
1203 319K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:20
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:24
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:139
332 45305 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
10656 998K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
20 805 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
1147 56984 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
14786 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
154 19400 common all -- * * 0.0.0.0/0 0.0.0.0/0
154 19400 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
154 19400 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
11267 5633K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3 120 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:20
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:21
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:24
13 1158 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:137
238 56391 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:139
154 19400 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
677 31033 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain peers2fw (1 references)
pkts bytes target prot opt in out source destination
3664 824K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
62 4239 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
2 120 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain tunl_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain tunl_in (1 references)
pkts bytes target prot opt in out source destination
3726 828K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
3726 828K peers2fw all -- * * 0.0.0.0/0 0.0.0.0/0
NAT Table
Chain PREROUTING (policy ACCEPT 2344 packets, 341K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 742 packets, 66163 bytes)
pkts bytes target prot opt in out source destination
1669 110K eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2172 packets, 195K bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
1120 55712 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 47797 packets, 24M bytes)
pkts bytes target prot opt in out source destination
47797 24M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 21188 packets, 8289K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 26609 packets, 15M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28556 packets, 5034K bytes)
pkts bytes target prot opt in out source destination
28556 5034K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 53965 packets, 20M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
3 180 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
245 33414 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
127 7563 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
125 6620 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
381 31616 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
93 7824 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
152 135K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
udp 17 92 src=24.224.173.220 dst=24.222.0.75 sport=1027 dport=53
src=24.222.0.75 dst=24.224.173.220 sport=53 dport=1027 [ASSURED] use=1
unknown 93 405 src=44.135.34.201 dst=44.135.34.4 src=44.135.34.4
dst=44.135.34.201 use=1
unknown 4 403 src=24.224.173.220 dst=62.238.66.67 src=62.238.66.67
dst=24.224.173.220 use=1
tcp 6 431986 ESTABLISHED src=192.168.0.147 dst=207.46.106.121 sport=1045
dport=1863 src=207.46.106.121 dst=24.224.173.220 sport=1863 dport=1045 [ASSURED]
use=1
unknown 4 521 src=24.224.173.220 dst=24.138.74.225 src=24.138.74.225
dst=24.224.173.220 use=1
tcp 6 29 TIME_WAIT src=44.135.34.201 dst=44.135.85.56 sport=1558 dport=87
src=44.135.85.56 dst=44.135.34.201 sport=87 dport=1558 [ASSURED] use=1
udp 17 23 src=24.222.230.1 dst=255.255.255.255 sport=67 dport=68
[UNREPLIED] src=255.255.255.255 dst=24.222.230.1 sport=68 dport=67 use=1
unknown 93 403 src=44.135.34.201 dst=44.137.28.48 src=44.137.28.48
dst=44.135.34.201 use=1
tcp 6 41 SYN_SENT src=44.135.34.201 dst=44.135.85.111 sport=1559 dport=87
[UNREPLIED] src=44.135.85.111 dst=44.135.34.201 sport=87 dport=1559 use=1
tcp 6 3 TIME_WAIT src=44.135.34.201 dst=44.135.85.30 sport=1557 dport=23
src=44.135.85.30 dst=44.135.34.201 sport=23 dport=1557 [ASSURED] use=1
-------------- next part --------------
Shorewall-1.3.14 Log at linux.ve1drg.ampr.org - Thu Feb 27 19:12:03 AST 2003
Counters reset Wed Feb 26 20:50:34 AST 2003
--On Thursday, February 27, 2003 07:20:42 PM -0400 Ted Gervais <ve1drg@av.eastlink.ca> wrote:> > I wonder if someone can tell me what these ''unknown'' remarks mean in my > status file. They are only in the last portion of the file and are listed > below. If they mean nothing, I will rest easy. But if not it means > I need to fix something. Your thoughts would be appreciated.They are simply protocols that iptables doesn''t know about; 4 (IPIP) and 93 (AX.25). They are harmless. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net
--On Thursday, February 27, 2003 03:26:36 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:> > They are simply protocols that iptables doesn''t know about; 4 (IPIP) and > 93 (AX.25). They are harmless. >Or more correctly, they are protocols that NetFilter doesn''t know about (being a user-space program, iptables could always use the /etc/protocols file). The connection tracking report is generated by "cat proc/net/ip_conntrack". -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ teastep@shorewall.net
Ted Gervais
2003-Feb-27 15:52 UTC
[Shorewall-users] Unknown commments in shorewall status.
On Thu, 27 Feb 2003, Tom Eastep wrote: Thanks Tom. I was thinking it might have something to do with the protocol 93 stuff (ax25-axip) that we dealt with recently, and sure enough I guess it does. Thanks again for your thoughts..> > > --On Thursday, February 27, 2003 03:26:36 PM -0800 Tom Eastep > <teastep@shorewall.net> wrote: > > > > > They are simply protocols that iptables doesn''t know about; 4 (IPIP) and > > 93 (AX.25). They are harmless. > > > > Or more correctly, they are protocols that NetFilter doesn''t know about > (being a user-space program, iptables could always use the /etc/protocols > file). The connection tracking report is generated by "cat > proc/net/ip_conntrack". > > -Tom > -- > Tom Eastep \ Shorewall - iptables made easy > Shoreline, \ http://www.shorewall.net > Washington USA \ teastep@shorewall.net > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users > Support: http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm >--- Ted Gervais Coldbrook Nova Scotia Canada B4R1A7