Costantino Balletta
2003-Apr-30 17:33 UTC
[Shorewall-users] Shorewall script starts before ppp0 is up
Following your suggestion I move to the mailing list.

Please let me know whether there is something I can do to let you have a better picture and understand what is going on.

Costantino Balletta

> Following your suggestion I move to the mailing list.
>
> Please let me know whether there is something I can do to let you have
> a better picture and understand what is going on.

Did I miss something? What you can do to let us have a better picture is asking a question and providing us with some info... ;-)

Just a quick guess from the subject: Change the starting number of the init script:

/etc/rc.d/rc[2345].d/S25shorewall

YMMV, HTH
karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
Tom Eastep
2003-Apr-30 18:29 UTC
[Shorewall-users] Shorewall script starts before ppp0 is up
On Thu, 1 May 2003 02:32:45 +0200, Costantino Balletta <costantino.balletta@wanadoo.fr> wrote:

> Following your suggestion I move to the mailing list.
>
> Please let me know whether there is something I can do to let you have a
> better picture and understand what is going on.
>

Costantino --

Let me draw you a picture.

The entire DeveloperCube site has 84 members, of which only a few have any interest in Shorewall. Consequently, I end up having to do all of the question answering there. That is why I ask that the forum be limited to quick "howto" and "where do I find" questions.

On this mailing list, there are over 600 Shorewall Users, many of whom have been using Shorewall since version 1.0. That means that there is a good chance that someone here has seen a problem similar to yours. So when I ask people to move their topic here to the mailing list, it is so other folks can help out and you can get your problem solved sooner.

But for them to help out, you need to tell them what your problem/question is.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Michael Mansour
2003-Apr-30 22:32 UTC
[Shorewall-users] Shorewall script starts before ppp0 is up
What's the problem Costantino?

From the subject header, it seems simple enough.

Michael.

--- Costantino Balletta <costantino.balletta@wanadoo.fr> wrote:

> Following your suggestion I move to the mailing
> list.
>
> Please let me know whether there is something I can
> do to let you have
> a better picture and understand what is going on.
>
> Costantino Balletta
Hello,

I have been going through my logs lately, and I have noticed a few of these sporadically:

Apr 30 19:05:32 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=216.211.130.20 DST=144.132.209.54 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=20 DPT=1076 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

I have no idea what these are caused by. I know that port 20 is the FTP data port, but I do not understand why such rejects are occurring, as far as I know any SPT=20 traffic my server generates should be tracked and handled without rejection.

This is from the log of a web/ftp server running shorewall locally.

Any ideas?

Alex Martin
Rett Consulting
http://www.rettc.com
Hi Alex,

On Wed, 30 Apr 2003 23:35:06 -0700, Alex Martin <shorewall@rettc.com> wrote:

> Hello,
>
> I have been going through my logs lately, and I have noticed a few of
> these sporadically:
>
> Apr 30 19:05:32 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=216.211.130.20 DST=144.132.209.54 LEN=60 TOS=0x08 PREC=0x00 TTL=64
> ID=0 DF PROTO=TCP SPT=20 DPT=1076 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
>
> I have no idea what these are caused by. I know that port 20 is the FTP
> data port, but I do not understand why such rejects are occurring, as far
> as I know any SPT=20 traffic my server generates should be tracked and
> handled without rejection.
>

I have seen these too and have conjectured that there is a bug in the FTP connection tracking code that doesn't show up very often and that is probably triggered by a particular FTP client.

I run an FTP server in my DMZ and to compensate for this anomaly, I have this rule:

ACCEPT:$LOG dmz net tcp 1024: 20

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
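
Added example, not part of the original posts: a small Python filter that picks entries like the one Alex quotes (a blocked SYN leaving an interface from source port 20 to a port at or above 1024) out of a Shorewall log and counts them per address pair, to show how often the pattern the ACCEPT rule compensates for occurs. The function names are illustrative, and every sample line after the first is constructed.

```python
import re
from collections import Counter

# Shorewall prefix "Shorewall:<chain>:<disposition>:" then netfilter KEY=VALUE fields.
PREFIX = re.compile(r"Shorewall:([^:]+):([^:]+):(.*)$")

def parse(line):
    """Parse one Shorewall kernel log line into a dict, or return None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1), "disp": m.group(2), "flags": set()}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val         # "IN=" yields an empty string
        else:
            rec["flags"].add(tok)  # bare tokens such as DF, SYN, ACK, CWR, ECE
    return rec

def is_ftp_data_reject(rec):
    """True for a blocked initial SYN leaving an interface from port 20 to a port >= 1024."""
    if not rec or rec["disp"] not in ("REJECT", "DROP"):
        return False
    if rec.get("PROTO") != "TCP" or not rec.get("OUT"):
        return False
    if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
        return False
    dpt = rec.get("DPT", "")
    return rec.get("SPT") == "20" and dpt.isdigit() and int(dpt) >= 1024

def summarize(lines):
    """Count matching entries per (SRC, DST) address pair."""
    hits = (r for r in map(parse, lines) if is_ftp_data_reject(r))
    return Counter((r.get("SRC"), r.get("DST")) for r in hits)

SAMPLE = [
    # First entry is the one quoted in the thread; the others are constructed.
    "Apr 30 19:05:32 carter kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=216.211.130.20 DST=144.132.209.54 LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=0 "
    "DF PROTO=TCP SPT=20 DPT=1076 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Apr 30 19:06:01 carter kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40122 DPT=22 SYN URGP=0",
    "Apr 30 19:07:44 carter kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth0 "
    "SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=20 DPT=3050 SYN URGP=0",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

The inbound DROP to port 22 is ignored because its OUT field is empty; the forwarded entry (both IN and OUT set) is counted, matching the DMZ server case in Tom's reply.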