(firewall: 192.168.1.231)

In this instance I'm trying to send mail from my mailserver (192.168.1.211):

May 13 02:51:56 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.211 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41790 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.211 DST=65.54.166.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50958 DF PROTO=TCP SPT=32796 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 ]
May 13 02:52:02 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.211 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41791 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.211 DST=65.54.166.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50959 DF PROTO=TCP SPT=32796 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 ]

In this case I'm trying to use lynx to connect to mandrake.com from 192.168.1.211:

May 13 03:02:57 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.211 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41801 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.211 DST=63.209.80.245 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14522 DF PROTO=TCP SPT=32807 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]
May 13 03:03:00 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.211 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41802 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.211 DST=63.209.80.245 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14523 DF PROTO=TCP SPT=32807 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 ]

1 - I've looked at all the routing information I can find - and I don't see where I would be routing eth1 back into eth1
2 - what is the secondary message in the []?
3 - could I be doing something wrong with the cabling into the switch on the loc domain?
Here is my shorewall/rules file:

#ACTION   SOURCE   DEST               PROTO   DEST     SOURCE    ORIGINAL
#                                             PORT     PORT(S)   DEST
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT    fw       net                tcp     53
ACCEPT    fw       net                udp     53
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT    loc      fw                 tcp     22
ACCEPT    loc      dmz                tcp     22
#
# DMZ DNS access to the Internet
#
ACCEPT    dmz      net                tcp     53
ACCEPT    dmz      net                udp     53
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT    net      fw                 icmp    8
ACCEPT    loc      fw                 icmp    8
ACCEPT    dmz      fw                 icmp    8
ACCEPT    loc      dmz                icmp    8
ACCEPT    dmz      loc                icmp    8
ACCEPT    dmz      net                icmp    8
ACCEPT    fw       loc                icmp    8
ACCEPT    fw       dmz                icmp    8
ACCEPT    net      dmz                icmp    8     # Only with Proxy ARP and
############################
# my mods start here
############################
# SMTP
DNAT      net      loc:192.168.1.211  tcp     25     -
ACCEPT    loc      net                tcp     25     -
ACCEPT    loc      net                icmp    25
# NTP
ACCEPT    loc      net                udp     123
ACCEPT    net      loc                udp     123
# web viewing
ACCEPT    loc      net                tcp     80
ACCEPT    loc      net                tcp     443
# http to the firewall
ACCEPT    loc      fw                 tcp     80
# webmin
ACCEPT    loc      fw                 tcp     10000
# DNS (cont'd)
ACCEPT    loc      net                tcp     53
ACCEPT    loc      net                udp     53
# DNS (to run a NS on the FW)
ACCEPT    loc      fw                 tcp     53
ACCEPT    loc      fw                 udp     53
# NIS
ACCEPT    fw       loc                udp     975
ACCEPT    fw       loc                tcp     978
# ?? what is this port for ?? shows up in syslog
ACCEPT    fw       loc                udp     111
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
On Tue, 13 May 2003 09:21:59 -0700, jony <jony@lupinesystems.net> wrote:

> 1 - I've looked at all the routing information I can find - and I don't
> see where I would be routing eth1 back into eth1
> 2 - what is the secondary message in the []?
> 3 - could I be doing something wrong with the cabling into the switch on
> the loc domain?

Please post the output of "route -n" and the contents of your /etc/shorewall/interfaces file.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 13 May 2003 09:51:50 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Tue, 13 May 2003 09:21:59 -0700, jony <jony@lupinesystems.net> wrote:
>
>> 1 - I've looked at all the routing information I can find - and I don't
>> see where I would be routing eth1 back into eth1
>> 2 - what is the secondary message in the []?
>> 3 - could I be doing something wrong with the cabling into the switch on
>> the loc domain?
>
> Please post the output of "route -n" and the contents of your
> /etc/shorewall/interfaces file.

Also please include the output from "arp -a"

Thanks,
-Tom
May 20 10:09:47 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:10:5a:a9:e0:e0:00:d0:a8:00:7e:21:08:00 SRC=192.168.100.2 DST=192.168.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32772 DPT=7741 LEN=24
May 20 10:30:49 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:d0:a8:00:9c:2d:08:00 SRC=192.168.100.10 DST=192.168.100.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32772 DPT=7741 LEN=24

Both are directed at the .255 address for the subnet (in my DMZ) to port 7741. I recently moved my email server into the DMZ but am having problems getting it networked properly. When I reboot it isn't setting the default gateway properly (in fact, it's clearing it altogether), which might explain why it's trying to send this odd packet to 192.168.1.255 instead of 192.168.100.255 like the other machine.

What is happening at port 7741 and why would the server be sending to xx.xx.xx.255 at this port?
On Tue, 20 May 2003, jony wrote:

> May 20 10:09:47 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:10:5a:a9:e0:e0:00:d0:a8:00:7e:21:08:00 SRC=192.168.100.2 DST=192.168.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32772 DPT=7741 LEN=24
> May 20 10:30:49 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:d0:a8:00:9c:2d:08:00 SRC=192.168.100.10 DST=192.168.100.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32772 DPT=7741 LEN=24
>
> Both are directed at the .255 address for the subnet (in my DMZ) to port
> 7741. I recently moved my email server into the DMZ but am having
> problems getting it networked properly. When I reboot it isn't setting
> the default gateway properly (in fact, it's clearing it altogether), which
> might explain why it's trying to send this odd packet to 192.168.1.255
> instead of 192.168.100.255 like the other machine.

You need to update the broadcast address for eth2 in /etc/shorewall/interfaces (or if 'detect' is specified, you need to refresh shorewall).

> What is happening at port 7741 and why would the server be sending to
> xx.xx.xx.255 at this port?

'netstat -unap' on the server may help locate the culprit. FWIW, 7741 isn't an IETF-registered port and doesn't show up on the Simovitz list (which is somewhat out of date).

-Tom
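As an added example (not code from the thread or from the Shorewall project), here is a small Python triage script for the netfilter log lines quoted in both posts above. It answers the 13 May question about the bracketed text: when netfilter logs an ICMP error message, the part in [ ] is the IP/TCP header of the original packet that triggered the error, so each of those lines records the firewall telling 192.168.1.211 "network unreachable" about its own SYN to port 25 or 80. It also checks the 20 May DST addresses against each interface's broadcast address, separating a packet aimed at eth2's own broadcast (the interfaces-file fix Tom describes) from one aimed at another subnet's broadcast (a misconfigured sender). The eth1/eth2 subnet mapping is an assumption inferred from the addresses in the thread, and the sample lines are copied from the posts.

```python
import ipaddress
import re

# Log lines copied from the posts above: the first ICMP line from the
# 13 May post and both UDP lines from the 20 May post.
SAMPLE_LINES = [
    "May 13 02:51:56 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
    "SRC=192.168.1.231 DST=192.168.1.211 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41790 "
    "PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.211 DST=65.54.166.99 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=50958 DF PROTO=TCP SPT=32796 DPT=25 WINDOW=5840 RES=0x00 "
    "SYN URGP=0 ]",
    "May 20 10:09:47 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= "
    "MAC=00:10:5a:a9:e0:e0:00:d0:a8:00:7e:21:08:00 SRC=192.168.100.2 "
    "DST=192.168.1.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=32772 DPT=7741 LEN=24",
    "May 20 10:30:49 graendal kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:d0:a8:00:9c:2d:08:00 SRC=192.168.100.10 "
    "DST=192.168.100.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=32772 DPT=7741 LEN=24",
]

# ASSUMPTION: interface-to-subnet mapping inferred from the addresses in the
# thread; the posts never state it, so treat these values as placeholders.
IFACE_NETWORKS = {
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
    "eth2": ipaddress.ip_network("192.168.100.0/24"),
}

# ICMP type 3 (destination unreachable) codes, per RFC 792 / RFC 1122.
ICMP_UNREACH = {
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
INNER_RE = re.compile(r"\[(?P<inner>[^\]]*)\]")


def parse_fields(text):
    """Turn KEY=VALUE tokens into a dict; bare flags (DF, SYN) become True.

    LEN appears twice on TCP/UDP lines (IP total length, then the L4 length),
    so a repeated key is stored as KEY_ instead of overwriting the first.
    """
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # MAC values contain colons, never '='
            while key in fields:
                key += "_"
            fields[key] = val
        else:
            fields[tok] = True
    return fields


def parse_shorewall_line(line):
    """Split one kernel log line into chain, action, outer header and, for ICMP
    errors, the bracketed header of the packet that triggered the error."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    inner = None
    im = INNER_RE.search(rest)
    if im:
        inner = parse_fields(im.group("inner"))
        rest = rest[:im.start()] + rest[im.end():]
    return {"chain": m.group("chain"), "action": m.group("action"),
            "outer": parse_fields(rest), "inner": inner}


def explain(rec):
    """Return (kind, human-readable explanation) for one parsed record."""
    outer, inner = rec["outer"], rec["inner"]
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and inner:
        code = int(outer.get("CODE", -1))
        reason = ICMP_UNREACH.get(code, "code %d" % code)
        return ("icmp-unreachable", "%s told %s '%s' about its %s packet to %s:%s" % (
            outer["SRC"], outer["DST"], reason, inner.get("PROTO"),
            inner.get("DST"), inner.get("DPT")))
    iface = outer.get("IN") or outer.get("OUT")
    dst = ipaddress.ip_address(outer["DST"])
    net = IFACE_NETWORKS.get(iface)
    if net is not None and dst == net.broadcast_address:
        return ("local-broadcast", "%s is the broadcast address of %s (%s); declare "
                "it in /etc/shorewall/interfaces or refresh 'detect'" % (dst, iface, net))
    for other, other_net in IFACE_NETWORKS.items():
        if other != iface and dst == other_net.broadcast_address:
            return ("foreign-broadcast", "%s arrived on %s but is the broadcast of %s "
                    "(%s): check the sender's address/gateway config" % (
                        dst, iface, other, other_net))
    return ("other", "%s -> %s proto %s" % (outer["SRC"], dst, outer.get("PROTO")))


def triage(lines):
    """Parse and classify log lines; lines that are not Shorewall logs are skipped."""
    return [explain(rec) for rec in map(parse_shorewall_line, lines) if rec is not None]


if __name__ == "__main__":
    for kind, text in triage(SAMPLE_LINES):
        print("%-18s %s" % (kind, text))
```

Run it as-is to see the three classifications; to use it on a real box, feed it lines from the kernel log (`grep Shorewall /var/log/messages`) and replace IFACE_NETWORKS with the subnets actually bound to each interface.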