Ok, everything seems to work fine... Was making some changes to my network layout, so I was watching the logs for errors... Running shorewall 1.3.11 (I know it's old, but I haven't needed any of the new features) on a Bering 1.0 firewall.. Here's the error I saw:

Jul 17 16:21:39 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1 DST=64.216.105.3 LEN=82 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56260 DPT=53 LEN=62

Here's the pertinent part of my rules:

ACCEPT dmz:192.168.2.1 net udp domain
ACCEPT dmz:192.168.2.1 net tcp domain
ACCEPT dmz:192.168.2.1 net udp - domain
ACCEPT dmz:192.168.2.1 net tcp - domain

Shouldn't those rules cover it?

---
Homer Parker                    /"\  ASCII Ribbon Campaign
http://www.homershut.net        \ /  No HTML/RTF in email
telnet://bbs.homershut.net       x   No Word docs in email
                                / \  Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.
On Thu, 17 Jul 2003 16:40:57 -0500 Homer Parker <hparker@homershut.net> wrote....

> Jul 17 16:21:39 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> DST=64.216.105.3 LEN=82 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=56260 DPT=53 LEN=62

Nevermind... I've been out in the sun too long today... 64.216.105.3 is my IP... Sorry for the noise..

---
Homer Parker
On Thu, 2003-07-17 at 14:40, Homer Parker wrote:

> Ok, everything seems to work fine... Was making some changes to my
> network layout, so I was watching the logs for errors... Running
> shorewall 1.3.11 (I know it's old, but I haven't needed any of the new
> features) on a Bering 1.0 firewall.. Here's the error I saw:
>
> Jul 17 16:21:39 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=
> MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1
> DST=64.216.105.3 LEN=82 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=56260 DPT=53 LEN=62
>
> Here's the pertinent part of my rules:
>
> ACCEPT dmz:192.168.2.1 net udp domain
> ACCEPT dmz:192.168.2.1 net tcp domain
> ACCEPT dmz:192.168.2.1 net udp - domain
> ACCEPT dmz:192.168.2.1 net tcp - domain
>
> Shouldn't those rules cover it?

How can we tell given that we haven't a clue which interface goes to which zone?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-07-17 at 14:53, Homer Parker wrote:

> As I replied to myself, 64.216.105.3 is my IP... Too much sun today
> (it's like 110 out there! :( )... Thanks for the quick reply, sorry for
> the noise :(

No problem -- I should have pointed out in my original reply that the packet was destined for the firewall rather than for the 'net' zone and I can't even blame the heat (< 80 F here today).

-Tom
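The tell that Tom points out is visible in the log line itself: netfilter prints an empty OUT= when it logs a packet from the INPUT path, i.e. the packet is addressed to the firewall itself and never reaches the forwarding rules for dmz->net. The script below is an added example, not code from the thread or from the Shorewall project; it parses a Shorewall 1.3 log line, works out which zone pair the packet actually crossed, checks it against the four rules the original poster showed, and prints the rule that would be needed instead. The interface-to-zone map (eth2 = dmz, eth0 = net), the firewall's address list, the firewall zone name "fw", and the second, dmz->net log line are all constructed assumptions; the thread never states the interface layout.

```python
import re

# Constructed sample inputs (not from a live system): the first is the log line
# quoted in the thread, reassembled on one line; the second is a made-up variant
# of the same query that left through a hypothetical net interface eth0.
SAMPLE_LOG_FW = (
    "Jul 17 16:21:39 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT= "
    "MAC=00:60:08:3e:85:bd:00:90:27:1d:63:71:08:00 SRC=192.168.2.1 "
    "DST=64.216.105.3 LEN=82 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=56260 DPT=53 LEN=62"
)
SAMPLE_LOG_NET = (
    "Jul 17 16:25:02 firewall kernel: Shorewall:dmz2net:REJECT:IN=eth2 OUT=eth0 "
    "SRC=192.168.2.1 DST=198.51.100.10 LEN=82 TOS=0x10 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=56260 DPT=53 LEN=62"
)

# Assumed layout (the thread never states it): interface -> zone, the firewall's
# own addresses, and the default name of the firewall zone.
IFACE_ZONE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}
FW_ADDRS = {"64.216.105.3", "192.168.1.254", "192.168.2.254"}
FW_ZONE = "fw"

# The rules the original poster showed, verbatim (ACTION SOURCE DEST PROTO DPORT SPORT).
RULES = [
    "ACCEPT dmz:192.168.2.1 net udp domain",
    "ACCEPT dmz:192.168.2.1 net tcp domain",
    "ACCEPT dmz:192.168.2.1 net udp - domain",
    "ACCEPT dmz:192.168.2.1 net tcp - domain",
]
SERVICES = {"domain": "53"}  # service names used in the rules -> port numbers

_HDR = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_shorewall_log(line):
    """Split a Shorewall 1.3 kernel log line into chain, disposition and KEY=VALUE fields."""
    m = _HDR.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in _KV.findall(line[m.end():]):
        rec.setdefault(key, val)  # LEN= appears twice (IP, then UDP); keep the IP one
    return rec


def zone_pair(rec, iface_zone=IFACE_ZONE, fw_addrs=FW_ADDRS):
    """Work out which zone pair the packet crossed.

    An empty OUT= means netfilter logged it from the INPUT path: the packet was
    addressed to the firewall itself, not forwarded towards another zone.
    """
    src = iface_zone.get(rec["IN"], FW_ZONE) if rec.get("IN") else FW_ZONE
    if not rec.get("OUT") or rec.get("DST") in fw_addrs:
        dst = FW_ZONE
    else:
        dst = iface_zone.get(rec["OUT"], "?")
    return src, dst


def _port_ok(spec, actual):
    if spec in ("-", None):
        return True
    return SERVICES.get(spec, spec) == actual


def covering_rules(rec, rules=RULES):
    """Return the rules (from the list in the thread) that would match this packet."""
    src_zone, dst_zone = zone_pair(rec)
    hits = []
    for rule in rules:
        cols = rule.split()
        _action, source, dest, proto = cols[:4]
        dport = cols[4] if len(cols) > 4 else "-"
        sport = cols[5] if len(cols) > 5 else "-"
        zone, _, host = source.partition(":")
        if zone != src_zone or (host and host != rec.get("SRC")):
            continue
        if dest != dst_zone or proto.upper() != rec.get("PROTO"):
            continue
        if _port_ok(dport, rec.get("DPT")) and _port_ok(sport, rec.get("SPT")):
            hits.append(rule)
    return hits


def suggested_rule(rec):
    """Rule in the same column layout that would accept this packet, or None if one already does."""
    if covering_rules(rec):
        return None
    src_zone, dst_zone = zone_pair(rec)
    port_name = {v: k for k, v in SERVICES.items()}.get(rec["DPT"], rec["DPT"])
    return f"ACCEPT {src_zone}:{rec['SRC']} {dst_zone} {rec['PROTO'].lower()} {port_name}"


if __name__ == "__main__":
    for line in (SAMPLE_LOG_FW, SAMPLE_LOG_NET):
        rec = parse_shorewall_log(line)
        print(rec["chain"], zone_pair(rec), covering_rules(rec), suggested_rule(rec))
```

Run against the thread's log line, this reports the zone pair as dmz->fw, finds none of the four dmz->net rules applicable, and suggests "ACCEPT dmz:192.168.2.1 fw udp domain" (the fw zone name is an assumption). The constructed dmz->net line, by contrast, is matched by the first rule alone, because the "udp - domain" form only matches replies whose source port is 53.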