Hi, I am getting occasional rejected packets like so:

Jul 31 09:52:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.91 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=55364 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 31 09:52:46 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.26 DST=10.9.100.30 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=50630 DF PROTO=TCP SPT=2543 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0

eth0 is a connection out to a bunch of private IPs and eth2 is my local LAN address. So people are telnetting and FTPing out to the networks on eth0 and every so often a packet is rejected. Does anyone know what that is? If you would like more detailed info I am happy to post it; however, the fact that the connection works but drops the odd packet seems the most worrying. The connections work and the user doesn't seem to notice anything, as it's like 1 packet in thousands, but I am a bit concerned there is some kind of inconsistency here.

thanks
dave
On 31 Jul 2003 09:53:14 +1000, Dave Kempe <david@solutionsfirst.com.au> wrote:

> Jul 31 09:52:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth2
> OUT=eth0 SRC=192.168.10.91 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00
> TTL=127 ID=55364 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN
> URGP=0
>
> Jul 31 09:52:46 firewall kernel: Shorewall:all2all:REJECT:IN=eth2
> OUT=eth0 SRC=192.168.10.26 DST=10.9.100.30 LEN=48 TOS=0x00 PREC=0x00
> TTL=127 ID=50630 DF PROTO=TCP SPT=2543 DPT=21 WINDOW=16384 RES=0x00 SYN
> URGP=0
>
> The connections work and the user doesn't seem to notice anything, as it's
> like 1 packet in thousands, but I am a bit concerned there is some kind
> of inconsistency here.

Did you restart your firewall at around 9:52 this morning?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Yeah I restarted it a bit before those logs.
Does that make a difference?
Is it something to do with SYN packets?

dave

On Thu, 2003-07-31 at 09:58, Tom Eastep wrote:
> Did you restart your firewall at around 9:52 this morning?
>
> -Tom
On 31 Jul 2003 10:22:42 +1000, Dave Kempe <david@solutionsfirst.com.au> wrote:

> Yeah I restarted it a bit before those logs.
> Does that make a difference?
> Is it something to do with SYN packets?

The point is that you can get these messages when people try to connect during a "shorewall restart".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
well, the last restart was at 9.32 and I have another log here:

Jul 31 10:33:54 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.37 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14149 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0

I guess something is falling through the rules and hitting the all2all chain. Again, it's only the odd packet.

dave

On Thu, 2003-07-31 at 10:26, Tom Eastep wrote:
> The point is that you can get these messages when people try to connect
> during a "shorewall restart".
On 31 Jul 2003 10:36:18 +1000, Dave Kempe <david@solutionsfirst.com.au> wrote:

> well, the last restart was at 9.32 and I have another log here:
>
> Jul 31 10:33:54 firewall kernel: Shorewall:all2all:REJECT:IN=eth2
> OUT=eth0 SRC=192.168.10.37 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00
> TTL=127 ID=14149 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN
> URGP=0
>
> I guess something is falling through the rules and hitting the all2all
> chain. Again, it's only the odd packet.

You don't have more than one interface connected to the same hub/switch do you?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
That'd be it. I think I need a crossover cable :)

thanks,
dave

On Thu, 2003-07-31 at 10:39, Tom Eastep wrote:
> You don't have more than one interface connected to the same hub/switch do
> you?
On 31 Jul 2003 10:46:15 +1000, Dave Kempe <david@solutionsfirst.com.au> wrote:

> On Thu, 2003-07-31 at 10:39, Tom Eastep wrote:
>> You don't have more than one interface connected to the same hub/switch
>> do you?
>
> That'd be it.

All of the multi-interface QuickStart guides AND the troubleshooting guide tell you not to do that. Please tell me where I can document this so that people will read it....

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
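Tom's two diagnostic questions in this thread (was the firewall restarted just before the rejects, and if not, is something structurally wrong, such as two interfaces on one hub/switch) can be checked mechanically against the log rather than by eye. The Python script below is an added example written for this page, not Shorewall's own code: it parses kernel log lines in the format quoted above, counts what is hitting each policy chain by interface pair and destination port, and separates rejects that fall within a window after a known restart (expected transients while the ruleset reloads) from those that do not, which point at a standing problem. The sample input reuses the three REJECT lines quoted in the thread plus two constructed lines; the restart time of 09:32 and the year 2003 come from the thread, and the 30-second window is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex for the kernel log format shown in the thread: syslog timestamp, host,
# then "Shorewall:<chain>:<action>:" followed by the netfilter field dump.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)


def parse_line(line, year=2003):
    """Parse one Shorewall/netfilter log line into a dict, or return None if
    the line is not a Shorewall log line. Syslog timestamps omit the year, so
    it is passed in; 2003 is taken from the thread's mail headers."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.append(tok)  # bare tokens such as DF and SYN
    return {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in flags,  # first packet of a new connection
    }


def parse_log(text, year=2003):
    """Parse every Shorewall line in a block of log text, skipping the rest."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def summarize(records):
    """Count entries by chain/action/interface pair/protocol/destination port.
    This is the view that shows whether a policy chain such as all2all is
    catching traffic that a specific rule should have matched."""
    return Counter(
        (r["chain"], r["action"], r["in"], r["out"], r["proto"], r["dpt"])
        for r in records
    )


def classify(records, restarts, window=timedelta(seconds=30)):
    """Split records into those logged within `window` after a known restart
    (transients while the ruleset is reloaded) and those outside any window,
    which indicate a standing problem such as two interfaces on one segment.
    The 30-second default is an assumed value, not a Shorewall figure."""
    transient, persistent = [], []
    for r in records:
        if any(timedelta(0) <= r["ts"] - t <= window for t in restarts):
            transient.append(r)
        else:
            persistent.append(r)
    return transient, persistent


# Sample input: the three REJECT lines quoted in the thread, plus two
# constructed lines (a reject shortly after the 09:32 restart, and a
# non-Shorewall kernel line that the parser must skip).
SAMPLE_LOG = """\
Jul 31 09:32:08 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.91 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1101 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 31 09:52:03 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.91 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=55364 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 31 09:52:46 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.26 DST=10.9.100.30 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=50630 DF PROTO=TCP SPT=2543 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 31 10:30:00 firewall kernel: eth0: link up
Jul 31 10:33:54 firewall kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth0 SRC=192.168.10.37 DST=132.147.22.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14149 DF PROTO=TCP SPT=1147 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# "the last restart was at 9.32" (from the thread)
RESTARTS = [datetime(2003, 7, 31, 9, 32, 0)]

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    transient, persistent = classify(records, RESTARTS)
    for key, n in sorted(summarize(persistent).items()):
        print(n, key)
    print(f"{len(transient)} reject(s) inside a restart window, "
          f"{len(persistent)} outside any window")
```

On the sample input, one reject falls inside the restart window and three do not; all three persistent entries are SYN packets from eth2 to eth0 in all2all, which is the pattern that led Tom to ask about the shared hub/switch rather than the restart. Feeding real `/var/log/messages` output and the actual restart times from the firewall's own log gives the same split on live data.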
Tom, thanks heaps for a great product and your very quick response. I was upgrading the firewall software on this machine and had forgotten that it had that configuration. It's not a big deal as eth2 is only used for very occasional access and only has 1 machine out that interface. It's an old server soon to be phased out so the odd stray packet doesn't matter too much.

thanks again for your help,
dave

On Thu, 2003-07-31 at 10:54, Tom Eastep wrote:
> All of the multi-interface QuickStart guides AND the troubleshooting guide
> tell you not to do that. Please tell me where I can document this so that
> people will read it....
On 01 Aug 2003 11:32:18 +1000, Dave Kempe <david@solutionsfirst.com.au> wrote:

> thanks again for your help,

You're most welcome.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net