Dennys Perez
2003-Oct-01 21:08 UTC
[Shorewall-users] Tons of dropped packets in the logs....
Hi, a lot of the users that access my site have been having problems accessing it since I installed Shorewall. They keep getting an error that the page cannot be displayed. My system logs are flooded every day with lines like this...

Oct 1 21:37:33 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=521 DF PROTO=TCP SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
Oct 1 21:37:34 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=2569 DF PROTO=TCP SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
Oct 1 21:37:40 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=14858 DF PROTO=TCP SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
Oct 1 21:37:41 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=16650 DF PROTO=TCP SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
Oct 1 21:51:07 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3088 PROTO=TCP SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Oct 1 21:51:14 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3130 PROTO=TCP SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Oct 1 21:51:28 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3181 PROTO=TCP SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Oct 1 21:51:40 server kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=201.128.225.180 DST=66.135.33.138 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=41790 DF PROTO=TCP SPT=64495 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 1 21:51:43 server kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=201.128.225.180 DST=66.135.33.138 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=41792 DF PROTO=TCP SPT=64495 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 1 21:51:49 server kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=201.128.225.180 DST=66.135.33.138 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=41793 DF PROTO=TCP SPT=64495 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 1 21:51:56 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3315 PROTO=TCP SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0

As you can see, the source MAC is the same, but the IPs are different. I don't understand this.

My interfaces file looks like this:
Net eth0 detect norfc1918,routefilter,logunclean

I have tried setting NEWNOTSYN=Yes in the shorewall.conf file, but that didn't help either. Could you guys please advise on what the log lines above mean, and how to re-enable the access? I'm kind of new to this firewall deal. I added a temporary rule to accept all traffic on port 80 from the source MAC, but I don't think that's safe.

Thanks in advance
Dennys
On Wed, 1 Oct 2003, Dennys Perez wrote:

> Oct 1 21:51:56 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT=
> MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150
> DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3315 PROTO=TCP
> SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
>
> As you can see, the source MAC is the same, but the IPs are different.
> I don't understand this.
>
> My interfaces file looks like this:
> Net eth0 detect norfc1918,routefilter,logunclean
>
> I have tried setting NEWNOTSYN=Yes in the shorewall.conf file, but that
> didn't help either.

That couldn't possibly help. Packets rejected under NEWNOTSYN=No are rejected out of the 'newnotsyn' chain (see FAQ 17) while the dozens of messages you chose to include in your post are being logged from the 'logpkt' chain (caused by the 'logunclean' interface) or the 'logdrop' chain (rfc1918 interface option). Again, you should refer to FAQ 17.

> Could you guys please advise on what the log lines
> above mean, and how to re-enable the access?

One more time -- see FAQ 17.

> I'm kind of new to this firewall deal. I added a temporary rule to
> accept all traffic on port 80 from the source MAC, but I don't think
> that's safe.

CLUE: The source MAC for traffic arriving on your internet interface will be the MAC of your ISP's external router interface 99.99999999999999999999999999% of the time.

Solution -- your /etc/shorewall/rfc1918 file is hopelessly out of date because it includes 200.0.0.0/8; that network matches the source address in the packet logged above.

Upgrade to a current version of Shorewall (200.0.0.0/8 was removed from the rfc1918 file in April - Shorewall version 1.4.3) or download the current version of the rfc1918 from the STABLE thread in CVS (see the Shorewall home page -- there is a CVS link in the left-hand frame).

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Wed, 1 Oct 2003, Dennys Perez wrote:

> Oct 1 21:37:33 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT=
> MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52
> DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=521 DF PROTO=TCP
> SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0

The above message is misleading since it reflects a disposition of DROP -- it should really indicate a disposition of LOG. I've included a fix for 1.4.7.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Dennys Perez
2003-Oct-01 22:07 UTC
[Shorewall-users] Tons of dropped packets in the logs....
> Solution -- your /etc/shorewall/rfc1918 file is hopelessly out of date
> because it includes 200.0.0.0/8; that network matches the source address
> in the packet logged above.
> Upgrade to a current version of Shorewall (200.0.0.0/8 was removed from
> the rfc1918 file in April - Shorewall version 1.4.3) or download the
> current version of the rfc1918 from the STABLE thread in CVS (see the
> Shorewall home page -- there is a CVS link in the left-hand frame).

Thanks for the advice, however, I am running Shorewall 1.4.6b which does not include 200.0.0.0/8 in the rfc1918 file as you stated. The packets being dropped under 'logdrop' are from the 201.0.0.0 subnet, which is currently listed as reserved for Central & South America, so if I want to enable this subnet, I can just comment it out?

Also, are the packets logged under 'logpkt' being dropped or only logged? According to the FAQ 17, the logunclean option is supposed to log only and not drop unclean packets.

Thanks
Dennys
On Wed, 2003-10-01 at 22:07, Dennys Perez wrote:

> Thanks for the advice, however, I am running Shorewall 1.4.6b which does
> not include 200.0.0.0/8 in the rfc1918 file as you stated.
> The packets being dropped under 'logdrop' are from the 201.0.0.0 subnet,
> which is currently listed as reserved for Central & South America, so if
> I want to enable this subnet, I can just comment it out?

Yes. And my apologies; I misread the log messages.

> Also, are the packets logged under 'logpkt' being dropped or only
> logged? According to the FAQ 17, the logunclean option is supposed to
> log only and not drop unclean packets.

As I mentioned in my second post to this thread last night, logunclean causes packets to simply be logged although the message incorrectly indicates that they are dropped.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
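The two points Tom makes in this thread (the chain name in a Shorewall log line, not the DROP word, tells you what happened to the packet, and an rfc1918 entry that still lists a now-allocated block silently drops real clients) are easy to check mechanically. The script below is an added example, not code from the thread or from the Shorewall project. It parses a constructed subset of the log lines Dennys posted (the "OUT= MAC=" spacing is taken from the quoted reply), maps the chain to its real effect as Tom describes it, and looks up each logdrop source in a constructed stand-in for /etc/shorewall/rfc1918 whose two-column SUBNET/TARGET layout and 201.0.0.0/8 entry are assumptions for illustration, so an administrator can see which stale entry is responsible before commenting it out.

```python
"""Classify Shorewall DROP log lines by chain and explain rfc1918 matches."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the thread (not a live capture).
SAMPLE_LOG = """\
Oct 1 21:37:33 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=168.243.243.52 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=521 DF PROTO=TCP SPT=1066 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
Oct 1 21:51:07 server kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=200.70.151.150 DST=66.135.33.138 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=3088 PROTO=TCP SPT=1170 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Oct 1 21:51:40 server kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=201.128.225.180 DST=66.135.33.138 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=41790 DF PROTO=TCP SPT=64495 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 1 21:51:43 server kernel: Shorewall:logdrop:DROP:IN=eth0 OUT= MAC=00:40:ca:31:e8:5d:00:0a:f4:02:51:80:08:00 SRC=201.128.225.180 DST=66.135.33.138 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=41792 DF PROTO=TCP SPT=64495 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for /etc/shorewall/rfc1918 (assumed SUBNET/TARGET layout).
# A stale entry like 201.0.0.0/8 is what turns legitimate clients into logdrop lines.
RFC1918_FILE = """\
# SUBNET          TARGET
10.0.0.0/8        logdrop
172.16.0.0/12     logdrop
192.168.0.0/16    logdrop
201.0.0.0/8       logdrop
"""

# Shorewall prefixes the netfilter fields with "Shorewall:<chain>:<disposition>:".
LINE_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<fields>.*)$")

# Real effect per chain, as explained in the thread: 'logpkt' (logunclean) only
# logs even though the message says DROP; 'logdrop' (rfc1918) logs and drops.
CHAIN_EFFECT = {"logpkt": "logged only", "logdrop": "dropped"}


def parse_line(line):
    """Return chain, disposition, key=value fields and bare flags, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")  # "OUT=" yields an empty value
            rec[key] = value
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def load_rfc1918(text):
    """Parse the constructed rfc1918 file into (network, target) pairs."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        subnet, target = line.split()[:2]
        nets.append((ipaddress.ip_network(subnet), target))
    return nets


def matching_entry(src, nets):
    """Return the rfc1918 entry whose subnet contains src, or None."""
    addr = ipaddress.ip_address(src)
    for net, target in nets:
        if addr in net:
            return f"{net} {target}"
    return None


def explain(log_text, rfc1918_text):
    """Summarise each log line: its real effect and, for logdrop, the entry that matched."""
    nets = load_rfc1918(rfc1918_text)
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        is_rfc1918_drop = rec["chain"] == "logdrop"
        out.append({
            "src": rec["SRC"],
            "dpt": rec.get("DPT"),
            "chain": rec["chain"],
            "effect": CHAIN_EFFECT.get(rec["chain"], "unknown"),
            "flags": rec["flags"],
            "rfc1918_match": matching_entry(rec["SRC"], nets) if is_rfc1918_drop else None,
        })
    return out


def summarise(entries):
    """Count lines per (chain, effect) so the source of the noise is obvious."""
    return Counter((e["chain"], e["effect"]) for e in entries)


if __name__ == "__main__":
    entries = explain(SAMPLE_LOG, RFC1918_FILE)
    for e in entries:
        print(f"{e['src']:>16} -> :{e['dpt']} {e['chain']:8} {e['effect']:12} "
              f"{' '.join(e['flags']):8} rfc1918={e['rfc1918_match']}")
    print(summarise(entries))
```

Run against a real /var/log/messages and the real rfc1918 file, the same two functions separate the harmless logunclean noise (ACK-only packets the firewall merely logged) from the logdrop lines that actually cost you clients, and name the exact entry to review.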