Tom Eastep
2003-Oct-28 15:30 UTC
[Shorewall-users] Re: Problems with rules since upgrading to 1.4.7b
On Tue, 2003-10-28 at 13:41, AdStar wrote:
> Hi Tom,
>
> I've upgraded my firewall to 1.4.7c (and copied the firewall/functions from
> the CVS over for the accounting names)
>
> I still get this reject in my logs.
> Oct 29 08:35:08 pyro Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1
> MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=10.0.100.11 DST=10.0.100.10
> LEN=61 TOS=00 PREC=0x00 TTL=127 ID=53524 PROTO=UDP SPT=4154 DPT=53 LEN=41
> Oct 29 08:35:57 pyro Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1
> MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=10.0.100.11 DST=10.0.100.10
> LEN=61 TOS=00 PREC=0x00 TTL=127 ID=54621 PROTO=UDP SPT=4169 DPT=53 LEN=41
>
> I do have the following norfc1918 in my eth0 interface
> net eth0 detect routefilter,norfc1918
> loc eth1 detect
>
> eth0 has multiple "live" IP's.
> eth1 has a single IP: 10.0.100.1
> my primary DNS server is int:10.0.100.10 ext: 67.106.134.140
> my secondary DNS server is int:10.0.100.11 ext: 67.106.134.141
>
> my rules again FYI:
> DNAT loc:10.0.100.0/24 loc:10.0.100.10 tcp 53 - 67.106.134.140:10.0.100.1
> DNAT loc:10.0.100.0/24 loc:10.0.100.10 udp 53 - 67.106.134.140:10.0.100.1
> DNAT loc:10.0.100.0/24 loc:10.0.100.11 tcp 53 - 67.106.134.141:10.0.100.1
> DNAT loc:10.0.100.0/24 loc:10.0.100.11 udp 53 - 67.106.134.141:10.0.100.1

You didn't mention which version of Shorewall you upgraded from when you moved to 1.4.7b, but what you have above wouldn't have worked with any recent version of Shorewall without the "routeback" option being specified for eth1 in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
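A small log-triage script for the symptom Tom points at, added here as an example and not part of the thread or of Shorewall itself: it parses syslog lines in the Shorewall 1.4 log format, flags FORWARD rejects whose IN and OUT name the same interface (the hairpin pattern in AdStar's two log lines, which is what the routeback option exists to permit), and lists the interfaces that show it. The first two sample lines are copied from the post above; the third is a constructed non-hairpin drop for contrast, and its chain name, addresses and ports are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample syslog lines in the format Shorewall 1.4 uses.  The first two are
# the FORWARD rejects quoted in the post above; the third is a constructed
# line (chain name, addresses and ports are invented) to show a drop that
# is NOT a hairpin and must not be reported.
SAMPLE_LOG = """\
Oct 29 08:35:08 pyro Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=10.0.100.11 DST=10.0.100.10 LEN=61 TOS=00 PREC=0x00 TTL=127 ID=53524 PROTO=UDP SPT=4154 DPT=53 LEN=41
Oct 29 08:35:57 pyro Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=10.0.100.11 DST=10.0.100.10 LEN=61 TOS=00 PREC=0x00 TTL=127 ID=54621 PROTO=UDP SPT=4169 DPT=53 LEN=41
Oct 29 08:36:10 pyro Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:02:b3:61:64:6e:00:02:b3:5f:c3:5c:08:00 SRC=203.0.113.9 DST=67.106.134.140 LEN=40 TOS=00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=6000 DPT=22
"""

# "Shorewall:<chain>:<disposition>:" followed by the netfilter key=value fields.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+): (?P<fields>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one Shorewall log line into a dict of fields; None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            # setdefault keeps the first LEN (IP header length), not the UDP one
            rec.setdefault(key, value)
    return rec


def find_hairpin_rejects(log: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (iface, src, dst, proto, dport) for every FORWARD-chain entry
    whose packet came in and would have gone back out on the same interface."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "FORWARD":
            continue
        if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
            hits.append(
                (rec["IN"], rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT", ""))
            )
    return hits


def routeback_candidates(log: str) -> List[str]:
    """Interfaces that show hairpin rejects, i.e. the ones whose line in
    /etc/shorewall/interfaces is missing the routeback option."""
    return sorted({hit[0] for hit in find_hairpin_rejects(log)})


if __name__ == "__main__":
    for hit in find_hairpin_rejects(SAMPLE_LOG):
        print("hairpin reject: in/out=%s %s -> %s %s/%s" % hit)
    print("add routeback to:", ", ".join(routeback_candidates(SAMPLE_LOG)))
```

Run against the two lines from the post it reports eth1 only, which matches the fix Tom names: the eth1 entry in /etc/shorewall/interfaces becomes "loc eth1 detect routeback". The script only reads logs; it does not touch the Shorewall configuration, and a hit on an interface you did not expect to hairpin is worth investigating before adding the option, since routeback lets traffic arriving on that interface be sent back out of it.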