On Tue, 4 Nov 2003, Kevin Smith wrote:
> here's a snippet from my /var/log/messages:
>
>
> Nov 4 00:24:45 firewall kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=
> MAC= SRC=80.143.227.136 DST=165.247.174.243 LEN=76 TOS=0x00 PREC=0x00 TTL=114
> ID=41910 PROTO=UDP SPT=9940 DPT=9940 LEN=56
> Nov 4 00:24:45 firewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=ppp0
> SRC=10.0.0.2 DST=4.4.130.47 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=26091
> PROTO=UDP SPT=9940 DPT=63225 LEN=56
> Nov 4 00:24:49 firewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=ppp0
> SRC=10.0.0.2 DST=4.4.130.47 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=43243
> PROTO=UDP SPT=9940 DPT=63225 LEN=56
> Nov 4 00:24:55 firewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=ppp0
> SRC=10.0.0.2 DST=4.4.130.47 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=65515
> PROTO=UDP SPT=9940 DPT=63225 LEN=56
>
>
> here's my relevant rules/policy
>
>
>
> ###############################################################################
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> fw        net    DROP     info
> fw        loc    ACCEPT   -
> loc       fw     ACCEPT   -
> loc       net    DROP     debug
So you DID change the default loc->net ACCEPT policy.
> net       all    DROP     debug
> all       all    DROP     info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> ##############################################################################
> #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE   ORIGINAL
> #Ivisit---
> ACCEPT    loc      net    udp     9940
> ACCEPT    net      loc    udp     9940
>
Kevin -- a loc->net policy other than ACCEPT should only be attempted by
people who know what they are doing.

a) The messages being dropped in the loc2net chain have a SOURCE port of
   9940.

b) The loc->net rule you have specified above has DESTINATION port 9940.

c) The second rule above also has destination port 9940; to specify a
   source port but no destination port, you must place "-" in the
   destination port column.

d) Since you are masquerading, ACCEPT rules won't work from net->loc; see
   FAQ #30.

e) In my previous post on this thread, I gave you the rules that you need
   to solve your problem. Please either use those or do as 99% of other
   Shorewall users (including me) and leave the loc->net ACCEPT policy in
   place.
-Tom
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
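The mismatch Tom describes in points (a) to (c), as an added example that is not part of the original thread or of Shorewall itself: a small Python checker that parses netfilter/Shorewall log lines of the kind quoted above, parses rules-file lines into their positional columns (with "-" meaning "any"), and reports whether a rule would have covered each dropped packet. The sample log lines are constructed in the shape of the quoted excerpt; `SOURCE_PORT_RULE` is a hypothetical rule written the way point (c) says a source-port-only rule must be written, and the port matcher handles plain comma lists only, not ranges.

```python
import re

# Constructed sample lines modelled on the quoted /var/log/messages excerpt
# (Shorewall 1.x on a Linux 2.4 netfilter LOG target).
SAMPLE_LOG = [
    "Nov 4 00:24:45 firewall kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= "
    "SRC=80.143.227.136 DST=165.247.174.243 LEN=76 TOS=0x00 PREC=0x00 TTL=114 "
    "ID=41910 PROTO=UDP SPT=9940 DPT=9940 LEN=56",
    "Nov 4 00:24:45 firewall kernel: Shorewall:loc2net:DROP:IN=eth0 OUT=ppp0 "
    "SRC=10.0.0.2 DST=4.4.130.47 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=26091 "
    "PROTO=UDP SPT=9940 DPT=63225 LEN=56",
]

# The loc->net rule as quoted in the thread (destination port 9940), and a
# hypothetical rewrite with "-" in the DEST PORT column and 9940 as SOURCE PORT.
KEVIN_RULE = "ACCEPT loc net udp 9940"
SOURCE_PORT_RULE = "ACCEPT loc net udp - 9940"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_log_line(line):
    """Return a dict describing the logged packet, or None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)   # keep the first LEN (IP total length)
    # Shorewall chain names are <source zone>2<destination zone>.
    src_zone, _, dst_zone = m.group("chain").partition("2")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "proto": fields.get("PROTO", "").lower(),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_rule(line):
    """Split a rules-file line into its seven positional columns; absent ones become '-'."""
    cols = line.split()
    cols += ["-"] * (7 - len(cols))
    action, src, dst, proto, dport, sport, odest = cols[:7]
    return {"action": action, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": dport, "sport": sport, "odest": odest}


def port_matches(spec, port):
    """'-' matches any port; otherwise a comma-separated list of port numbers."""
    if spec == "-":
        return True
    return port is not None and any(int(p) == port for p in spec.split(","))


def zone_matches(spec, zone):
    return spec in ("all", zone)


def rule_matches(rule, pkt):
    """True if zones, protocol, destination port and source port all match the packet."""
    return (zone_matches(rule["src"], pkt["src_zone"])
            and zone_matches(rule["dst"], pkt["dst_zone"])
            and rule["proto"] in ("-", "all", pkt["proto"])
            and port_matches(rule["dport"], pkt["dpt"])
            and port_matches(rule["sport"], pkt["spt"]))


def explain(rule_line, log_lines):
    """Map each logged chain to whether the given rule would have covered that packet."""
    rule = parse_rule(rule_line)
    result = {}
    for line in log_lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        result[pkt["chain"]] = rule_matches(rule, pkt)
    return result


if __name__ == "__main__":
    for rule_line in (KEVIN_RULE, SOURCE_PORT_RULE):
        print(f"{rule_line!r}: {explain(rule_line, SAMPLE_LOG)}")
```

Running it shows the quoted rule covering neither dropped packet (the loc2net packet has DPT=63225, not 9940), while the source-port form covers the loc2net drop; the net2all drop is still not covered by either, since both rules are loc->net.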