I've tried reading the documentation on the Shorewall site, but I still have some questions about what I'm seeing in my logs. Can anyone help with my three questions below?

-- David

**INTERFACES**

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
ppp     ppp+        -           routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

**ZONES**

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
ppp     PPP       dialin users
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

**POLICY**

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
net       ppp    ACCEPT
ppp       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

**RULES**

#ACTION   SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL
#                                 PORT     PORT(S)   DEST
ACCEPT    net      fw     icmp    8
ACCEPT    ppp      fw     icmp    8
ACCEPT    ppp      fw     tcp     22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

1. I understand why this is dropped. It's from the 'net' zone to the 'fw' zone, which is covered in the policy 'net all DROP'. That's right, isn't it?

Nov 11 14:47:45 pppshell kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:10:5a:e7:97:7e:00:30:19:02:16:40:08:00 SRC=200.171.10.117 DST=200.7.69.99 LEN=70 TOS=0x00 PREC=0x00 TTL=108 ID=52551 PROTO=UDP SPT=2629 DPT=53 LEN=50

==========================

2. I'm not sure why this is being dropped. It's coming from the 'ppp' zone, and going to the 'net' zone. The policy for this is 'ppp net ACCEPT'. Can someone explain this to me?

Nov 11 14:39:34 pppshell kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT=eth0 SRC=200.7.69.100 DST=204.108.4.142 LEN=677 TOS=0x00 PREC=0x00 TTL=62 ID=16071 DF PROTO=TCP SPT=64976 DPT=80 WINDOW=8576 RES=0x00 ACK PSH URGP=0

3. Why is this one being DROPped? I would think based on my policy that it should be accepted. It's going from 'net' to 'ppp' and the policy is 'net ppp ACCEPT'.

Nov 11 13:24:27 pppshell kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 SRC=208.254.75.131 DST=200.7.69.100 LEN=418 TOS=0x00 PREC=0x00 TTL=50 ID=26487 DF PROTO=TCP SPT=80 DPT=64683 WINDOW=8046 RES=0x00 ACK PSH FIN URGP=0
On Monday 17 November 2003 03:49 am, David Hoffman wrote:

> I've tried reading the documentation on the Shorewall site, but I still
> have some questions about what I'm seeing in my logs. Can anyone help
> with my three questions below?

Have you looked at FAQ 17? These questions are all answered there.

> 1. I understand why this is dropped. It's from the 'net' zone to the
> 'fw' zone, which is covered in the policy 'net all DROP'. That's
> right, isn't it?

Yes.

> Nov 11 14:47:45 pppshell kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:10:5a:e7:97:7e:00:30:19:02:16:40:08:00 SRC=200.171.10.117
> DST=200.7.69.99 LEN=70 TOS=0x00 PREC=0x00 TTL=108 ID=52551
> PROTO=UDP SPT=2629 DPT=53 LEN=50
> ==========================
>
> 2. I'm not sure why this is being dropped. It's coming from the 'ppp'
> zone, and going to the 'net' zone. The policy for this is 'ppp net
> ACCEPT'. Can someone explain this to me?
>
> Nov 11 14:39:34 pppshell kernel: Shorewall:newnotsyn:DROP:IN=ppp0
> OUT=eth0 SRC=200.7.69.100 DST=204.108.4.142 LEN=677 TOS=0x00
> PREC=0x00 TTL=62 ID=16071 DF PROTO=TCP SPT=64976 DPT=80
> WINDOW=8576 RES=0x00 ACK PSH URGP=0

Hint: this traffic and the traffic in your next question are being dropped in the 'newnotsyn' chain. It is being generated as a result of NEWNOTSYN=No in your shorewall.conf file and not because of rules and policies. You should read about that option.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
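To make Tom's hint concrete, here is an added example (my code, not from the thread, Shorewall, or its FAQ) that parses the three log lines David posted, maps their IN= and OUT= interfaces to zones using his interfaces file, looks up the first-matching entry in his policy file, and reports whether that policy was actually what decided the packet's fate. For the two `newnotsyn` entries the policy lookup returns ACCEPT, which is exactly why they look wrong: with NEWNOTSYN=No a TCP packet that carries no SYN and matches no tracked connection is dropped in the newnotsyn chain before any zone-to-zone policy is consulted. The zone and policy tables are transcribed from the thread; the log-format assumptions (a `Shorewall:<chain>:<disposition>:` prefix followed by the netfilter LOG target's KEY=VALUE fields, with TCP flags as bare tokens) match the lines shown above.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Transcribed from the interfaces and policy files quoted in the thread.
# Shorewall's '+' wildcard (ppp+) matches any interface with that prefix;
# the firewall itself is the 'fw' zone.
INTERFACES = {"eth0": "net", "ppp+": "ppp"}
POLICY = [  # (source, dest, action): first match wins, 'all' is a wildcard
    ("fw",  "net", "ACCEPT"),
    ("net", "ppp", "ACCEPT"),
    ("ppp", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# The three log lines David posted (line wraps joined).
SAMPLE_LINES = [
    "Nov 11 14:47:45 pppshell kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:10:5a:e7:97:7e:00:30:19:02:16:40:08:00 SRC=200.171.10.117 DST=200.7.69.99 "
    "LEN=70 TOS=0x00 PREC=0x00 TTL=108 ID=52551 PROTO=UDP SPT=2629 DPT=53 LEN=50",
    "Nov 11 14:39:34 pppshell kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT=eth0 "
    "SRC=200.7.69.100 DST=204.108.4.142 LEN=677 TOS=0x00 PREC=0x00 TTL=62 ID=16071 DF "
    "PROTO=TCP SPT=64976 DPT=80 WINDOW=8576 RES=0x00 ACK PSH URGP=0",
    "Nov 11 13:24:27 pppshell kernel: Shorewall:newnotsyn:DROP:IN=eth0 OUT=ppp0 "
    "SRC=208.254.75.131 DST=200.7.69.100 LEN=418 TOS=0x00 PREC=0x00 TTL=50 ID=26487 DF "
    "PROTO=TCP SPT=80 DPT=64683 WINDOW=8046 RES=0x00 ACK PSH FIN URGP=0",
]

# Assumed log layout: "Shorewall:<chain>:<disposition>:" then KEY=VALUE fields;
# TCP flags appear as bare tokens (SYN, ACK, PSH, FIN, ...), DF is an IP flag.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict        # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    tcp_flags: frozenset


def parse_log_line(line):
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the first
        elif tok in TCP_FLAG_TOKENS:
            flags.add(tok)
    return LogEntry(m.group("chain"), m.group("disp"), fields, frozenset(flags))


def zone_of(iface):
    """Interface name -> zone. An empty IN= or OUT= means the firewall itself."""
    if not iface:
        return "fw"
    for pattern, zone in INTERFACES.items():
        if fnmatchcase(iface, pattern.replace("+", "*")):
            return zone
    return None


def policy_for(src_zone, dst_zone):
    """First-match lookup in the policy table, 'all' matching any zone."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None


def analyze(line):
    """Which zones the packet crossed, what the policy says, and whether
    the policy was actually what decided the packet's fate."""
    e = parse_log_line(line)
    src_zone = zone_of(e.fields.get("IN", ""))
    dst_zone = zone_of(e.fields.get("OUT", ""))
    policy = policy_for(src_zone, dst_zone)
    if e.chain == "newnotsyn":
        # Non-SYN TCP packet with no conntrack entry: with NEWNOTSYN=No it is
        # dropped here, before the zone-to-zone policy is ever evaluated.
        reason = ("non-SYN TCP packet (%s) matching no tracked connection; dropped by "
                  "NEWNOTSYN=No, the %s->%s %s policy was never reached"
                  % (" ".join(sorted(e.tcp_flags)), src_zone, dst_zone, policy))
        policy_applied = False
    else:
        reason = "%s by the %s->%s policy" % (e.disposition, src_zone, dst_zone)
        policy_applied = True
    return {"chain": e.chain, "disposition": e.disposition, "src_zone": src_zone,
            "dst_zone": dst_zone, "policy": policy, "policy_applied": policy_applied,
            "tcp_flags": e.tcp_flags, "reason": reason}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze(line)
        print("%-10s %s->%s policy=%-6s : %s"
              % (r["chain"], r["src_zone"], r["dst_zone"], r["policy"], r["reason"]))
```

Running it prints one line per entry: the first is a DROP that the `net->fw` policy (`net all DROP`) really did make, while the other two report an ACCEPT policy that was never reached. The same check is useful after a `shorewall restart` or a reboot, since connections that were open before the firewall came up also show up as non-SYN packets with no conntrack entry.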
> On Monday 17 November 2003 03:49 am, David Hoffman wrote:
>> I've tried reading the documentation on the Shorewall site, but I still
>> have some questions about what I'm seeing in my logs. Can anyone help
>> with my three questions below?
>
> Have you looked at FAQ 17? These questions are all answered there.

I was afraid you might say that. Yes, I have read that FAQ. I'm still learning and just didn't understand it all. I'll go back and read it again.

>> 1. I understand why this is dropped. It's from the 'net' zone to the
>> 'fw' zone, which is covered in the policy 'net all DROP'. That's
>> right, isn't it?
>
> Yes.
>
>> Nov 11 14:47:45 pppshell kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:10:5a:e7:97:7e:00:30:19:02:16:40:08:00 SRC=200.171.10.117
>> DST=200.7.69.99 LEN=70 TOS=0x00 PREC=0x00 TTL=108 ID=52551
>> PROTO=UDP SPT=2629 DPT=53 LEN=50
>> ==========================
>>
>> 2. I'm not sure why this is being dropped. It's coming from the 'ppp'
>> zone, and going to the 'net' zone. The policy for this is 'ppp net
>> ACCEPT'. Can someone explain this to me?
>>
>> Nov 11 14:39:34 pppshell kernel: Shorewall:newnotsyn:DROP:IN=ppp0
>> OUT=eth0 SRC=200.7.69.100 DST=204.108.4.142 LEN=677 TOS=0x00
>> PREC=0x00 TTL=62 ID=16071 DF PROTO=TCP SPT=64976 DPT=80
>> WINDOW=8576 RES=0x00 ACK PSH URGP=0
>
> Hint: this traffic and the traffic in your next question are being dropped in
> the 'newnotsyn' chain. It is being generated as a result of NEWNOTSYN=No in
> your shorewall.conf file and not because of rules and policies. You should
> read about that option.

OK. Thanks for taking time to respond. I do appreciate it.

-- David