Hi experts,

SuSE 9.0, Kernel 2.4.21, shorewall 1.4.9
2 interfaces, eth1 is local.
Config below.
If I set policy loc net ACCEPT all works fine.
If I set loc net REJECT (as it should) I can't access the external DNS-Servers after appr. 2 days.
With tcpdump I've checked the traffic between the internal and external DNS. When it stopped, I see the DNS-traffic only on the internal interface. Directly after the change to REJECT I see the traffic on both interfaces.
Is there any buffer/counter which could be "full" after some time?

Thanks a lot for this great piece of code, which runs on several servers here.

Wolfgang

interfaces:
net eth0 -
loc eth1 - routeback

masq:
eth0 eth1

rules:
ACCEPT loc:$MAIL_SEND net tcp 25
ACCEPT loc:$NEWS_INTERN net tcp 119
ACCEPT loc:1.9.200.252 net tcp 2227
ACCEPT net:$VPN_NET loc all
ACCEPT loc net:$VPN_NET all
ACCEPT loc net tcp 80,443
ACCEPT loc:$BB_INTERN net icmp
ACCEPT loc:$BB_INTERN fw icmp
ACCEPT loc:$PC_EDV net icmp
ACCEPT loc:$PC_EDV fw icmp
ACCEPT loc net:212.86.195.198 tcp 1111
ACCEPT loc net:212.86.195.198 tcp 22
ACCEPT loc net:212.86.195.198 tcp 3306
ACCEPT loc net:212.86.195.198 tcp 8080
ACCEPT loc net tcp 20,21
#ACCEPT loc net:212.86.195.198 tcp 20,21
ACCEPT loc:$PROXY_INTERN net tcp www,https
ACCEPT loc:$PC_EDV net tcp www,https
ACCEPT loc:$SSH_INTERN fw tcp 22
ACCEPT loc:$SSH_INTERN net tcp 22
ACCEPT loc:$TELNET_INTERN net tcp 23
ACCEPT loc:$DNS_INTERN net:$DNS_EXTERN tcp 53
ACCEPT loc:$DNS_INTERN net:$DNS_EXTERN udp 53
ACCEPT loc:$POP_PC net tcp 110
ACCEPT loc:$IMAP_PC net tcp 143
ACCEPT loc:$VSS_INTERN net tcp 1402
ACCEPT loc net:213.144.23.180 tcp 1402
ACCEPT loc loc tcp www
ACCEPT loc fw tcp www
ACCEPT net:193.192.124.170 loc:1.9.204.1 tcp 23
ACCEPT net:193.192.124.170 loc:1.9.204.2 tcp 23
ACCEPT net:193.192.124.170 loc:1.9.205.252 tcp www
ACCEPT net:193.192.124.170 loc:1.9.205.251 udp 53
ACCEPT net:193.192.124.170 loc:1.9.205.254 udp 53
ACCEPT loc net:$YAHOO_SVR tcp 5050
#ACCEPT loc:1.9.205.7 net:128.32.112.245,204.225.124.69 tcp 6667
ACCEPT loc net:$PGP_EXT tcp 11371
ACCEPT loc:$TIME_SRV_INT net:$TIME_SRV_EXT tcp 123
ACCEPT loc:$TIME_SRV_INT net:$TIME_SRV_EXT udp 123
REJECT loc net tcp 25
DNAT net:212.86.195.198 loc:$BB_INTERN tcp 1984
DNAT net loc:$VSS_INTERN tcp 1402
DNAT net loc:$MAIL_RECEIVE tcp 25
DNAT net loc:$SSH_EXTERN tcp 22

--
IT-Systems - MSC Vertriebs GmbH
Hi Wolfgang

> SuSE 9.0, Kernel 2.4.21, shorewall 1.4.9
> 2 interfaces, eth1 is local.
> Config below.
> If I set policy loc net ACCEPT all works fine.
> If I set loc net REJECT (as it should) I can't access the external
> DNS-Servers after appr. 2 days.
> With tcpdump I've checked the traffic between the internal and external
> DNS. When it stopped, I see the DNS-traffic only on the internal
> interface. Directly after the change to REJECT I see the traffic on both
> interfaces.
> Is there any buffer/counter which could be "full" after some time?

Not really. If you use bind try to set this option on your internal DNS:

---
query-source address * port 53;
---

What errors does your internal DNS give you?

Regards
Sascha

-------------------------------------------------------
Sascha Knific                    K Systems & Design
Tel. +49-8151-773260             Wittelsbacherstr. 6a
Fax. +49-8151-773262             82319 Starnberg, Germany
knific@k-sysdes.net              http://www.k-sysdes.net
Wolfgang Lumpp wrote:

> Is there any buffer/counter which could be "full" after some time?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> Wolfgang Lumpp wrote:
>
>> Is there any buffer/counter which could be "full" after some time?
>
> No.
>

There is the possibility that your kernel's connection tracking table is full but changing your POLICY wouldn't suddenly correct that problem. If you are experiencing that problem, you should be seeing messages to that effect in your logs.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
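A check for the conntrack condition Tom describes, as an added example that is not from the thread or from Shorewall: it reports how full the kernel's connection tracking table is and whether "table full" drops have already been logged. The proc paths are assumptions about 2.4 (ip_conntrack) and 2.6+ (nf_conntrack) kernels, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed proc interfaces:
#   2.4:  /proc/net/ip_conntrack, /proc/sys/net/ipv4/ip_conntrack_max
#   2.6+: /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max

# Number of kernel "table full, dropping packet" messages in a log file.
count_table_full() {
    grep -c -E '(ip|nf)_conntrack: table full, dropping packet' "$1" || true
}

# Integer percentage of the table in use: $1 = current entries, $2 = maximum.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Print "<current> <max>" from whichever proc files this kernel provides.
conntrack_counts() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        echo "$(cat /proc/sys/net/netfilter/nf_conntrack_count) $(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    elif [ -r /proc/net/ip_conntrack ]; then
        echo "$(wc -l < /proc/net/ip_conntrack) $(cat /proc/sys/net/ipv4/ip_conntrack_max)"
    else
        echo "0 0"
    fi
}

# Verdict: FULL if drops were logged, WARN at 90% use or more, otherwise OK.
conntrack_verdict() {   # $1 = current, $2 = max, $3 = log file
    if [ "$(count_table_full "$3")" -gt 0 ]; then echo FULL
    elif [ "$(conntrack_usage_pct "$1" "$2")" -ge 90 ]; then echo WARN
    else echo OK; fi
}

# Constructed sample of what a 2.4 kernel writes when the table overflows.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 26 03:12:01 fw kernel: ip_conntrack: table full, dropping packet.
Mar 26 03:12:01 fw kernel: ip_conntrack: table full, dropping packet.
Mar 26 03:12:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.1
EOF

set -- $(conntrack_counts)
echo "conntrack: $1/$2 entries; sample log verdict: $(conntrack_verdict "$1" "$2" "$SAMPLE_LOG")"
```

On a live firewall, point the verdict at /var/log/messages (or wherever klogd writes) instead of the sample file.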
On Wed, 2004-03-24 at 15:04 +0100, Wolfgang Lumpp wrote:

> Hi experts,
>
> SuSE 9.0, Kernel 2.4.21, shorewall 1.4.9
> 2 interfaces, eth1 is local.
> Config below.
> If I set policy loc net ACCEPT all works fine.
> If I set loc net REJECT (as it should) I can't access the external
> DNS-Servers after appr. 2 days.
> With tcpdump I've checked the traffic between the internal and external
> DNS. When it stopped, I see the DNS-traffic only on the internal
> interface. Directly after the change to REJECT I see the traffic on both
> interfaces.
> Is there any buffer/counter which could be "full" after some time?
>
> Thanks a lot for this great piece of code, which runs on several servers
> here.
>
> Wolfgang
>

Can you perform internal resolution? Maybe resolve something that would already be cached? I've seen problems like this in the past where things such as logwatch (rotates the log files for various processes) restarts/reloads a daemon and the daemon takes a dirt nap in the process. Certainly worth checking into.

--
David T Hollis <dhollis@davehollis.com>