I'm sorry to have to bother the list with this, but I'm missing something obvious and my brain is cramping or something, I cannot find the answer...

Here is an entry from my log file:

Sep 16 11:12:34 fw kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:c0:9f:1e:fa:99:00:07:50:cd:a5:80:08:00 SRC=201.1.7.201 DST=208.10.57.129 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11155 DF PROTO=TCP SPT=3216 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0

It shows that an incoming connection to port 25 is being blocked, but yet I have this in my rules file:

ACCEPT net fw tcp 25

And I know that many connections to port 25 are making it through just fine... What is causing this one to get rejected? Is it something in the packet flags, etc? How can I debug this further?

Best Regards and Thanks!

Steve
Steven Palm wrote:
| I'm sorry to have to bother the list with this, but I'm missing
| something obvious and my brain is cramping or something, I cannot find
| the answer...
|
| Here is an entry from my log file:
|
| Sep 16 11:12:34 fw kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=
| MAC=00:c0:9f:1e:fa:99:00:07:50:cd:a5:80:08:00 SRC=201.1.7.201
| DST=208.10.57.129 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11155 DF
| PROTO=TCP SPT=3216 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
|
| It shows that an incoming connection to port 25 is being blocked, but
| yet I have this in my rules file:
|
| ACCEPT net fw tcp 25
|
| And I know that many connections to port 25 are making it through just
| fine... What is causing this one to get rejected? Is it something in
| the packet flags, etc? How can I debug this further?

I suspect that your rfc1918 file is out of date -- get the current one from the Shorewall errata page.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sep 16, 2004, at 11:22 AM, Tom Eastep wrote:

> I suspect that your rfc1918 file is out of date -- get the current one
> from the Shorewall errata page.

Nothing clears the mind like posting to the list so everyone knows how silly you are. :-) I realized that and rebuilt it using the python regen script, and it's much happier now. I'll compare it with the version on your website to make sure I haven't bolloxed that up.

Thanks Tom!

Steve
Just for information:

Official IPs allocated to Brazil were always 200.128.0.0/9 since 1995. (http://www.dnsstuff.com/tools/whois.ch?ip=200.128.0.0) Probably they ran out. So a new range (201.0.0.0/12) was allocated last year, from the reserved blocks from IANA (i.e. it appeared in the previous rfc1918). (http://www.dnsstuff.com/tools/whois.ch?ip=201.0.0.0)

These problems only appeared recently because the ISPs started using them a few months ago.

Be advised, especially those who still use the 1.4x version, check:
http://shorewall.net/1.4/errata.htm
and
http://shorewall.net/errata.htm

-Gilson Soares

On Thu, 16 Sep 2004 11:37:51 -0500, Steven Palm <n9yty@n9yty.com> wrote:
>
> On Sep 16, 2004, at 11:22 AM, Tom Eastep wrote:
> > I suspect that your rfc1918 file is out of date -- get the current one
> > from the Shorewall errata page.
>
> Nothing clears the mind like posting to the list so everyone knows how
> silly you are. :-) I realized that and rebuilt it using the python
> regen script, and it's much happier now. I'll compare it with the
> version on your website to make sure I haven't bolloxed that up.
>
> Thanks Tom!
>
> Steve
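A small diagnostic for the failure mode discussed in this thread, added here as an example (it is not code from the list or from Shorewall): it parses the netfilter log line Steve posted, pulls out SRC, and checks it against a stale and a current bogon list. The two lists are constructed, abbreviated stand-ins for the rfc1918 file, with the stale one still carrying 201.0.0.0/12, the block Gilson says was reassigned out of formerly reserved space.

```python
import ipaddress
import re

# Sample input, copied from the log entry in the thread.
LOG_LINE = ("Sep 16 11:12:34 fw kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= "
            "MAC=00:c0:9f:1e:fa:99:00:07:50:cd:a5:80:08:00 SRC=201.1.7.201 "
            "DST=208.10.57.129 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=11155 DF "
            "PROTO=TCP SPT=3216 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0")

# Constructed, abbreviated bogon lists (assumption: NOT the real rfc1918 files).
# The stale copy still treats 201.0.0.0/12 as reserved; the current one does not.
STALE_RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "201.0.0.0/12"]
CURRENT_RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_shorewall_log(line):
    """Return the Shorewall chain/target prefix plus the key=value fields and bare flags."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)$", line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "target": m.group("target"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)      # "OUT=" yields an empty value, which is fine
            fields[k] = v
        else:
            fields["flags"].append(tok)   # bare tokens such as DF, SYN, ACK
    return fields


def matching_prefix(addr, prefixes):
    """First prefix in the list that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for p in prefixes:
        if ip in ipaddress.ip_network(p):
            return p
    return None


def diagnose(line, stale, current):
    """Explain an rfc1918-chain drop by comparing SRC against both lists."""
    f = parse_shorewall_log(line)
    if f is None or f["chain"] != "rfc1918":
        return "not an rfc1918 chain drop"
    hit_stale = matching_prefix(f["SRC"], stale)
    hit_current = matching_prefix(f["SRC"], current)
    if hit_stale and not hit_current:
        return f"SRC {f['SRC']} matches {hit_stale} only in the stale list: update rfc1918"
    if hit_current:
        return f"SRC {f['SRC']} is genuinely bogon ({hit_current})"
    return f"SRC {f['SRC']} is in neither list"
```

Run `diagnose(LOG_LINE, STALE_RFC1918, CURRENT_RFC1918)` against a fresh copy of the rfc1918 file to confirm the drop disappears once the stale entry is gone.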