Dear List!

I use a shorewall 2.0.8 on a Debian sarge system. I use a DSL connection to the Internet (ppp0 - eth1 to the modem) and a bridge to the local lan. The bridged config I've made with bridge.html from the shorewall site. The Bridge is between local net and an openvpn tap device. This works. I can make tunnels, and I can make a lot of things through the firewall. I can get a list of shares on a samba server in the net, I can make ftp connections, I can make ssh connections. But when I want to connect to a samba share (smbclient //IP/share) or when I mount the share as a network device in windows and want a listing of all files, I get a timeout. There are no Rejects or Drops or whatever. I tested and read a lot but I don't find the error. I hope that anybody has an idea for this problem.

Regards,
Florian
Florian wrote on 24/09/2004 08:47:43:
> [attachment "status.txt" deleted by Eduardo Ferreira/ICATU]

There is something wrong here. Let's navigate from FORWARD chain on:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  152 21948 br0_fwd    all  --  br0    *       0.0.0.0/0            0.0.0.0/0

packets coming from the bridge enter this chain (br0_fwd):

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   89 17880 all2all    all  --  *      br0     0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth0 --physdev-out tap0

hummm... a packet coming from br0 to br0 (via eth0 to tap0) goes to all2all chain. that's not good:

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
   35  5296 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

because they must be tested against chain Reject:

Chain Reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2064 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0

where they are sent to RejectSMB, where they are silently rejected:

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    8  2004 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

look up your policy and rules file. something wrong there.

hope it helps,

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: lists.shorewall.net/mailman/listinfo/shorewall-users
Support: shorewall.net/support.htm
FAQ: shorewall.net/FAQ.htm
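The chain walk Eduardo describes (FORWARD to br0_fwd to all2all to Reject to RejectSMB), as an added example that is neither part of the original thread nor Shorewall's own code: a small Python parser for `iptables -L -v -n` style listings, fed the excerpt quoted above (embedded as constructed input, column headers omitted), which traces a packet through the chains and reports where it terminates. It only understands the matches present in the excerpt (proto, in/out interface, dpt/dpts, --physdev-in/--physdev-out) and treats the lowercase `reject` target as terminal because the excerpt does not list that chain.

```python
import re

# The chains Eduardo quoted, embedded as constructed input for the parser.
STATUS = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  152 21948 br0_fwd all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain br0_fwd (1 references)
   89 17880 all2all all -- * br0 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth0 --physdev-out tap0
Chain all2all (2 references)
   35  5296 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Reject (5 references)
    9  2064 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RejectSMB (1 references)
    0     0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
    8  2004 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
    0     0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
    0     0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
    0     0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
    0     0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


def parse_listing(text):
    """Parse `iptables -L -v -n` output into {name: (policy or None, [rules])}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = (m.group(2), [])   # only built-in chains carry a policy
            chains[m.group(1)] = current
            continue
        f = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination [matches]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        rule = {"target": f[2], "proto": f[3], "in": f[5], "out": f[6]}
        extra = " ".join(f[9:])
        if m := re.search(r"dpts?:(\d+)(?::(\d+))?", extra):
            rule["dports"] = (int(m.group(1)), int(m.group(2) or m.group(1)))
        for key in ("physdev-in", "physdev-out"):
            if m := re.search(rf"--{key} (\S+)", extra):
                rule[key] = m.group(1)
        current[1].append(rule)
    return chains


def matches(rule, pkt):
    """True if every match the rule carries agrees with the packet."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    for key in ("in", "out"):
        if rule[key] != "*" and rule[key] != pkt.get(key):
            return False
    if "dports" in rule:
        lo, hi = rule["dports"]
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    for key in ("physdev-in", "physdev-out"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return True


def trace(chains, pkt, chain="FORWARD", path=None):
    """Return (chains and targets visited, final verdict) for the packet."""
    path = (path or []) + [chain]
    policy, rules = chains[chain]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["target"] in chains:
            path, verdict = trace(chains, pkt, rule["target"], path)
            if verdict != "RETURN":
                return path, verdict
            continue  # user chain fell through; keep scanning this chain
        return path + [rule["target"]], rule["target"]   # unlisted target: terminal
    if policy:
        return path + [f"policy {policy}"], policy        # built-in chain exhausted
    return path, "RETURN"


# Constructed packet: a Windows client on the LAN side of the bridge (eth0)
# opening a NetBIOS session to the Samba host behind the OpenVPN tap device.
SMB_PKT = {"proto": "tcp", "in": "br0", "out": "br0", "dport": 139,
           "physdev-in": "eth0", "physdev-out": "tap0"}

if __name__ == "__main__":
    chains = parse_listing(STATUS)
    for dport in (139, 22):
        path, verdict = trace(chains, {**SMB_PKT, "dport": dport})
        print(f"dport {dport}: {' -> '.join(path)}  =>  {verdict}")
```

Running it against the full `shorewall status` filter table would additionally need the `!proto`, `state` and `PKTTYPE` matches, which this parser ignores.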
Hi,

I'm desperate.

I've changed a lot and nothing works. I've changed in the interfaces file the global device (- br0 options) to a single device to loc br0 options.

In the hosts file, I made no settings.

rules:
AllowSSH   net   fw
AllowSSH   loc   fw
AllowSSH   fw    loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

policy:
fw    net   ACCEPT
fw    loc   ACCEPT
loc   net   ACCEPT
loc   fw    ACCEPT
net   all   DROP    ULOG
#
# THE FOLLOWING POLICY MUST BE LAST
#
all   all   REJECT  ULOG

So what is wrong. I hope anybody can help.

Regards

Florian

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Eduardo Ferreira
Sent: Friday, 24 September 2004 15:04
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] hopeless - smb over bridged firewall
Florian Didszun wrote:
| Hi,
|
| I'm desperate.
|
| I've changed a lot and nothing works.

That's clearly not true (Shorewall is starting for example) -- please tell us what you are trying to do and what the results are. Because I don't see anything obviously wrong in the status output.

So what EXACTLY doesn't work?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| Florian Didszun wrote:
| | Hi,
| |
| | I'm desperate.
| |
| | I've changed a lot and nothing works.
|
| That's clearly not true (Shorewall is starting for example) -- please
| tell us what you are trying to do and what the results are. Because I
| don't see anything obviously wrong in the status output.
|
| So what EXACTLY doesn't work?

And if the problem is that SMB still doesn't work over the bridge, if you "shorewall clear" does it work? If not, then your problem has absolutely nothing to do with Shorewall.

-Tom
Thanks a lot. That was a good idea. I had to test it much earlier with disabled firewall. It doesn't work with disabled shorewall, too. I must check the tunnel and bridge stuff, strange.

Thanks.

Regards
Florian
Florian Didszun wrote:
| Thanks a lot. That was a good idea. I had to test it much earlier with
| disabled firewall. It doesn't work with disabled shorewall, too. I must
| check the tunnel and bridge stuff, strange.
|
| Thanks.
|

You might try disabling Shorewall startup at boot time and reboot; does SMB work through the bridge in that case? I have a feeling that one of the Netfilter modules that Shorewall is causing to be loaded is breaking the bridge code.

-Tom
Axel Westerhold
2004-Sep-27 17:02 UTC
Re: ***SPAM*** Re: hopeless - smb over bridged firewall
Mmmh, if you SSH and do a ps -aux or a long ls -lah or something similar, does it still work or does it freeze too? I am asking because I ran into a few MTU size issues lately which always resulted in tunnels coming up and most basic stuff like simple SSH or telnet working fine, but with a bigger amount of data it started freezing without any hint in any firewall or VPN log.

Axel Westerhold
Technical Lead
Congos Inc.
Axel@congos-tools.com
Tel.: 0049 5732 688040

Florian Didszun wrote:
> [attached status.txt follows]
>
> ------------------------------------------------------------------------
>
> Shorewall-2.0.8 Status at blaster - Sat Sep 25 23:12:42 CEST 2004
>
> Counters reset Sat Sep 25 23:11:21 CEST 2004
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>   128 13152 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>     2   351 br0_in     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=INPUT:1 a=REJECT ' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>     0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>    43 14875 br0_fwd    all  --  br0    *       0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=FORWARD:1 a=REJECT ' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>     0     0 ACCEPT     udp  --  *      br0     0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
>   194 28020 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>     1    90 fw2loc     all  --  *      br0     0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=OUTPUT:1 a=REJECT ' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain AllowSSH (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>
> Chain Drop (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   144 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     3   144 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     3   144 dropInvalid all --  *      *       0.0.0.0/0            0.0.0.0/0
>     3   144 DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 dropNotSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain DropDNSrep (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
>
> Chain DropSMB (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
>     3   144 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
>
> Chain DropUPnP (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
>
> Chain Reject (4 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 dropInvalid all --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 dropNotSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain RejectAuth (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
>
> Chain RejectSMB (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
>     0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
>     0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
>
> Chain all2all (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=all2all:1 a=REJECT ' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain br0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     5   495 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
>     5   240 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>    38 14635 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0
>
> Chain br0_in (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     2   351 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
>     2   351 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain dropBcast (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
>
> Chain dropInvalid (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>
> Chain dropNotSyn (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02
>
> Chain dynamic (4 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain fw2loc (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     1    90 AllowSSH   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     1    90 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain fw2net (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   194 28020 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            213.54.197.136      udp spt:7777 dpt:7777
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain icmpdef (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain loc2fw (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     2   351 AllowSSH   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     2   351 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain loc2net (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     5   240 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain net2all (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     3   144 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=net2all:1 a=DROP ' queue_threshold 1
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain net2fw (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   125 13008 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     udp  --  *      *       213.54.197.136       0.0.0.0/0           udp spt:7777 dpt:7777
>     3   144 AllowSSH   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     3   144 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain ppp0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
>     0     0 net2all    all  --  *      br0     0.0.0.0/0            0.0.0.0/0
>
> Chain ppp0_in (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   144 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
>   128 13152 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain reject (11 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
>     0     0 DROP       all  --  *      *       192.168.11.255       0.0.0.0/0
>     0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
>     0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
>     0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
>     0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>     0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain shorewall (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain smurfs (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ULOG       all  --  *      *       192.168.11.255       0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:1 a=DROP ' queue_threshold 1
>     0     0 DROP       all  --  *      *       192.168.11.255       0.0.0.0/0
>     0     0 ULOG       all  --  *      *       255.255.255.255      0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:2 a=DROP ' queue_threshold 1
>     0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
>     0     0 ULOG       all  --  *      *       224.0.0.0/4          0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:3 a=DROP ' queue_threshold 1
>     0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
>
> NAT Table
>
> Chain PREROUTING (policy ACCEPT 287K packets, 17M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 115K packets, 9065K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 105K packets, 7230K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain ppp0_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE all  --  *      *       192.168.11.0/24      0.0.0.0/0
>
> Mangle Table
>
> Chain PREROUTING (policy ACCEPT 2612K packets, 1089M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   174 28299 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 2471K packets, 991M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 161K packets, 101M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 2546K packets, 995M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   198 28282 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 2709K packets, 1096M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain outtos (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
>   133  8056 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
>
> Chain pretos (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   101  9240 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
>
> tcp      6 431591 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 sport=33029 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 dport=33029 [ASSURED] use=1
> tcp      6 16 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3196 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3196 [ASSURED] use=1
> tcp      6 264747 ESTABLISHED src=192.168.11.11 dst=192.168.11.62 sport=139 dport=1032 [UNREPLIED] src=192.168.11.62 dst=192.168.11.11 sport=1032 dport=139 use=1
> tcp      6 9 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3194 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3194 [ASSURED] use=1
> udp      17 178 src=212.202.210.90 dst=213.54.197.136 sport=7777 dport=7777 src=213.54.197.136 dst=212.202.210.90 sport=7777 dport=7777 [ASSURED] use=1
> udp      17 23 src=192.168.11.11 dst=192.168.11.1 sport=32868 dport=53 src=192.168.11.1 dst=192.168.11.11 sport=53 dport=32868 [ASSURED] use=1
> udp      17 91 src=192.168.11.1 dst=192.168.11.1 sport=1345 dport=53 src=192.168.11.1 dst=192.168.11.1 sport=53 dport=1345 [ASSURED] use=1
> tcp      6 30 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3200 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3200 [ASSURED] use=1
> tcp      6 20 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3197 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3197 [ASSURED] use=1
> tcp      6 431998 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 sport=34561 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 dport=34561 [ASSURED] use=1
> unknown  2 195 src=192.168.11.150 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=192.168.11.150 use=1
> tcp      6 431983 ESTABLISHED src=192.168.11.150 dst=192.168.11.11 sport=3305 dport=139 src=192.168.11.11 dst=192.168.11.150 sport=139 dport=3305 [ASSURED] use=1
> tcp      6 54 SYN_RECV src=192.168.1.30 dst=192.168.11.11 sport=3306 dport=139 src=192.168.11.11 dst=192.168.1.30 sport=139 dport=3306 use=1
> tcp      6 23 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3198 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3198 [ASSURED] use=1
>
> IP Configuration
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::201:2ff:fe10:773a/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:50:ba:c9:be:76 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::250:baff:fec9:be76/64 scope link
>        valid_lft forever preferred_lft forever
> 4: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 6: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:ff:a6:07:65:f7 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::2ff:a6ff:fe07:65f7/64 scope link
>        valid_lft forever preferred_lft forever
> 7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
>     inet 192.168.11.1/24 brd 192.168.11.255 scope global br0
>     inet6 fe80::201:2ff:fe10:773a/64 scope link
>        valid_lft forever preferred_lft forever
> 11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 212.202.210.90 peer 213.148.128.18/32 scope global ppp0
>
> Routing Rules
>
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> Table local:
>
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> local 192.168.11.1 dev br0 proto kernel scope host src 192.168.11.1
> broadcast 192.168.11.0 dev br0 proto kernel scope link src 192.168.11.1
> broadcast 192.168.11.255 dev br0 proto kernel scope link src 192.168.11.1
> local 212.202.210.90 dev ppp0 proto kernel scope host src 212.202.210.90
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 127.0.0.0/8 dev lo proto
kernel scope host src 127.0.0.1 > > Table main: > > 213.148.128.18 dev ppp0 proto kernel scope link src 212.202.210.90 > 192.168.11.0/24 dev br0 proto kernel scope link src 192.168.11.1 > default via 213.148.128.18 dev ppp0 > > Table default: > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: lists.shorewall.net/mailman/listinfo/shorewall-users > Support: shorewall.net/support.htm > FAQ: shorewall.net/FAQ.htm
I apologize for the SPAM tag in the Subject. I simply forgot to remove it and had no time to find out why it actually is set for this kind of mail.

Axel Westerhold
Technical Lead
Congos Inc.
Axel@congos-tools.com
Tel.: 0049 5732 688040

Axel Westerhold wrote:
> Mmmh, if you SSH and do a ps -aux or a long ls -lah or something
> similar, does it still work or does it freeze too?
>
> I am asking because I ran into a few MTU size issues lately which always
> resulted in tunnels coming up and most basic stuff like simple SSH or
> telnet working fine, but with a bigger amount of data it started freezing
> without any hint in any firewall or VPN log.
>
> Axel Westerhold
> Technical Lead
> Congos Inc.
> Axel@congos-tools.com
> Tel.: 0049 5732 688040
>
> Florian Didszun wrote:
> > Hi,
> >
> > I'm desperate.
> >
> > I've changed a lot and nothing works. I've changed in the interfaces file
> > the global device (- br0 options) to a single device, loc br0 options.
> >
> > In the hosts file, I made no settings.
> >
> > rules:
> > AllowSSH net fw
> > AllowSSH loc fw
> > AllowSSH fw loc
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > policy:
> > fw net ACCEPT
> > fw loc ACCEPT
> > loc net ACCEPT
> > loc fw ACCEPT
> > net all DROP ULOG
> > #
> > # THE FOLLOWING POLICY MUST BE LAST
> > #
> > all all REJECT ULOG
> >
> > So what is wrong? I hope anybody can help.
> >
> > Regards
> >
> > Florian
> >
> > -----Original Message-----
> > From: shorewall-users-bounces@lists.shorewall.net
> > [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of
> > Eduardo Ferreira
> > Sent: Friday, 24 September 2004 15:04
> > To: Mailing List for Shorewall Users
> > Subject: Re: [Shorewall-users] hopeless - smb over bridged firewall
Hi, i restarted my System with disabled shorewall and without any netfilter modules. And it doesn´t work. Your assumption was right. When i ssh on the machine and i do a ps aux, than it freeze. I use mtu 1500. HAve you any ideas?? cheers Florian -----Ursprüngliche Nachricht----- Von: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net]Im Auftrag von Axel Westerhold Gesendet: Montag, 27. September 2004 19:15 An: Mailing List for Shorewall Users Betreff: Re: [Shorewall-users] hopeless - smb over bridgedfirewall I apologize for the SPAM Tag in the Subject. I simply forgot to remove it and had no time to find out why it actually is set for this kind of mails. Axel Westerhold Technical Lead Congos Inc. Axel@congos-tools.com Tel.: 0049 5732 688040 Axel Westerhold wrote:> Mmmh, if you SSH and do a ps -aux or a long ls -lah or something > similar, does it still work or does it freeze too ? > > I am asking because I ran into a few MTU size issues lately which always > resulted in tunnels coming up and most basic stuff like simple SSH or > telnet working fine but with a bigger amount of data it started freezing > without any hint in any firewall or VPN log. > > > Axel Westerhold > Technical Lead > Congos Inc. > Axel@congos-tools.com > Tel.: 0049 5732 688040 > > > > Florian Didszun wrote: > > Hi, > > > > i?m desperated. > > > > I?ve changed a lot and nothing works. I?ve changed in the interfaces file > > the global device (- br0 options) to a single device to loc br0 options. > > > > In the hosts file, i made no settings. > > > > rules: > > AllowSSH net fw > > AllowSSH loc fw > > AllowSSH fw loc > > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE > > > > policy: > > fw net ACCEPT > > fw loc ACCEPT > > loc net ACCEPT > > loc fw ACCEPT > > net all DROP ULOG > > # > > # THE FOLLOWING POLICY MUST BE LAST > > # > > all all REJECT ULOG > > > > So what is wrong. I hope anybody can help. 
> >
> > Regards
> >
> > Florian
> >
> >
> > -----Original Message-----
> > From: shorewall-users-bounces@lists.shorewall.net
> > [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of
> > Eduardo Ferreira
> > Sent: Friday, 24 September 2004 15:04
> > To: Mailing List for Shorewall Users
> > Subject: Re: [Shorewall-users] hopeless - smb over bridged firewall
> >
> >
> > Florian wrote on 24/09/2004 08:47:43:
> >
> > > I use a shorewall 2.0.8 on a Debian sarge system. I use a DSL connection
> > > to the Internet (ppp0 - eth1 to the modem) and a bridge to the local
> > > lan. The bridged config I've made with bridge.html from the shorewall
> > > site. The bridge is between the local net and an openvpn tap device. This
> > > works. I can make tunnels, and I can make a lot of things through the
> > > firewall. I can get a list of shares on a samba server in the net, I can
> > > make ftp connections, I can make ssh connections. But when I want to
> > > connect to a samba share (smbclient //IP/share) or when I mount the
> > > share as a network device in windows, and want a listing of all files, I
> > > get a timeout. There are no Rejects or Drops or whatever. I tested and
> > > read a lot but I don't find the error. I hope that anybody has an idea
> > > for this problem.
> > >
> > There is something wrong here. Let's navigate from the FORWARD chain on:
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> > 152 21948 br0_fwd all -- br0 * 0.0.0.0/0 0.0.0.0/0
> >
> > packets coming from the bridge enter this chain (br0_fwd):
> > Chain br0_fwd (1 references)
> > pkts bytes target prot opt in out source destination
> > 89 17880 all2all all -- * br0 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth0 --physdev-out tap0
> >
> > hummm... a packet coming from br0 to br0 (via eth0 to tap0) goes to the
> > all2all chain. That's not good:
> > Chain all2all (2 references)
> > pkts bytes target prot opt in out source destination
> > 35 5296 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > because they must be tested against chain Reject:
> > Chain Reject (5 references)
> > pkts bytes target prot opt in out source destination
> > 9 2064 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > where they are sent to RejectSMB, where they are silently rejected:
> > Chain RejectSMB (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
> > 8 2004 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
> > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
> >
> > look up your policy and rules file. something wrong there.
> >
> > hope it helps,
> >
> > > Regards.
> > >
> > > Florian
> > > [attachment "status.txt" deleted by Eduardo Ferreira/ICATU]
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > Post: Shorewall-users@lists.shorewall.net
> > > Subscribe/Unsubscribe: lists.shorewall.net/mailman/listinfo/shorewall-users
> > > Support: shorewall.net/support.htm
> > > FAQ: shorewall.net/FAQ.htm
> >
> >
> > ------------------------------------------------------------------------
> >
> > Shorewall-2.0.8 Status at blaster - Sat Sep 25 23:12:42 CEST 2004
> >
> > Counters reset Sat Sep 25 23:11:21 CEST 2004
> >
> > Chain INPUT (policy DROP 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> > 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> > 128 13152 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
> > 2 351 br0_in all -- br0 * 0.0.0.0/0 0.0.0.0/0
> > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=INPUT:1 a=REJECT ' queue_threshold 1
> > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> > 0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
> > 43 14875 br0_fwd all -- br0 * 0.0.0.0/0 0.0.0.0/0
> > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=FORWARD:1 a=REJECT ' queue_threshold 1
> > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> > 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> > 0 0 ACCEPT udp -- * br0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
> > 194 28020 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
> > 1 90 fw2loc all -- * br0 0.0.0.0/0 0.0.0.0/0
> > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=OUTPUT:1 a=REJECT ' queue_threshold 1
> > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain AllowSSH (3 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> >
> > Chain Drop (1 references)
> > pkts bytes target prot opt in out source destination
> > 3 144 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
> > 3 144 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
> > 3 144 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
> > 3 144 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain DropDNSrep (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
> >
> > Chain DropSMB (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
> > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
> > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
> > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
> > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
> > 3 144 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
> >
> > Chain DropUPnP (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
> >
> > Chain Reject (4 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain RejectAuth (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
> >
> > Chain RejectSMB (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
> > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
> > 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
> > 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
> >
> > Chain all2all (0 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=all2all:1 a=REJECT ' queue_threshold 1
> > 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain br0_fwd (1 references)
> > pkts bytes target prot opt in out source destination
> > 5 495 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> > 5 240 loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
> > 38 14635 ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0
> >
> > Chain br0_in (1 references)
> > pkts bytes target prot opt in out source destination
> > 2 351 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> > 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
> > 2 351 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain dropBcast (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
> >
> > Chain dropInvalid (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> >
> > Chain dropNotSyn (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
> >
> > Chain dynamic (4 references)
> > pkts bytes target prot opt in out source destination
> >
> > Chain fw2loc (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 1 90 AllowSSH all -- * * 0.0.0.0/0 0.0.0.0/0
> > 1 90 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain fw2net (1 references)
> > pkts bytes target prot opt in out source destination
> > 194 28020 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 ACCEPT udp -- * * 0.0.0.0/0 213.54.197.136 udp spt:7777 dpt:7777
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain icmpdef (0 references)
> > pkts bytes target prot opt in out source destination
> >
> > Chain loc2fw (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 2 351 AllowSSH all -- * * 0.0.0.0/0 0.0.0.0/0
> > 2 351 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain loc2net (1 references)
> > pkts bytes target prot opt in out source destination
> > 5 240 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain net2all (2 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 3 144 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=net2all:1 a=DROP ' queue_threshold 1
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain net2fw (1 references)
> > pkts bytes target prot opt in out source destination
> > 125 13008 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 ACCEPT udp -- * * 213.54.197.136 0.0.0.0/0 udp spt:7777 dpt:7777
> > 3 144 AllowSSH all -- * * 0.0.0.0/0 0.0.0.0/0
> > 3 144 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain ppp0_fwd (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> > 0 0 net2all all -- * br0 0.0.0.0/0 0.0.0.0/0
> >
> > Chain ppp0_in (1 references)
> > pkts bytes target prot opt in out source destination
> > 3 144 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
> > 128 13152 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain reject (11 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
> > 0 0 DROP all -- * * 192.168.11.255 0.0.0.0/0
> > 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
> > 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
> > 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
> > 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> > 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
> > 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
> >
> > Chain shorewall (0 references)
> > pkts bytes target prot opt in out source destination
> >
> > Chain smurfs (0 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 ULOG all -- * * 192.168.11.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:1 a=DROP ' queue_threshold 1
> > 0 0 DROP all -- * * 192.168.11.255 0.0.0.0/0
> > 0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:2 a=DROP ' queue_threshold 1
> > 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
> > 0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:3 a=DROP ' queue_threshold 1
> > 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
> >
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=67.180.168.30 DST=212.202.210.90 LEN=404 TOS=00 PREC=0x00 TTL=113 ID=64773 CE PROTO=UDP SPT=4230 DPT=1434 LEN=384
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31714 DF PROTO=TCP SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31715 DF PROTO=TCP SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31716 DF PROTO=TCP SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31717 DF PROTO=TCP SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=41 ID=28871 DF PROTO=TCP SPT=2898 DPT=23 SEQ=2534953758 ACK=0 WINDOW=32768 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=40 ID=28873 DF PROTO=TCP SPT=2898 DPT=23 SEQ=2534953758 ACK=0 WINDOW=32768 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=40 ID=28874 DF PROTO=TCP SPT=2898 DPT=23 SEQ=2534953758 ACK=0 WINDOW=32768 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61896 CE DF PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61897 CE DF PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61898 CE DF PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61899 CE DF PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57824 CE DF PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57825 CE DF PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57826 CE DF PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57827 CE DF PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21140 DF PROTO=TCP SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21141 DF PROTO=TCP SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21142 DF PROTO=TCP SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0
> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21143 DF PROTO=TCP SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0
> >
> > NAT Table
> >
> > Chain PREROUTING (policy ACCEPT 287K packets, 17M bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain POSTROUTING (policy ACCEPT 115K packets, 9065K bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 105K packets, 7230K bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain ppp0_masq (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 MASQUERADE all -- * * 192.168.11.0/24 0.0.0.0/0
> >
> > Mangle Table
> >
> > Chain PREROUTING (policy ACCEPT 2612K packets, 1089M bytes)
> > pkts bytes target prot opt in out source destination
> > 174 28299 pretos all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain INPUT (policy ACCEPT 2471K packets, 991M bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain FORWARD (policy ACCEPT 161K packets, 101M bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain OUTPUT (policy ACCEPT 2546K packets, 995M bytes)
> > pkts bytes target prot opt in out source destination
> > 198 28282 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain POSTROUTING (policy ACCEPT 2709K packets, 1096M bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain outtos (1 references)
> > pkts bytes target prot opt in out source destination
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
> > 133 8056 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
> >
> > Chain pretos (1 references)
> > pkts bytes target prot opt in out source destination
> > 101 9240 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
> > 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
> >
> > tcp 6 431591 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 sport=33029 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 dport=33029 [ASSURED] use=1
> > tcp 6 16 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3196 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3196 [ASSURED] use=1
> > tcp 6 264747 ESTABLISHED src=192.168.11.11 dst=192.168.11.62 sport=139 dport=1032 [UNREPLIED] src=192.168.11.62 dst=192.168.11.11 sport=1032 dport=139 use=1
> > tcp 6 9 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3194 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3194 [ASSURED] use=1
> > udp 17 178 src=212.202.210.90 dst=213.54.197.136 sport=7777 dport=7777 src=213.54.197.136 dst=212.202.210.90 sport=7777 dport=7777 [ASSURED] use=1
> > udp 17 23 src=192.168.11.11 dst=192.168.11.1 sport=32868 dport=53 src=192.168.11.1 dst=192.168.11.11 sport=53 dport=32868 [ASSURED] use=1
> > udp 17 91 src=192.168.11.1 dst=192.168.11.1 sport=1345 dport=53 src=192.168.11.1 dst=192.168.11.1 sport=53 dport=1345 [ASSURED] use=1
> > tcp 6 30 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3200 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3200 [ASSURED] use=1
> > tcp 6 20 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3197 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3197 [ASSURED] use=1
> > tcp 6 431998 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 sport=34561 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 dport=34561 [ASSURED] use=1
> > unknown 2 195 src=192.168.11.150 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=192.168.11.150 use=1
> > tcp 6 431983 ESTABLISHED src=192.168.11.150 dst=192.168.11.11 sport=3305 dport=139 src=192.168.11.11 dst=192.168.11.150 sport=139 dport=3305 [ASSURED] use=1
> > tcp 6 54 SYN_RECV src=192.168.1.30 dst=192.168.11.11 sport=3306 dport=139 src=192.168.11.11 dst=192.168.1.30 sport=139 dport=3306 use=1
> > tcp 6 23 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 sport=3198 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 dport=3198 [ASSURED] use=1
> >
> > IP Configuration
> >
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::201:2ff:fe10:773a/64 scope link
> >        valid_lft forever preferred_lft forever
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:50:ba:c9:be:76 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::250:baff:fec9:be76/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: sit0: <NOARP> mtu 1480 qdisc noop
> >     link/sit 0.0.0.0 brd 0.0.0.0
> > 6: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:ff:a6:07:65:f7 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::2ff:a6ff:fe07:65f7/64 scope link
> >        valid_lft forever preferred_lft forever
> > 7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> >     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.11.1/24 brd 192.168.11.255 scope global br0
> >     inet6 fe80::201:2ff:fe10:773a/64 scope link
> >        valid_lft forever preferred_lft forever
> > 11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> >     link/ppp
> >     inet 212.202.210.90 peer 213.148.128.18/32 scope global ppp0
> >
> > Routing Rules
> >
> > 0: from all lookup local
> > 32766: from all lookup main
> > 32767: from all lookup default
> >
> > Table local:
> >
> > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> > local 192.168.11.1 dev br0 proto kernel scope host src 192.168.11.1
> > broadcast 192.168.11.0 dev br0 proto kernel scope link src 192.168.11.1
> > broadcast 192.168.11.255 dev br0 proto kernel scope link src 192.168.11.1
> > local 212.202.210.90 dev ppp0 proto kernel scope host src 212.202.210.90
> > broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> >
> > Table main:
> >
> > 213.148.128.18 dev ppp0 proto kernel scope link src 212.202.210.90
> > 192.168.11.0/24 dev br0 proto kernel scope link src 192.168.11.1
> > default via 213.148.128.18 dev ppp0
> >
> > Table default:
> >
> >
> >
> > ------------------------------------------------------------------------
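The conntrack table in the status output above is the one place this problem is visible: the firewall logs no REJECT or DROP, yet the SMB flows on port 139 sit in SYN_RECV or carry [UNREPLIED], i.e. data is being lost somewhere rather than refused. The following script is an added example, not part of the thread; it parses the 2.4/2.6-era /proc/net/ip_conntrack layout that `shorewall status` prints (the key=value layout that `conntrack -L` prints today is largely the same) and flags SMB flows in that state. The sample lines are copied from the quoted status output; the "stalled" heuristic (half-open handshake or UNREPLIED on a TCP 139/445 flow) is mine.

```python
"""Flag SMB flows that conntrack shows as stalled (added example, not from the thread).

Input is one ip_conntrack line per entry, e.g.:
  tcp 6 54 SYN_RECV src=A dst=B sport=3306 dport=139 src=B dst=A sport=139 dport=3306 use=1
"""
from dataclasses import dataclass, field

SMB_TCP_PORTS = {139, 445}            # NetBIOS session service, direct-hosted SMB
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV"}


@dataclass
class Flow:
    proto: str
    timeout: int
    state: str                                  # TCP conntrack state, "" for udp/unknown
    orig: dict = field(default_factory=dict)    # first src/dst/sport/dport group
    reply: dict = field(default_factory=dict)   # second group (the expected reply)
    flags: set = field(default_factory=set)     # ASSURED, UNREPLIED, ...


def parse_conntrack_line(line: str):
    """Parse one ip_conntrack line; return None for blank or malformed input."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[2].isdigit():
        return None
    proto, timeout = tokens[0], int(tokens[2])
    rest = tokens[3:]
    state = ""
    if proto == "tcp" and rest:
        state = rest.pop(0)                     # TCP entries carry a state word
    flow = Flow(proto, timeout, state)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flow.flags.add(tok[1:-1])
            continue
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key not in ("src", "dst", "sport", "dport"):
            continue
        # First occurrence of a key is the original direction, the second the
        # reply direction; [UNREPLIED] may sit between the two groups.
        side = flow.orig if key not in flow.orig else flow.reply
        side[key] = int(value) if key.endswith("port") else value
    return flow


def is_smb(flow: Flow) -> bool:
    ports = {flow.orig.get("sport"), flow.orig.get("dport")}
    return flow.proto == "tcp" and bool(ports & SMB_TCP_PORTS)


def is_stalled(flow: Flow) -> bool:
    """A half-open handshake or a peer that never answered: the signature of
    traffic that is silently lost on the path rather than rejected by a rule."""
    return flow.state in HALF_OPEN_STATES or "UNREPLIED" in flow.flags


def stalled_smb_flows(lines):
    found = []
    for line in lines:
        flow = parse_conntrack_line(line)
        if flow and is_smb(flow) and is_stalled(flow):
            found.append(flow)
    return found


def describe(flow: Flow) -> str:
    o = flow.orig
    return (f"{flow.proto} {o.get('src')}:{o.get('sport')} -> {o.get('dst')}:{o.get('dport')} "
            f"state={flow.state or '-'} flags={','.join(sorted(flow.flags)) or '-'} "
            f"timeout={flow.timeout}s")


# Sample entries copied from the status output quoted above.
SAMPLE = """
tcp 6 431591 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 sport=33029 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 dport=33029 [ASSURED] use=1
tcp 6 264747 ESTABLISHED src=192.168.11.11 dst=192.168.11.62 sport=139 dport=1032 [UNREPLIED] src=192.168.11.62 dst=192.168.11.11 sport=1032 dport=139 use=1
udp 17 23 src=192.168.11.11 dst=192.168.11.1 sport=32868 dport=53 src=192.168.11.1 dst=192.168.11.11 sport=53 dport=32868 [ASSURED] use=1
unknown 2 195 src=192.168.11.150 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=192.168.11.150 use=1
tcp 6 431983 ESTABLISHED src=192.168.11.150 dst=192.168.11.11 sport=3305 dport=139 src=192.168.11.11 dst=192.168.11.150 sport=139 dport=3305 [ASSURED] use=1
tcp 6 54 SYN_RECV src=192.168.1.30 dst=192.168.11.11 sport=3306 dport=139 src=192.168.11.11 dst=192.168.1.30 sport=139 dport=3306 use=1
""".strip().splitlines()

if __name__ == "__main__":
    for f in stalled_smb_flows(SAMPLE):
        print(describe(f))
```

Run against the sample it reports exactly the two flows Eduardo's rule-chain walk cannot explain: the server-side 139 flow marked [UNREPLIED] and the client handshake stuck in SYN_RECV, while the [ASSURED] 139 flow and the non-SMB entries are left alone. Counting ACCEPT packets in the chains tells you the firewall let the SYN through; it is conntrack that tells you the conversation never progressed.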
Well, while you are using MTU 1500 on your local interface your ppp0 interface will be something like 1472 or less. For a simple test change the MTU size for each interface in the firewall to 1398 (which is the smallest value I was forced to use) and see if it works. If it does you can start using higher values till you find the one most suitable for you. Normally the kernel does a good job detecting MTU sizes but it somehow fails when tunnels are used. I had no time recently to really investigate the issue.

Axel Westerhold
Technical Lead
Congos Inc.
Axel@congos-tools.com
Tel.: 0049 5732 688040

Florian Didszun wrote:
> Hi,
>
> I restarted my system with Shorewall disabled and without any netfilter modules.
>
> And it doesn't work. Your assumption was right. When I ssh to the machine and do
> a ps aux, it freezes.
>
> I use MTU 1500. Have you any ideas?
>
> cheers
>
> Florian
>
>
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Axel
> Westerhold
> Sent: Monday, 27 September 2004 19:15
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] hopeless - smb over bridged firewall
>
>
> I apologize for the SPAM tag in the subject. I simply forgot to remove
> it and had no time to find out why it actually is set for this kind of
> mail.
>
> Axel Westerhold
> Technical Lead
> Congos Inc.
> Axel@congos-tools.com
> Tel.: 0049 5732 688040
>
>
>
> Axel Westerhold wrote:
>
>> Mmmh, if you SSH and do a ps -aux or a long ls -lah or something
>> similar, does it still work or does it freeze too?
>>
>> I am asking because I ran into a few MTU size issues lately which always
>> resulted in tunnels coming up and most basic stuff like simple SSH or
>> telnet working fine, but with a bigger amount of data it started freezing
>> without any hint in any firewall or VPN log.
>>
>>
>> Axel Westerhold
>> Technical Lead
>> Congos Inc.
udp -- * * 0.0.0.0/0 >>0.0.0.0/0 udp dpts:67:68 >> > 2 351 loc2fw all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain dropBcast (2 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 PKTTYPE = broadcast >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 PKTTYPE = multicast >> > >> > Chain dropInvalid (2 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 state INVALID >> > >> > Chain dropNotSyn (2 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 DROP tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp flags:!0x16/0x02 >> > >> > Chain dynamic (4 references) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain fw2loc (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 1 90 AllowSSH all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > 1 90 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain fw2net (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 194 28020 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 0 0 ACCEPT udp -- * * 0.0.0.0/0 >>213.54.197.136 udp spt:7777 dpt:7777 >> > 0 0 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain icmpdef (0 references) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain loc2fw (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 2 351 AllowSSH all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > 2 351 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain loc2net (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 5 240 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 0 0 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain net2all (2 references) >> > pkts 
bytes target prot opt in out source >>destination >> > 0 0 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 3 144 Drop all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > 0 0 ULOG all -- * * 0.0.0.0/0 >>0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=net2all:1 >>a=DROP '' queue_threshold 1 >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain net2fw (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 125 13008 ACCEPT all -- * * 0.0.0.0/0 >>0.0.0.0/0 state RELATED,ESTABLISHED >> > 0 0 ACCEPT udp -- * * 213.54.197.136 >>0.0.0.0/0 udp spt:7777 dpt:7777 >> > 3 144 AllowSSH all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > 3 144 net2all all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain ppp0_fwd (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 dynamic all -- * * 0.0.0.0/0 >>0.0.0.0/0 state INVALID,NEW >> > 0 0 net2all all -- * br0 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain ppp0_in (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 3 144 dynamic all -- * * 0.0.0.0/0 >>0.0.0.0/0 state INVALID,NEW >> > 128 13152 net2fw all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain reject (11 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 PKTTYPE = broadcast >> > 0 0 DROP all -- * * 0.0.0.0/0 >>0.0.0.0/0 PKTTYPE = multicast >> > 0 0 DROP all -- * * 192.168.11.255 >>0.0.0.0/0 >> > 0 0 DROP all -- * * 255.255.255.255 >>0.0.0.0/0 >> > 0 0 DROP all -- * * 224.0.0.0/4 >>0.0.0.0/0 >> > 0 0 REJECT tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 reject-with tcp-reset >> > 0 0 REJECT udp -- * * 0.0.0.0/0 >>0.0.0.0/0 reject-with icmp-port-unreachable >> > 0 0 REJECT icmp -- * * 0.0.0.0/0 >>0.0.0.0/0 reject-with icmp-host-unreachable >> > 0 0 REJECT all -- * * 0.0.0.0/0 >>0.0.0.0/0 reject-with icmp-host-prohibited >> > >> > Chain shorewall (0 references) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain smurfs (0 references) >> 
> pkts bytes target prot opt in out source >>destination >> > 0 0 ULOG all -- * * 192.168.11.255 >>0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:1 >>a=DROP '' queue_threshold 1 >> > 0 0 DROP all -- * * 192.168.11.255 >>0.0.0.0/0 >> > 0 0 ULOG all -- * * 255.255.255.255 >>0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:2 >>a=DROP '' queue_threshold 1 >> > 0 0 DROP all -- * * 255.255.255.255 >>0.0.0.0/0 >> > 0 0 ULOG all -- * * 224.0.0.0/4 >>0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:3 >>a=DROP '' queue_threshold 1 >> > 0 0 DROP all -- * * 224.0.0.0/4 >>0.0.0.0/0 >> > >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=67.180.168.30 >>DST=212.202.210.90 LEN=404 TOS=00 PREC=0x00 TTL=113 ID=64773 CE >>PROTO=UDP SPT=4230 DPT=1434 LEN=384 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31714 DF PROTO=TCP >>SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31715 DF PROTO=TCP >>SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31716 DF PROTO=TCP >>SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=31717 DF PROTO=TCP >>SPT=4521 DPT=4662 SEQ=298586315 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 >>DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=41 ID=28871 DF PROTO=TCP >>SPT=2898 DPT=23 SEQ=2534953758 ACK=0 WINDOW=32768 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 >>DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=40 ID=28873 DF PROTO=TCP >>SPT=2898 DPT=23 SEQ=2534953758 ACK=0 
WINDOW=32768 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=192.108.116.47 >>DST=212.202.210.90 LEN=48 TOS=00 PREC=0x00 TTL=40 ID=28874 DF PROTO=TCP >>SPT=2898 DPT=23 SEQ=2534953758 ACK=0 WINDOW=32768 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61896 CE DF >>PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61897 CE DF >>PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61898 CE DF >>PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=61899 CE DF >>PROTO=TCP SPT=1240 DPT=4662 SEQ=774243448 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57824 CE DF >>PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57825 CE DF >>PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57826 CE DF >>PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=57827 CE DF >>PROTO=TCP SPT=2422 DPT=4662 SEQ=1866030927 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 
LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21140 DF PROTO=TCP >>SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21141 DF PROTO=TCP >>SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21142 DF PROTO=TCP >>SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0 >> > Jan 1 01:00:00 net2all:1 a=DROP IN=ppp0 OUT= SRC=80.138.163.144 >>DST=212.202.210.90 LEN=60 TOS=00 PREC=0x00 TTL=58 ID=21143 DF PROTO=TCP >>SPT=4820 DPT=4662 SEQ=685272762 ACK=0 WINDOW=5808 SYN URGP=0 >> > >> > NAT Table >> > >> > Chain PREROUTING (policy ACCEPT 287K packets, 17M bytes) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain POSTROUTING (policy ACCEPT 115K packets, 9065K bytes) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 ppp0_masq all -- * ppp0 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain OUTPUT (policy ACCEPT 105K packets, 7230K bytes) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain ppp0_masq (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 MASQUERADE all -- * * 192.168.11.0/24 >>0.0.0.0/0 >> > >> > Mangle Table >> > >> > Chain PREROUTING (policy ACCEPT 2612K packets, 1089M bytes) >> > pkts bytes target prot opt in out source >>destination >> > 174 28299 pretos all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > Chain INPUT (policy ACCEPT 2471K packets, 991M bytes) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain FORWARD (policy ACCEPT 161K packets, 101M bytes) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain OUTPUT (policy ACCEPT 2546K packets, 995M bytes) >> > pkts bytes target prot opt in out source >>destination >> > 198 28282 outtos all -- * * 0.0.0.0/0 >>0.0.0.0/0 >> > >> > 
Chain POSTROUTING (policy ACCEPT 2709K packets, 1096M bytes) >> > pkts bytes target prot opt in out source >>destination >> > >> > Chain outtos (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:22 TOS set 0x10 >> > 133 8056 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:22 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:21 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:21 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:20 TOS set 0x08 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:20 TOS set 0x08 >> > >> > Chain pretos (1 references) >> > pkts bytes target prot opt in out source >>destination >> > 101 9240 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:22 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:22 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:21 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:21 TOS set 0x10 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp spt:20 TOS set 0x08 >> > 0 0 TOS tcp -- * * 0.0.0.0/0 >>0.0.0.0/0 tcp dpt:20 TOS set 0x08 >> > >> > tcp 6 431591 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 >>sport=33029 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 >>dport=33029 [ASSURED] use=1 >> > tcp 6 16 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 >>sport=3196 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 >>dport=3196 [ASSURED] use=1 >> > tcp 6 264747 ESTABLISHED src=192.168.11.11 dst=192.168.11.62 >>sport=139 dport=1032 [UNREPLIED] src=192.168.11.62 dst=192.168.11.11 >>sport=1032 dport=139 use=1 >> > tcp 6 9 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 >>sport=3194 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 >>dport=3194 [ASSURED] use=1 >> > udp 17 178 src=212.202.210.90 dst=213.54.197.136 sport=7777 >>dport=7777 src=213.54.197.136 dst=212.202.210.90 sport=7777 dport=7777 >>[ASSURED] use=1 >> > udp 17 23 
src=192.168.11.11 dst=192.168.11.1 sport=32868 >>dport=53 src=192.168.11.1 dst=192.168.11.11 sport=53 dport=32868 >>[ASSURED] use=1 >> > udp 17 91 src=192.168.11.1 dst=192.168.11.1 sport=1345 dport=53 >>src=192.168.11.1 dst=192.168.11.1 sport=53 dport=1345 [ASSURED] use=1 >> > tcp 6 30 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 >>sport=3200 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 >>dport=3200 [ASSURED] use=1 >> > tcp 6 20 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 >>sport=3197 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 >>dport=3197 [ASSURED] use=1 >> > tcp 6 431998 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 >>sport=34561 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 >>dport=34561 [ASSURED] use=1 >> > unknown 2 195 src=192.168.11.150 dst=224.0.0.22 [UNREPLIED] >>src=224.0.0.22 dst=192.168.11.150 use=1 >> > tcp 6 431983 ESTABLISHED src=192.168.11.150 dst=192.168.11.11 >>sport=3305 dport=139 src=192.168.11.11 dst=192.168.11.150 sport=139 >>dport=3305 [ASSURED] use=1 >> > tcp 6 54 SYN_RECV src=192.168.1.30 dst=192.168.11.11 sport=3306 >>dport=139 src=192.168.11.11 dst=192.168.1.30 sport=139 dport=3306 use=1 >> > tcp 6 23 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 >>sport=3198 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 >>dport=3198 [ASSURED] use=1 >> > >> > IP Configuration >> > >> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue >> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 >> > inet 127.0.0.1/8 scope host lo >> > inet6 ::1/128 scope host >> > valid_lft forever preferred_lft forever >> > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast >>qlen 1000 >> > link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff >> > inet6 fe80::201:2ff:fe10:773a/64 scope link >> > valid_lft forever preferred_lft forever >> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 >> > link/ether 00:50:ba:c9:be:76 brd ff:ff:ff:ff:ff:ff >> > inet6 fe80::250:baff:fec9:be76/64 
scope link >> > valid_lft forever preferred_lft forever >> > 4: sit0: <NOARP> mtu 1480 qdisc noop >> > link/sit 0.0.0.0 brd 0.0.0.0 >> > 6: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast >>qlen 1000 >> > link/ether 00:ff:a6:07:65:f7 brd ff:ff:ff:ff:ff:ff >> > inet6 fe80::2ff:a6ff:fe07:65f7/64 scope link >> > valid_lft forever preferred_lft forever >> > 7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue >> > link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff >> > inet 192.168.11.1/24 brd 192.168.11.255 scope global br0 >> > inet6 fe80::201:2ff:fe10:773a/64 scope link >> > valid_lft forever preferred_lft forever >> > 11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast >>qlen 3 >> > link/ppp >> > inet 212.202.210.90 peer 213.148.128.18/32 scope global ppp0 >> > >> > Routing Rules >> > >> > 0: from all lookup local >> > 32766: from all lookup main >> > 32767: from all lookup default >> > >> > Table local: >> > >> > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 >> > local 192.168.11.1 dev br0 proto kernel scope host src 192.168.11.1 >> > broadcast 192.168.11.0 dev br0 proto kernel scope link src >>192.168.11.1 >> > broadcast 192.168.11.255 dev br0 proto kernel scope link src >>192.168.11.1 >> > local 212.202.210.90 dev ppp0 proto kernel scope host src >>212.202.210.90 >> > broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 >> > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 >> > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 >> > >> > Table main: >> > >> > 213.148.128.18 dev ppp0 proto kernel scope link src 212.202.210.90 >> > 192.168.11.0/24 dev br0 proto kernel scope link src 192.168.11.1 >> > default via 213.148.128.18 dev ppp0 >> > >> > Table default: >> > >> > >> > >> > ------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > Shorewall-users mailing list >> > Post: 
>> > Shorewall-users@lists.shorewall.net
>> > Subscribe/Unsubscribe: lists.shorewall.net/mailman/listinfo/shorewall-users
>> > Support: shorewall.net/support.htm
>> > FAQ: shorewall.net/FAQ.htm
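The conntrack entries in the dump above are the most telling part of it for an SMB timeout: one port-139 flow is marked [UNREPLIED] with the server side recorded as the original direction, and another sits in SYN_RECV. The script below is an added example, not code from this thread or from Shorewall: it parses /proc/net/ip_conntrack-style lines in the format quoted above and picks out the SMB flows for which conntrack has only ever seen one direction of traffic, which is the symptom to look for when a bridged or VPN path lets packets bypass the firewall. The sample entries are constructed in the same format using private and documentation addresses rather than the ones in the thread; SMB_PORTS, Flow, parse_conntrack, stuck_smb_flows and diagnosis are names chosen here.

```python
"""Flag SMB/CIFS conntrack entries that have only been seen in one direction.

Added example for the mailing-list dump above; not part of Shorewall.
Input format is that of /proc/net/ip_conntrack on 2.4/2.6 kernels, as quoted
in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# TCP ports used by SMB: NetBIOS session service and direct-hosted SMB.
SMB_PORTS = {139, 445}

# Constructed sample in the dump's format (addresses are not from the thread).
SAMPLE = """\
tcp 6 431998 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34561 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=34561 [ASSURED] use=1
tcp 6 264747 ESTABLISHED src=10.0.0.11 dst=10.0.0.62 sport=139 dport=1032 [UNREPLIED] src=10.0.0.62 dst=10.0.0.11 sport=1032 dport=139 use=1
tcp 6 54 SYN_RECV src=10.0.1.30 dst=10.0.0.11 sport=3306 dport=139 src=10.0.0.11 dst=10.0.1.30 sport=139 dport=3306 use=1
tcp 6 431983 ESTABLISHED src=10.0.0.150 dst=10.0.0.11 sport=3305 dport=139 src=10.0.0.11 dst=10.0.0.150 sport=139 dport=3305 [ASSURED] use=1
udp 17 23 src=10.0.0.11 dst=10.0.0.1 sport=32868 dport=53 src=10.0.0.1 dst=10.0.0.11 sport=53 dport=32868 [ASSURED] use=1
unknown 2 195 src=10.0.0.150 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=10.0.0.150 use=1
"""

# proto, protocol number, timeout, optional TCP state, original-direction
# tuple (ports only for tcp/udp), optional [UNREPLIED], then the reply tuple.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+))?"
    r"(?P<unreplied>\s+\[UNREPLIED\])?"
    r"\s+src=\S+\s+dst=\S+"
)


@dataclass
class Flow:
    proto: str
    timeout: int              # seconds left before the entry expires
    state: Optional[str]      # TCP state; None for udp/unknown
    src: str                  # original direction = first packet conntrack saw
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    unreplied: bool           # no packet seen in the reply direction yet
    assured: bool             # both directions seen, entry will not be evicted early

    @property
    def smb(self) -> bool:
        return self.proto == "tcp" and (self.sport in SMB_PORTS or self.dport in SMB_PORTS)

    @property
    def half_open(self) -> bool:
        # SYN_RECV: SYN and SYN/ACK seen, the final ACK never arrived here.
        return self.unreplied or self.state == "SYN_RECV"


def parse_conntrack(text: str) -> List[Flow]:
    """Parse every conntrack entry in text; non-matching lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(
            proto=m["proto"], timeout=int(m["timeout"]), state=m["state"],
            src=m["src"], dst=m["dst"],
            sport=int(m["sport"]) if m["sport"] else None,
            dport=int(m["dport"]) if m["dport"] else None,
            unreplied=m["unreplied"] is not None,
            assured="[ASSURED]" in line,
        ))
    return flows


def stuck_smb_flows(text: str) -> List[Flow]:
    """SMB flows for which conntrack has not seen both directions."""
    return [f for f in parse_conntrack(text) if f.smb and f.half_open]


def diagnosis(f: Flow) -> str:
    """Explain what the conntrack state implies about the path the packets took."""
    if f.unreplied and f.sport in SMB_PORTS:
        # The first packet this box saw came FROM the server port, so the
        # client's request reached the server by a path this firewall never saw.
        return "server->client seen first; client's request bypassed this conntrack"
    if f.state == "SYN_RECV":
        return "SYN and SYN/ACK seen, final ACK missing"
    if f.unreplied:
        return "client request seen, no reply from server"
    return "two-way traffic seen"


if __name__ == "__main__":
    for f in stuck_smb_flows(SAMPLE):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"(timeout {f.timeout}s): {diagnosis(f)}")
```

Run against a live box with `python3 smbtrack.py < /proc/net/ip_conntrack` by replacing SAMPLE with stdin; an ESTABLISHED entry that is [UNREPLIED] with the server port in the original tuple is worth more attention than a SYN_RECV one, because it means the request itself was never seen on the firewall.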