I'm having a problem with the Shorewall firewall and CUPS printing
interfering with each other. My Linux firewall machine is acting as both
a CUPS server and client for all of my tests.

  Shorewall 2.0.13
  CUPS 1.1.22-2
  Linux kernel 2.6.9

CUPS was working fine to print to my Epson C84 (network connected via a
Netgear PS101 print server using lpd://PS101.IP.address/raw ) until I
installed the Shorewall firewall on the machine running CUPS.

When I installed Shorewall, I opened up port 515 for lpd printing from
the firewall to the local network

  ACCEPT fw loc tcp 515 # LPD

However, as soon as I started the Shorewall firewall, I found that I
could no longer print from the firewall machine using CUPS. If I tried
to print while the firewall was up, nothing happened. However, as soon
as I shut down Shorewall, all of the queued print jobs immediately
printed.

Okay, my first thought was that I had to open more ports in the
firewall. So I checked the Shorewall packet reject log to see which
ports I would need to open. Surprisingly, NO PACKETS RELATED TO PRINTING
HAD BEEN REJECTED. It was not a logging problem, because there were
packets occasionally being rejected, but not during the times when I was
trying to print.

Just to make sure, I put a couple lines in my Shorewall policy file to
open ALL ports between fw<->loc , and I still could not print.

  loc fw ACCEPT
  fw loc ACCEPT

So, with the exception of printing with CUPS, the Shorewall firewall
is working with all of my other programs. And with the exception of
Shorewall, the CUPS printing works with all of my other programs. But I
cannot use CUPS and Shorewall together, since they seem to interfere.

How can I find out the source of the interference? What is the best way
to troubleshoot this?

Here's some output from the end of the CUPS log from when I try a print
job:

  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT tossing right 0
  I [28/Dec/2004:12:05:40 -0500] [Job 9] Finished page 1...
  d [28/Dec/2004:12:05:40 -0500] PID 7522 exited with no errors.
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_height 3915
  D [28/Dec/2004:12:05:40 -0500] [Job 9] GIMP-PRINT: Image_width 3060
  I [28/Dec/2004:12:05:40 -0500] [Job 9] Ready to print.
  I [28/Dec/2004:12:05:40 -0500] [Job 9] Attempting to connect to host 192.168.0.19 for printer raw
  d [28/Dec/2004:12:05:40 -0500] PID 7523 exited with no errors.
  d [28/Dec/2004:12:05:41 -0500] select_timeout: 11 seconds to process active jobs

And here are some packets from the end of the Shorewall log just AFTER I
tried to print (above). Note that the rejected packets occurred before
the print job, and none during or after.

  Dec 28 11:54:38 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=50729 DPT=53 LEN=42
  Dec 28 11:56:15 net2all:DROP:IN=eth0 OUT= SRC=212.194.238.252 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=112 ID=45094 PROTO=UDP SPT=24846 DPT=1026 LEN=887
  Dec 28 11:56:16 net2all:DROP:IN=eth0 OUT= SRC=212.83.228.10 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=113 ID=46145 PROTO=UDP SPT=17677 DPT=1027 LEN=887
  [END, as of 12:07:48]

ip addr show

  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:cc:52:ed:49 brd ff:ff:ff:ff:ff:ff
      inet 24.225.153.172/20 brd 255.255.255.255 scope global eth0
      inet6 fe80::2a0:ccff:fe52:ed49/64 scope link
         valid_lft forever preferred_lft forever
  3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:07:e9:17:84:86 brd ff:ff:ff:ff:ff:ff
      inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
      inet6 fe80::207:e9ff:fe17:8486/64 scope link
         valid_lft forever preferred_lft forever
  4: sit0: <NOARP> mtu 1480 qdisc noop
      link/sit 0.0.0.0 brd 0.0.0.0

ip route show

  192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
  24.225.144.0/20 dev eth0 proto kernel scope link src 24.225.153.172
  default via 24.225.144.1 dev eth0

-- 
Erik Reuter http://www.erikreuter.net/
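The question above ("How can I find out the source of the interference?") starts with the log, and the log is awkward to read by eye once it has more than a handful of lines. The script below is an added example for this thread, not code from the thread or from the Shorewall project: it parses netfilter LOG lines of the kind Shorewall writes and filters them for anything touching the print server or port 515. The first three sample lines are the ones posted above; the fourth is a constructed line, invented here to show what a dropped reply from the print server would look like so that the filter has something to find (no such line appears in the real log). The host and port constants are taken from the thread.

```python
"""Filter Shorewall / netfilter LOG lines for packets involving a given
host or port.  Added example for this thread, not code from the thread
or from the Shorewall project."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Three lines from the post above, plus one CONSTRUCTED line (not from the
# real log) showing what a dropped SYN-ACK from the print server would look like.
ERIK_LINES = """\
Dec 28 11:54:38 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=50729 DPT=53 LEN=42
Dec 28 11:56:15 net2all:DROP:IN=eth0 OUT= SRC=212.194.238.252 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=112 ID=45094 PROTO=UDP SPT=24846 DPT=1026 LEN=887
Dec 28 11:56:16 net2all:DROP:IN=eth0 OUT= SRC=212.83.228.10 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=113 ID=46145 PROTO=UDP SPT=17677 DPT=1027 LEN=887
"""
CONSTRUCTED_LINE = (
    "Dec 28 12:05:41 loc2fw:DROP:IN=eth1 OUT= SRC=192.168.0.19 DST=192.168.0.1 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=515 DPT=1022 "
    "WINDOW=5840 RES=0x00 ACK SYN URGP=0\n"
)
SAMPLE_LOG = ERIK_LINES + CONSTRUCTED_LINE

PRINT_SERVER = "192.168.0.19"   # print server address from the thread
LPD_PORT = 515

# syslog timestamp, optional "host kernel: [uptime]", optional "Shorewall:"
# prefix, then <chain>:<disposition>: and the key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
    r"(?: \S+ kernel:(?: \[ *[\d.]+\])?)?"
    r" (?:Shorewall:)?(?P<chain>[\w-]+):(?P<disp>[A-Z]+):"
    r"(?P<rest>.*)$"
)


@dataclass
class Entry:
    ts: str
    chain: str
    disposition: str
    fields: Dict[str, str]                       # IN, OUT, SRC, DST, PROTO, LEN, ...
    flags: Set[str] = field(default_factory=set)  # SYN, ACK, DF, ...

    @property
    def src(self) -> str:
        return self.fields.get("SRC", "")

    @property
    def dst(self) -> str:
        return self.fields.get("DST", "")

    def port(self, key: str) -> Optional[int]:
        v = self.fields.get(key)
        return int(v) if v and v.isdigit() else None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None if the line is not a netfilter LOG line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)   # LEN appears twice; keep the IP-level one
        else:
            flags.add(tok)            # bare tokens are flags: SYN, ACK, DF, ...
    return Entry(m.group("ts"), m.group("chain"), m.group("disp"), fields, flags)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def involves(e: Entry, host: str, port: int) -> bool:
    """True if the packet has `host` as an endpoint or `port` at either end."""
    return host in (e.src, e.dst) or port in (e.port("SPT"), e.port("DPT"))


def printing_drops(text: str, host: str = PRINT_SERVER, port: int = LPD_PORT) -> List[Entry]:
    """Logged packets that touch the print server or the LPD port."""
    return [e for e in parse_log(text) if involves(e, host, port)]


if __name__ == "__main__":
    for e in printing_drops(SAMPLE_LOG):
        print(e.ts, e.chain, e.disposition, e.src, e.port("SPT"), "->",
              e.dst, e.port("DPT"), sorted(e.flags))
```

Run it over the real log with `printing_drops(open("/var/log/messages").read())`. An empty result is exactly what the post reports: nothing touching the print server reached a LOG rule. That is not the same as nothing being dropped: a DROP or REJECT rule with no LOG rule in front of it, or a packet discarded by connection tracking before any logging rule is reached, leaves no line behind, which is why the log has to be read together with the chain counters.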
On Saturday 08 January 2005 03:17 pm, Erik Reuter wrote:
> I'm having a problem with the Shorewall firewall and CUPS printing
> interfering with each other. My Linux firewall machine is acting as both
> a CUPS server and client for all of my tests.
>
> Shorewall 2.0.13
> CUPS 1.1.22-2
> Linux kernel 2.6.9
>
> CUPS was working fine to print to my Epson C84 (network connected via a
> Netgear PS101 print server using lpd://PS101.IP.address/raw ) until I
> installed the Shorewall firewall on the machine running CUPS.
>
> When I installed Shorewall, I opened up port 515 for lpd printing from
> the firewall to the local network
>
> ACCEPT fw loc tcp 515 # LPD

I could be wrong, but I thought cups ran on 631

  ACCEPT net fw tcp 631
  ACCEPT net fw udp 631
  # Above only to allow printing from remote sites to local printers
  ACCEPT loc fw tcp 631
  ACCEPT loc fw udp 631

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
On Sat, Jan 08, 2005 at 04:25:55PM -0900, John Andersen wrote:
> I could be wrong, but I thought cups ran on 631

That is the port for the administration interface.

But it doesn't matter, as I said, I later opened all ports between
loc<->fw and it still didn't help.

Also, no rejected packets, 631 or otherwise, were logged.

-- 
Erik Reuter http://www.erikreuter.net/
Ok.

  Dec 28 11:54:38 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=50729 DPT=53 LEN=42

Now what this has to do with printing is not clear, but you do indicate
that these log messages come from an attempt at printing, correct?

Notice two things. The rfc1918 address, that is coming from somewhere,
and is going to the broadcast address, in a network of public ip
addresses. Shorewall of course, as the log indicates, drops this rfc1918
traffic, and also, I imagine that shorewall controls unneeded traffic to
broadcast addresses, such as those that are used in various DOS
exploits, etc.

So, here we see shorewall having an effect on your environment that was
working before shorewall was installed. What this means to me is that
your "working" network is really broken, and only works due to the
unrestricted (no shorewall) environment you have running.

What you need to do is fix your network first. I am not sure why a dns
request would ever be sent to the broadcast address (comments?) but this
looks to be the case.

If you want more help here, I would suggest posting a full support
request as detailed in http://www.shorewall.net/support.htm .

Here is a thing I have noticed, when the question is not relevant to
shorewall (ie, your network is broken to start with) more experienced
users do not bother to reply at all.

Again, submit a complete support request, and we may be able to sort
this out for you.

Just read your latest email. The open policy testing idea still does not
release shorewall's control of broadcasting, etc. So, please submit a
full report, so that your network might be fixed.

Alex Martin
http://www.rettc.com

Erik Reuter wrote:
> I'm having a problem with the Shorewall firewall and CUPS printing
> interfering with each other. My Linux firewall machine is acting as both
> a CUPS server and client for all of my tests.
On Saturday 08 January 2005 04:29 pm, Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 04:25:55PM -0900, John Andersen wrote:
> > I could be wrong, but I thought cups ran on 631
>
> That is the port for the administration interface.

Not ONLY admin, Erik, also print traffic. I've been running this package
for years, and that is the ONLY port I open from the outside to allow
such traffic. It's the standard port for IPP traffic. Even Microsoft's
IPP drivers use 631.

> But it doesn't matter, as I said, I later opened all ports between
> loc<->fw and it still didn't help.
>
> Also, no rejected packets, 631 or otherwise, were logged.

Does netstat show something listening on 515? What about 631?

Don't forget to set cupsd.conf to allow traffic from other than local
machines. I expect you've done this already or it would never have
worked.

The port that CUPS talks to the NETGEAR print server on also has to be
allowed if your policy is to disallow fw to loc. In my cups
printers.conf the netgear printers have something like this:

  DeviceURI socket://192.168.2.241:4010

But that port is never available from the outside.

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 04:25:55PM -0900, John Andersen wrote:
>
>> I could be wrong, but I thought cups ran on 631
>
> That is the port for the administration interface.
>
> But it doesn't matter, as I said, I later opened all ports between
> loc<->fw and it still didn't help.
>
> Also, no rejected packets, 631 or otherwise, were logged.
>

no, that is the port for cups. lpd is 515. cups does everything over
631.

-- 
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
On Sat, Jan 08, 2005 at 06:42:55PM -0700, Alex Martin wrote:
>
> Now what this has to do with printing is not clear, but you do indicate
> that these log messages come from an attempt at printing, correct?

No, not correct. Those log messages came BEFORE I tried to print. I just
included them to show that SOME packets were getting logged (otherwise
you might wonder if my logging was working). As I said, no rejected
packets were logged during or after the print job.

> Notice two things. The rfc1918 address, that is coming from somewhere,
> and is going to the broadcast address, in a network of public ip
> addresses.

I think that is a DHCP broadcast from my cable modem. It comes every 5
minutes or so.

> What this means to me is that your "working" network is really broken,

I don't think so. It works quite well in every other way except CUPS
printing.

-- 
Erik Reuter http://www.erikreuter.net/
On Sat, Jan 08, 2005 at 05:47:10PM -0800, Jack Coates wrote:
> no, that is the port for cups. lpd is 515. cups does everything over
> 631.

Since I am printing to the printserver using the lpd protocol from
the firewall (i.e., the CUPS server and client are the same machine),
shouldn't it use port 515 on the local network? (the firewall is
192.168.0.1 and the printserver is 192.168.0.19)

Anyway, as I said, even when I put in my policy file lines to allow all
packets fw <-> loc, it still didn't help.

-- 
Erik Reuter http://www.erikreuter.net/
On Saturday 08 January 2005 05:15 pm, Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 05:47:10PM -0800, Jack Coates wrote:
> > no, that is the port for cups. lpd is 515. cups does everything over
> > 631.
>
> Since I am printing to the printserver using the lpd protocol from
> the firewall (i.e., the CUPS server and client are the same machine),
> shouldn't it use port 515 on the local network? (the firewall is
> 192.168.0.1 and the printserver is 192.168.0.19)

Not usually, depending on the model of Netgear you have. Cups has a
backend to talk to someone else's lpd (in another machine), but once you
put in cups, you seldom have lpd at all in your local machine. (There is
a cups-lpd that you can run thru inetd/xinetd to listen for traffic from
other lpds in other machines. Most people don't use it, it's not normal.
man cups-lpd)

Normally cups accepts connections from clients on 631, and talks to
printers via a variety of means (direct connect to a parallel port,
jetdirect (9010), netgear (4010), smb clients, etc.). But lpd is normally
out of the picture once you install cups.

> Anyway, as I said, even when I put in my policy file lines to allow all
> packets fw <-> loc, it still didn't help.

Run netstat -anp and see what ports are being listened to...
Perhaps cups died on you or something.

-- 
John Andersen - NORCOM http://www.norcomsoftware.com/
On Sat, Jan 08, 2005 at 05:29:00PM -0900, John Andersen wrote:
> But lpd is normally out of the picture once you install cups.

But the URL I set in cups to print to the Netgear printserver is
lpd://192.168.0.19/raw

Are you saying that won't use the lpd protocol on port 515?

> Run netstat -anp and see what ports are being listened to...
> Perhaps cups died on you or something.

I don't think CUPS died. As I said, as soon as I stop the shorewall, all
of my CUPS jobs that were queued up begin printing. But here is netstat
-anp that you asked for:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      -
tcp        0      0 24.225.153.172:53       0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      1 192.168.0.1:1022        192.168.0.19:515        SYN_SENT    -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 ::ffff:192.168.0.1:22   ::ffff:192.168.0.2:1361 ESTABLISHED -
tcp6       0      0 ::ffff:192.168.0.1:22   ::ffff:192.168.0.2:1360 ESTABLISHED -
tcp6       0      0 ::ffff:192.168.0.1:22   ::ffff:192.168.0.2:1303 ESTABLISHED -
tcp6       0    180 ::ffff:192.168.0.1:22   ::ffff:192.168.0.6:4397 ESTABLISHED -
tcp6       0      0 ::ffff:192.168.0.1:22   ::ffff:192.168.0.6:4396 ESTABLISHED -
udp        0      0 0.0.0.0:32770           0.0.0.0:*                           -
udp        0      0 192.168.0.1:53          0.0.0.0:*                           -
udp        0      0 24.225.153.172:53       0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
udp        0      0 192.168.0.1:123         0.0.0.0:*                           -
udp        0      0 24.225.153.172:123      0.0.0.0:*                           -
udp        0      0 127.0.0.1:123           0.0.0.0:*                           -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
udp6       0      0 :::32769                :::*                                -
udp6       0      0 :::123                  :::*                                -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node  PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     5126947 -                   private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     5126951 -                   private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     5126955 -                   private/defer
unix  2      [ ACC ]     STREAM     LISTENING     5126967 -                   private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     5126979 -                   private/error
unix  2      [ ACC ]     STREAM     LISTENING     5126983 -                   private/local
unix  2      [ ACC ]     STREAM     LISTENING     5126987 -                   private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     5126963 -                   private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     5126991 -                   private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     5126999 -                   private/cyrus
unix  2      [ ACC ]     STREAM     LISTENING     5127003 -                   private/uucp
unix  2      [ ACC ]     STREAM     LISTENING     5127007 -                   private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     5127011 -                   private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     5127015 -                   private/scalemail-backend
unix  2      [ ACC ]     STREAM     LISTENING     5126971 -                   private/relay
unix  2      [ ACC ]     STREAM     LISTENING     5126995 -                   private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     5127019 -                   private/trace
unix  2      [ ACC ]     STREAM     LISTENING     5127023 -                   private/verify
unix  22     [ ]         DGRAM                    5180    -                   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     5199    -                   /var/run/ndc
unix  2      [ ACC ]     STREAM     LISTENING     5126940 -                   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     5126959 -                   public/flush
unix  2      [ ACC ]     STREAM     LISTENING     5126975 -                   public/showq
unix  2      [ ACC ]     STREAM     LISTENING     1887505 5411/gconfd-2       /tmp/orbit-ereuter/linc-1523-0-16a1b38f432d9
unix  2      [ ACC ]     STREAM     LISTENING     5379    -                   /var/run/dovecot/login/default
unix  2      [ ]         DGRAM                    5151082 -
unix  2      [ ]         DGRAM                    5151071 -
unix  2      [ ]         DGRAM                    5145928 -
unix  2      [ ]         DGRAM                    5127030 -
unix  3      [ ]         STREAM     CONNECTED     5127026 -
unix  3      [ ]         STREAM     CONNECTED     5127025 -
unix  3      [ ]         STREAM     CONNECTED     5127022 -
unix  3      [ ]         STREAM     CONNECTED     5127021 -
unix  3      [ ]         STREAM     CONNECTED     5127018 -
unix  3      [ ]         STREAM     CONNECTED     5127017 -
unix  3      [ ]         STREAM     CONNECTED     5127014 -
unix  3      [ ]         STREAM     CONNECTED     5127013 -
unix  3      [ ]         STREAM     CONNECTED     5127010 -
unix  3      [ ]         STREAM     CONNECTED     5127009 -
unix  3      [ ]         STREAM     CONNECTED     5127006 -
unix  3      [ ]         STREAM     CONNECTED     5127005 -
unix  3      [ ]         STREAM     CONNECTED     5127002 -
unix  3      [ ]         STREAM     CONNECTED     5127001 -
unix  3      [ ]         STREAM     CONNECTED     5126998 -
unix  3      [ ]         STREAM     CONNECTED     5126997 -
unix  3      [ ]         STREAM     CONNECTED     5126994 -
unix  3      [ ]         STREAM     CONNECTED     5126993 -
unix  3      [ ]         STREAM     CONNECTED     5126990 -
unix  3      [ ]         STREAM     CONNECTED     5126989 -
unix  3      [ ]         STREAM     CONNECTED     5126986 -
unix  3      [ ]         STREAM     CONNECTED     5126985 -
unix  3      [ ]         STREAM     CONNECTED     5126982 -
unix  3      [ ]         STREAM     CONNECTED     5126981 -
unix  3      [ ]         STREAM     CONNECTED     5126978 -
unix  3      [ ]         STREAM     CONNECTED     5126977 -
unix  3      [ ]         STREAM     CONNECTED     5126974 -
unix  3      [ ]         STREAM     CONNECTED     5126973 -
unix  3      [ ]         STREAM     CONNECTED     5126970 -
unix  3      [ ]         STREAM     CONNECTED     5126969 -
unix  3      [ ]         STREAM     CONNECTED     5126966 -
unix  3      [ ]         STREAM     CONNECTED     5126965 -
unix  3      [ ]         STREAM     CONNECTED     5126962 -
unix  3      [ ]         STREAM     CONNECTED     5126961 -
unix  3      [ ]         STREAM     CONNECTED     5126958 -
unix  3      [ ]         STREAM     CONNECTED     5126957 -
unix  3      [ ]         STREAM     CONNECTED     5126954 -
unix  3      [ ]         STREAM     CONNECTED     5126953 -
unix  3      [ ]         STREAM     CONNECTED     5126950 -
unix  3      [ ]         STREAM     CONNECTED     5126949 -
unix  3      [ ]         STREAM     CONNECTED     5126946 -
unix  3      [ ]         STREAM     CONNECTED     5126945 -
unix  3      [ ]         STREAM     CONNECTED     5126943 -
unix  3      [ ]         STREAM     CONNECTED     5126942 -
unix  3      [ ]         STREAM     CONNECTED     5126939 -
unix  3      [ ]         STREAM     CONNECTED     5126938 -
unix  3      [ ]         STREAM     CONNECTED     5126936 -
unix  3      [ ]         STREAM     CONNECTED     5126935 -
unix  2      [ ]         DGRAM                    5126928 -
unix  2      [ ]         DGRAM                    5018627 -
unix  3      [ ]         STREAM     CONNECTED     5018626 -
unix  3      [ ]         STREAM     CONNECTED     5018625 -
unix  2      [ ]         DGRAM                    5018557 -
unix  3      [ ]         STREAM     CONNECTED     5018556 -
unix  3      [ ]         STREAM     CONNECTED     5018555 -
unix  2      [ ]         DGRAM                    5016817 -
unix  3      [ ]         STREAM     CONNECTED     5016816 -
unix  3      [ ]         STREAM     CONNECTED     5016815 -
unix  2      [ ]         DGRAM                    4009867 -
unix  3      [ ]         STREAM     CONNECTED     4009866 -
unix  3      [ ]         STREAM     CONNECTED     4009865 -
unix  2      [ ]         DGRAM                    4009797 -
unix  3      [ ]         STREAM     CONNECTED     4009796 -
unix  3      [ ]         STREAM     CONNECTED     4009795 -
unix  2      [ ]         DGRAM                    3062727 -
unix  3      [ ]         STREAM     CONNECTED     2523505 -                   /var/run/dovecot/login/default
unix  3      [ ]         STREAM     CONNECTED     2523504 -
unix  2      [ ]         DGRAM                    2523503 -
unix  3      [ ]         STREAM     CONNECTED     2523502 -
unix  3      [ ]         STREAM     CONNECTED     2523501 -
unix  3      [ ]         STREAM     CONNECTED     2523359 -                   /var/run/dovecot/login/default
unix  3      [ ]         STREAM     CONNECTED     2523358 -
unix  2      [ ]         DGRAM                    2523357 -
unix  3      [ ]         STREAM     CONNECTED     2523356 -
unix  3      [ ]         STREAM     CONNECTED     2523355 -
unix  3      [ ]         STREAM     CONNECTED     2523241 -                   /var/run/dovecot/login/default
unix  3      [ ]         STREAM     CONNECTED     2523240 -
unix  2      [ ]         DGRAM                    2523239 -
unix  3      [ ]         STREAM     CONNECTED     2523238 -
unix  3      [ ]         STREAM     CONNECTED     2523237 -
unix  2      [ ]         DGRAM                    1887500 5411/gconfd-2
unix  2      [ ]         DGRAM                    1464453 -
unix  2      [ ]         DGRAM                    5651    -
unix  2      [ ]         DGRAM                    5398    -
unix  3      [ ]         STREAM     CONNECTED     5382    -
unix  3      [ ]         STREAM     CONNECTED     5381    -
unix  2      [ ]         DGRAM                    5351    -
unix  2      [ ]         DGRAM                    5197    -
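The netstat output above contains the one line that matters: `tcp 0 1 192.168.0.1:1022 192.168.0.19:515 SYN_SENT`, a connection whose SYN left the firewall (the Send-Q of 1 is the unacknowledged SYN) and for which no SYN-ACK has come back. The parser below is an added example, not part of the post or of any project discussed here: it reads `netstat -an` style output, pulls out half-open outbound connections, and builds the tcpdump filter for the reply that is missing, which is the next thing to capture on the inside interface. The sample is an excerpt of the output posted above; the filter syntax and the interface name `eth1` are this example's own assumptions.

```python
"""Find half-open (SYN_SENT) connections in `netstat -an` output and
derive the capture filter for the missing reply.  Added example for this
thread, not code from the thread; the sample is an excerpt of the netstat
output posted above."""
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
tcp        0      1 192.168.0.1:1022        192.168.0.19:515        SYN_SENT    -
tcp6       0      0 ::ffff:192.168.0.1:22   ::ffff:192.168.0.2:1361 ESTABLISHED -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     5199   -                   /var/run/ndc
"""


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str        # "" for UDP, which has no state column
    send_q: int       # bytes queued and not yet acknowledged by the peer

    @staticmethod
    def split_addr(addr: str):
        host, _, port = addr.rpartition(":")   # IPv6 addresses contain ':' too
        return host, (int(port) if port.isdigit() else None)

    @property
    def local_port(self) -> Optional[int]:
        return self.split_addr(self.local)[1]

    @property
    def foreign_host(self) -> str:
        return self.split_addr(self.foreign)[0]

    @property
    def foreign_port(self) -> Optional[int]:
        return self.split_addr(self.foreign)[1]


def parse_netstat(text: str) -> List[Conn]:
    """Parse only the 'Active Internet connections' section."""
    conns = []
    for line in text.splitlines():
        if line.startswith("Active UNIX"):
            break                                  # stop at the unix socket table
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recv_q, send_q, local, foreign = parts[:5]
        state = parts[5] if proto.startswith("tcp") and len(parts) > 5 else ""
        conns.append(Conn(proto, local, foreign, state, int(send_q)))
    return conns


def half_open(conns: List[Conn]) -> List[Conn]:
    """Outbound connections whose SYN was sent but never answered."""
    return [c for c in conns if c.state == "SYN_SENT"]


def listening_ports(conns: List[Conn], proto: str = "tcp") -> Set[int]:
    return {c.local_port for c in conns
            if c.proto.startswith(proto) and c.state == "LISTEN" and c.local_port}


def reply_filter(c: Conn) -> str:
    """tcpdump filter for the SYN-ACK we expect back for a SYN_SENT socket."""
    lhost, lport = Conn.split_addr(c.local)
    return (f"tcp and src host {c.foreign_host} and src port {c.foreign_port} "
            f"and dst host {lhost} and dst port {lport}")


if __name__ == "__main__":
    for c in half_open(parse_netstat(SAMPLE_NETSTAT)):
        print(f"half-open: {c.local} -> {c.foreign} (Send-Q {c.send_q})")
        print(f"  capture with: tcpdump -ni eth1 '{reply_filter(c)}'")
```

Two outcomes are possible from that capture while a job is queued. If the SYN-ACK shows up on eth1 and the socket still sits in SYN_SENT, the firewall host is discarding the reply after it has reached the wire, and the place to look next is the INPUT path and its counters rather than the rules file. If nothing from 192.168.0.19 port 515 ever arrives, the print server is not answering and no Shorewall rule will change that.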
On Sat, 2005-01-08 at 21:36 -0500, Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 05:29:00PM -0900, John Andersen wrote:
>
> > But lpd is normally out of the picture once you install cups.
>
> But the URL I set in cups to print to the Netgear printserver is
> lpd://192.168.0.19/raw
>

Have you confirmed that Shorewall has anything whatsoever to do with
your printing problem? Try:

- shorewall clear
- try printing

Does printing work? If it does work then:

- shorewall start
- try printing
- shorewall status > /tmp/trace
- post the /tmp/trace file

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Jan 08, 2005 at 06:59:21PM -0800, Tom Eastep wrote:
> Have you confirmed that Shorewall has anything whatsoever to do with
> your printing problem? Try:
>
> - shorewall clear
> - try printing
>
> Does printing work?

Yes, already tried that. As I said, as soon as I stop shorewall, all of
the print jobs that were queued up begin printing immediately.

> If it does work then:
>
> - shorewall start
> - try printing
> - shorewall status > /tmp/trace
> - post the /tmp/trace file

Here you go:

Shorewall-2.0.13 Status at erikreuter - Sat Jan 8 22:06:55 EST 2005

Counters reset Sat Jan 8 22:06:31 EST 2005

Chain INPUT (policy DROP 6 packets, 2040 bytes)
 pkts bytes target     prot opt in     out     source               destination
  138 34786 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   172 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   30  7920 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    1   229 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  138 34786 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
   11   720 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    2   120 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropInvalid all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNotSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropInvalid all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNotSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  7196 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
   21  7136 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
    1    60 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    5   360 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    9   784 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   229 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    1   229 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:69
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33464
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:515
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   720 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:69
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33464
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    1   229 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   724 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:873
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:69
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33464
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain norfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctorigdst 172.16.0.0/12
    0     0 rfc1918    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctorigdst 192.168.0.0/16
    0     0 rfc1918    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctorigdst 10.0.0.0/8

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.255        0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       192.168.0.255        0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       192.168.0.255        0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0

Chain tcpflags (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 flags:0x16/0x02

Jan  8 21:33:58 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=39930 DF PROTO=TCP SPT=4358 DPT=6129 WINDOW=65520 RES=0x00 SYN URGP=0
Jan  8 21:33:58 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=39936 DF PROTO=TCP SPT=4816 DPT=3410 WINDOW=65520 RES=0x00 SYN URGP=0
Jan  8 21:33:58 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=39937 DF PROTO=TCP SPT=4861 DPT=5554 WINDOW=65520 RES=0x00 SYN URGP=0
Jan  8 21:33:58 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00
PREC=0x00 TTL=127 ID=39946 DF PROTO=TCP SPT=2861 DPT=1433 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:33:58 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=39947 DF PROTO=TCP SPT=2888 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=57453 DPT=53 LEN=51 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40673 DF PROTO=TCP SPT=4319 DPT=1025 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40675 DF PROTO=TCP SPT=4358 DPT=6129 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40680 DF PROTO=TCP SPT=4816 DPT=3410 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40681 DF PROTO=TCP SPT=4861 DPT=5554 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40692 DF PROTO=TCP SPT=2861 DPT=1433 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:01 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=40693 DF PROTO=TCP SPT=2888 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42101 DF PROTO=TCP SPT=4861 DPT=5554 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42102 DF PROTO=TCP SPT=4816 DPT=3410 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 
PREC=0x00 TTL=127 ID=42107 DF PROTO=TCP SPT=4358 DPT=6129 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42109 DF PROTO=TCP SPT=4319 DPT=1025 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42152 DF PROTO=TCP SPT=2888 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:34:07 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42153 DF PROTO=TCP SPT=2861 DPT=1433 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 21:39:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=57004 DPT=53 LEN=51 Jan 8 21:44:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=49188 DPT=53 LEN=51 NAT Table Chain PREROUTING (policy ACCEPT 2078 packets, 277K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 394 packets, 26114 bytes) pkts bytes target prot opt in out source destination 0 0 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 394 packets, 26114 bytes) pkts bytes target prot opt in out source destination Chain eth0_masq (1 references) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0 Mangle Table Chain PREROUTING (policy ACCEPT 109K packets, 29M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 101K packets, 23M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 7929 packets, 5308K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 82230 packets, 11M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 90159 packets, 16M bytes) pkts bytes target prot opt in out 
source destination udp 17 26 src=192.168.0.19 dst=192.168.0.255 sport=138 dport=138 packets=1 bytes=229 [UNREPLIED] src=192.168.0.255 dst=192.168.0.19 sport=138 dport=138 packets=0 bytes=0 use=1 tcp 6 9 TIME_WAIT src=24.225.153.172 dst=63.116.56.195 sport=46044 dport=110 packets=58 bytes=3080 src=63.116.56.195 dst=24.225.153.172 sport=110 dport=46044 packets=100 bytes=98292 [ASSURED] use=1 tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022 dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1 udp 17 179 src=24.225.153.172 dst=65.83.241.167 sport=35047 dport=53 packets=6 bytes=387 src=65.83.241.167 dst=24.225.153.172 sport=53 dport=35047 packets=6 bytes=580 [ASSURED] use=1 udp 17 28 src=10.0.0.1 dst=255.255.255.255 sport=67 dport=68 packets=722651 bytes=245779342 [UNREPLIED] src=255.255.255.255 dst=10.0.0.1 sport=68 dport=67 packets=0 bytes=0 use=1 tcp 6 424827 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1361 dport=22 packets=46 bytes=4376 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1361 packets=53 bytes=5037 [ASSURED] use=1 tcp 6 431841 ESTABLISHED src=192.168.0.6 dst=192.168.0.1 sport=4396 dport=22 packets=111301 bytes=10103583 src=192.168.0.1 dst=192.168.0.6 sport=22 dport=4396 packets=129386 bytes=16309605 [ASSURED] use=1 tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=46046 dport=631 packets=23 bytes=22650 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=46046 packets=21 bytes=1508 [ASSURED] use=1 tcp 6 29 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1023 dport=515 packets=1 bytes=60 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1023 packets=0 bytes=0 use=1 tcp 6 29 LAST_ACK src=209.68.2.91 dst=24.225.153.172 sport=2790 dport=25 packets=11 bytes=3737 src=24.225.153.172 dst=209.68.2.91 sport=25 dport=2790 packets=13 bytes=846 [ASSURED] use=1 tcp 6 430492 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1303 dport=22 packets=7310 bytes=666232 
src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1303 packets=8837 bytes=911081 [ASSURED] use=1 tcp 6 431873 ESTABLISHED src=192.168.0.6 dst=192.168.0.1 sport=4397 dport=22 packets=18811 bytes=1686055 src=192.168.0.1 dst=192.168.0.6 sport=22 dport=4397 packets=22092 bytes=3463177 [ASSURED] use=1 tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=46045 dport=631 packets=47 bytes=3075 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=46045 packets=47 bytes=7553 [ASSURED] use=1 tcp 6 428091 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1360 dport=22 packets=311 bytes=28288 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1360 packets=417 bytes=47905 [ASSURED] use=1 IP Configuration 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:a0:cc:52:ed:49 brd ff:ff:ff:ff:ff:ff inet 24.225.153.172/20 brd 255.255.255.255 scope global eth0 inet6 fe80::2a0:ccff:fe52:ed49/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:07:e9:17:84:86 brd ff:ff:ff:ff:ff:ff inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1 inet6 fe80::207:e9ff:fe17:8486/64 scope link valid_lft forever preferred_lft forever 4: sit0: <NOARP> mtu 1480 qdisc noop link/sit 0.0.0.0 brd 0.0.0.0 /proc /proc/sys/net/ipv4/ip_forward = 1 /proc/sys/net/ipv4/conf/all/proxy_arp = 0 /proc/sys/net/ipv4/conf/all/arp_filter = 0 /proc/sys/net/ipv4/conf/all/rp_filter = 1 /proc/sys/net/ipv4/conf/default/proxy_arp = 0 /proc/sys/net/ipv4/conf/default/arp_filter = 0 /proc/sys/net/ipv4/conf/default/rp_filter = 1 /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 /proc/sys/net/ipv4/conf/eth0/arp_filter = 0 /proc/sys/net/ipv4/conf/eth0/rp_filter = 1 /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0 /proc/sys/net/ipv4/conf/eth1/arp_filter 
= 0 /proc/sys/net/ipv4/conf/eth1/rp_filter = 0 /proc/sys/net/ipv4/conf/lo/proxy_arp = 0 /proc/sys/net/ipv4/conf/lo/arp_filter = 0 /proc/sys/net/ipv4/conf/lo/rp_filter = 0 Routing Rules 0: from all lookup local 32766: from all lookup main 32767: from all lookup default Table local: broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.1 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 broadcast 24.225.144.0 dev eth0 proto kernel scope link src 24.225.153.172 broadcast 24.225.159.255 dev eth0 proto kernel scope link src 24.225.153.172 local 24.225.153.172 dev eth0 proto kernel scope host src 24.225.153.172 local 192.168.0.1 dev eth1 proto kernel scope host src 192.168.0.1 broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.1 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 Table main: 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1 24.225.144.0/20 dev eth0 proto kernel scope link src 24.225.153.172 default via 24.225.144.1 dev eth0 Table default:
On Sat, Jan 08, 2005 at 06:06:46PM -0900, John Andersen wrote:

> If that's what your netgear manual says then it should be right.

I don't know if the netgear manual says to do that. I've been using it like that for over a year (when I first got it I read on the box that it supported lpd so I just tried and it worked).

> Does the netgear need a reboot?

No. As I said, as soon as I stop Shorewall, all of the print jobs that I queued up while Shorewall was running immediately begin printing.

> By golly you DO have lpd as well as cups listening. How odd! I've
> never seen them both run, as cups is meant to take over all functions
> of lpd. What happens if you close the local lpd?

I don't understand what you mean by "close the local lpd". Do you mean reject packets on 515? I currently have all ports open between fw <-> loc by my policy file.

> Does your printer.conf try to route print from cups back to your own
> lpr (all in the same machine), and then out to the Netgear?

I don't know. I just configured CUPS to print to lpd://192.168.0.19/raw a long time ago, and it worked fine until I installed Shorewall. It even worked with another firewall script that I had (poached from an old Red Hat installation) before I "upgraded" to Shorewall.
On Sat, 2005-01-08 at 22:09 -0500, Erik Reuter wrote:

> Here you go:

If you carefully followed my instructions, then the only instances where Shorewall is dropping or rejecting packets are these:

> Shorewall-2.0.13 Status at erikreuter - Sat Jan 8 22:06:55 EST 2005
>
> Counters reset Sat Jan 8 22:06:31 EST 2005
>
> Chain INPUT (policy DROP 6 packets, 2040 bytes)
> pkts bytes target prot opt in out source destination
> 138 34786 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 4 172 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

--------------------------------------------------------------------------------------------------------

Is the routing here symmetric? In other words, do replies FROM the print server go back through the router? The reason that I ask is:

tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022 dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1

This means that the firewall has seen the first packet in the three-way TCP handshake but has not seen any other packets.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
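Tom's reading of the conntrack entry (SYN_SENT plus [UNREPLIED] with packets=0 in the reply direction means the firewall host saw its own SYN leave and never saw a SYN-ACK come back) can be applied mechanically to a whole dump. The following is an added example, not code from the thread or from Shorewall: it parses entries in the 2.6-era /proc/net/ip_conntrack text format that the status output above uses and lists every TCP flow stuck in that half-open state. The sample entries are constructed from the shapes of lines in the dumps, and the field names (orig, reply, flags) are this example's own.

```python
"""Read ip_conntrack entries and flag TCP flows this host started but never saw answered.

Added example, not from the thread or from Shorewall. Assumes the 2.6-era
/proc/net/ip_conntrack text format used by the status dumps:
  <proto> <protonum> <timeout> [<tcp state>] <orig tuple> [UNREPLIED] <reply tuple> [ASSURED] use=<n>
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on entries in the thread's dumps (the SYN_SENT
# line is the one Tom quotes; the others show the udp / TIME_WAIT / ESTABLISHED shapes).
SAMPLE_CONNTRACK = """\
udp 17 26 src=192.168.0.19 dst=192.168.0.255 sport=138 dport=138 packets=1 bytes=229 [UNREPLIED] src=192.168.0.255 dst=192.168.0.19 sport=138 dport=138 packets=0 bytes=0 use=1
tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022 dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1
tcp 6 113 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=46046 dport=631 packets=23 bytes=22650 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=46046 packets=21 bytes=1508 [ASSURED] use=1
tcp 6 431841 ESTABLISHED src=192.168.0.6 dst=192.168.0.1 sport=4396 dport=22 packets=111301 bytes=10103583 src=192.168.0.1 dst=192.168.0.6 sport=22 dport=4396 packets=129386 bytes=16309605 [ASSURED] use=1
"""


@dataclass
class Flow:
    proto: str
    timeout: int              # seconds until the kernel forgets this entry
    state: Optional[str]      # TCP state; None for protocols without one
    orig: Dict[str, object] = field(default_factory=dict)   # tuple as first seen
    reply: Dict[str, object] = field(default_factory=dict)  # expected reply tuple
    flags: Set[str] = field(default_factory=set)            # UNREPLIED / ASSURED


def parse_conntrack_line(line: str) -> Flow:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])   # tokens[1] is the IP protocol number
    rest = tokens[3:]
    state = rest.pop(0) if proto == "tcp" else None
    flow = Flow(proto, timeout, state)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flow.flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            continue                              # kernel refcount, not part of either tuple
        # The original-direction tuple comes first; once a key repeats we have
        # crossed into the reply-direction tuple.
        target = flow.reply if key in flow.orig else flow.orig
        target[key] = int(value) if value.isdigit() else value
    return flow


def parse_conntrack(text: str) -> List[Flow]:
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def half_open_tcp(flows: List[Flow]) -> List[Flow]:
    """TCP entries where a SYN left this host and no packet ever came back."""
    return [f for f in flows
            if f.proto == "tcp" and f.state == "SYN_SENT" and "UNREPLIED" in f.flags]


def describe(flow: Flow) -> str:
    o = flow.orig
    return (f"{o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} SYN_SENT: "
            f"{o['packets']} packet(s) sent, {flow.reply['packets']} seen back, "
            f"entry expires in {flow.timeout}s")


if __name__ == "__main__":
    for f in half_open_tcp(parse_conntrack(SAMPLE_CONNTRACK)):
        print(describe(f))
```

On the thread's own data the one entry this reports is 192.168.0.1:1022 -> 192.168.0.19:515 with 2 packets and 120 bytes sent. Those numbers match the `2 120 ACCEPT tcp ... dpt:515` counter in the fw2loc chain of the same status dump, so the filter accepted both SYNs and the missing piece is the reply, which is exactly why the question is whether replies from the print server return by a path the firewall sees.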
On Sat, Jan 08, 2005 at 07:28:59PM -0800, Tom Eastep wrote:

> Is the routing here symmetric? In other words, do replies FROM the print
> server go back through the router? The reason that I ask is:
>
> tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022
> dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19
> dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1
>
> This means that the firewall has seen the first packet in the three-way
> TCP handshake but has not seen any other packets.

I don't understand your question about replies going back through the "router". Do you mean the firewall machine? The relevant part of my network looks like:

192.168.0.1 <--------------> 192.168.0.19 <--------> printer
   eth1                      Netgear PS101
   fw                        printserver
   CUPS server               lpd://192.168.0.19/raw
   CUPS/lp client

> If you carefully followed my instructions then, there is only only

Just in case, I followed your instructions again. Does it matter how long I wait between printing and running the shorewall status? It was only a few seconds...
[H[2JShorewall-2.0.13 Status at erikreuter - Sat Jan 8 22:34:21 EST 2005 Counters reset Sat Jan 8 22:34:09 EST 2005 Chain INPUT (policy DROP 1 packets, 92 bytes) pkts bytes target prot opt in out source destination 156 35722 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 128 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 16 5432 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 108 9780 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 156 35722 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 152 9600 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain Drop (1 references) pkts bytes target prot opt in out source destination 0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DropDNSrep (2 references) pkts 
bytes target prot opt in out source destination 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 Chain DropSMB (1 references) pkts bytes target prot opt in out source destination 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 Chain DropUPnP (2 references) pkts bytes target prot opt in out source destination 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 Chain Reject (4 references) pkts bytes target prot opt in out source destination 0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0 Chain RejectAuth (2 references) pkts bytes target prot opt in out source destination 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 Chain RejectSMB (1 references) pkts bytes target prot opt in out source destination 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 Chain all2all (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain dropBcast (2 references) pkts bytes target prot opt in out source destination 
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast Chain dropInvalid (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID Chain dropNotSyn (2 references) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 Chain dynamic (4 references) pkts bytes target prot opt in out source destination Chain eth0_fwd (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain eth0_in (1 references) pkts bytes target prot opt in out source destination 16 5432 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 16 5432 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68 0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 Chain eth1_fwd (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW 108 9780 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 108 9780 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fw2loc (1 references) pkts bytes target prot opt in out source destination 150 9480 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 
udp dpts:33434:33464 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fw2net (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain icmpdef (0 references) pkts bytes target prot opt in out source destination Chain loc2fw (1 references) pkts bytes target prot opt in out source destination 108 9780 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33464 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain loc2net (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain logflags (5 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2all (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain net2fw (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 
0.0.0.0/0 tcp dpt:873 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33464 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0 Chain norfc1918 (2 references) pkts bytes target prot opt in out source destination 0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12 0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16 0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0 0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8 Chain reject (11 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 DROP all -- * * 192.168.0.255 0.0.0.0/0 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain rfc1918 (6 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain shorewall (0 references) pkts bytes target prot opt in out source destination Chain smurfs (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 0 0 DROP all -- * * 
255.255.255.255 0.0.0.0/0 0 0 LOG all -- * * 192.168.0.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 0 0 DROP all -- * * 192.168.0.255 0.0.0.0/0 0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0 Chain tcpflags (4 references) pkts bytes target prot opt in out source destination 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02 Jan 8 22:08:02 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12259 DF PROTO=TCP SPT=2826 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12868 DF PROTO=TCP SPT=2658 DPT=1025 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12870 DF PROTO=TCP SPT=2678 DPT=6129 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12874 DF PROTO=TCP SPT=2724 DPT=3410 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12875 DF PROTO=TCP SPT=2751 DPT=5554 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12876 DF PROTO=TCP SPT=2816 DPT=1433 WINDOW=65520 RES=0x00 SYN URGP=0 Jan 8 22:08:05 
net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=12877 DF PROTO=TCP SPT=2826 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14102 DF PROTO=TCP SPT=2826 DPT=5000 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14103 DF PROTO=TCP SPT=2816 DPT=1433 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14104 DF PROTO=TCP SPT=2751 DPT=5554 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14105 DF PROTO=TCP SPT=2724 DPT=3410 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14109 DF PROTO=TCP SPT=2678 DPT=6129 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:08:11 net2all:DROP:IN=eth0 OUT= SRC=24.225.142.82 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14111 DF PROTO=TCP SPT=2658 DPT=1025 WINDOW=65520 RES=0x00 SYN URGP=0
Jan 8 22:16:32 net2all:DROP:IN=eth0 OUT= SRC=212.65.249.194 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=112 ID=59955 PROTO=UDP SPT=13463 DPT=1026 LEN=887
Jan 8 22:16:33 net2all:DROP:IN=eth0 OUT= SRC=212.61.158.35 DST=24.225.153.172 LEN=907 TOS=0x00 PREC=0x00 TTL=113 ID=61004 PROTO=UDP SPT=25444 DPT=1027 LEN=887
Jan 8 22:19:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=52368 DPT=53 LEN=51
Jan 8 22:24:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=53583 DPT=53 LEN=51
Jan 8 22:24:20 net2all:DROP:IN=eth0 OUT= SRC=210.207.243.194 DST=24.225.153.172 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=6589 DF PROTO=TCP SPT=3297 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 8 22:29:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=53963 DPT=53 LEN=51
Jan 8 22:29:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 PROTO=UDP SPT=52981 DPT=53 LEN=52

NAT Table

Chain PREROUTING (policy ACCEPT 2195 packets, 296K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 454 packets, 29934 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 454 packets, 29934 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.0.0/24       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 123K packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 116K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 7929 packets, 5308K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 96530 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 104K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination

udp 17 2 src=192.168.0.19 dst=192.168.0.255 sport=138 dport=138 packets=1 bytes=229 [UNREPLIED] src=192.168.0.255 dst=192.168.0.19 sport=138 dport=138 packets=0 bytes=0 use=1
tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022 dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1
udp 17 29 src=10.0.0.1 dst=255.255.255.255 sport=67 dport=68 packets=724646 bytes=246457738 [UNREPLIED] src=255.255.255.255 dst=10.0.0.1 sport=68 dport=67 packets=0 bytes=0 use=1
tcp 6 430381 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1361 dport=22 packets=47 bytes=4416 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1361 packets=54 bytes=5077 [ASSURED] use=1
tcp 6 431850 ESTABLISHED src=192.168.0.6 dst=192.168.0.1 sport=4396 dport=22 packets=119295 bytes=10833623 src=192.168.0.1 dst=192.168.0.6 sport=22 dport=4396 packets=139204 bytes=17331313 [ASSURED] use=1
udp 17 10 src=10.0.0.1 dst=255.255.255.255 sport=52774 dport=53 packets=1 bytes=71 [UNREPLIED] src=255.255.255.255 dst=10.0.0.1 sport=53 dport=52774 packets=0 bytes=0 use=1
tcp 6 32 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1023 dport=515 packets=1 bytes=60 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1023 packets=0 bytes=0 use=1
tcp 6 112 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=46070 dport=631 packets=31 bytes=23066 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=46070 packets=29 bytes=1924 [ASSURED] use=1
tcp 6 428846 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1303 dport=22 packets=7310 bytes=666232 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1303 packets=8837 bytes=911081 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.0.6 dst=192.168.0.1 sport=4397 dport=22 packets=20063 bytes=1798567 src=192.168.0.1 dst=192.168.0.6 sport=22 dport=4397 packets=23560 bytes=3640737 [ASSURED] use=1
tcp 6 426445 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1360 dport=22 packets=311 bytes=28288 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1360 packets=417 bytes=47905 [ASSURED] use=1
tcp 6 112 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=46069 dport=631 packets=49 bytes=3179 src=127.0.0.1 dst=127.0.0.1 sport=631 dport=46069 packets=47 bytes=7553 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:52:ed:49 brd ff:ff:ff:ff:ff:ff
    inet 24.225.153.172/20 brd 255.255.255.255 scope global eth0
    inet6 fe80::2a0:ccff:fe52:ed49/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:07:e9:17:84:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::207:e9ff:fe17:8486/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table local:

broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 24.225.144.0 dev eth0 proto kernel scope link src 24.225.153.172
broadcast 24.225.159.255 dev eth0 proto kernel scope link src 24.225.153.172
local 24.225.153.172 dev eth0 proto kernel scope host src 24.225.153.172
local 192.168.0.1 dev eth1 proto kernel scope host src 192.168.0.1
broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
24.225.144.0/20 dev eth0 proto kernel scope link src 24.225.153.172
default via 24.225.144.1 dev eth0

Table default:
Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 07:28:59PM -0800, Tom Eastep wrote:
>
>> Is the routing here symmetric? In other words, do replies FROM the print
>> server go back through the router? The reason that I ask is:
>>
>> tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022
>> dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19
>> dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1
>>
>> This means that the firewall has seen the first packet in the three-way
>> TCP handshake but has not seen any other packets.
>
> I don't understand your question about replies going back through the
> "router". Do you mean the firewall machine?
>
> The relevant part of my network looks like:
>
> 192.168.0.1 <--------------> 192.168.0.19 <--------> printer
>    eth1                      Netgear PS101
>    fw                        printserver
>    CUPS server               lpd://192.168.0.19/raw
>    CUPS/lp client
>

Ok -- your print server is broken -- there is a report about this on the
Netfilter mailing list. The print server is replying to the SYN packet
with a SYN+ACK+PSH or some similar nonsense. Any sane stateful firewall
will not accept that as a valid response.

You can:

a) Try upgrading to Shorewall 2.2.0-RC4; it has different treatment of
nonsense packets like that; or

b) Place this in your /etc/shorewall/start file:

run_iptables -D INPUT 2

Be sure you remove that when you upgrade to 2.2.0 or you will delete a
rule that you don't intend to delete.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
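Tom's reading of that conntrack entry, worked out as an added example (this is not code from Shorewall or from either poster): the parser below takes /proc/net/ip_conntrack lines in the layout shown in Erik's dump and reports TCP entries that are still in SYN_SENT with the [UNREPLIED] flag, meaning the firewall sent a SYN (packets=2 on the original side is consistent with a retransmitted SYN) and conntrack never matched a valid reply to it. The three sample lines are copied from the dump above. The field layout the parser assumes (protocol name, protocol number, timeout, TCP state for tcp only, original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED]) is an assumption about the 2.6-era ip_conntrack text format; a different format would need the regular expression adjusted.

```python
import re

# Constructed sample: three entries copied from the conntrack dump in the
# thread above. The first one is the half-open LPD connection Tom points at.
SAMPLE_CONNTRACK = """\
tcp 6 119 SYN_SENT src=192.168.0.1 dst=192.168.0.19 sport=1022 dport=515 packets=2 bytes=120 [UNREPLIED] src=192.168.0.19 dst=192.168.0.1 sport=515 dport=1022 packets=0 bytes=0 use=1
udp 17 2 src=192.168.0.19 dst=192.168.0.255 sport=138 dport=138 packets=1 bytes=229 [UNREPLIED] src=192.168.0.255 dst=192.168.0.19 sport=138 dport=138 packets=0 bytes=0 use=1
tcp 6 430381 ESTABLISHED src=192.168.0.207 dst=192.168.0.1 sport=1361 dport=22 packets=47 bytes=4416 src=192.168.0.1 dst=192.168.0.207 sport=22 dport=1361 packets=54 bytes=5077 [ASSURED] use=1
"""

# Each entry carries two of these: the original-direction tuple and the
# reply tuple conntrack expects to see (layout assumed from the dump).
TUPLE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+) "
    r"packets=(?P<packets>\d+) bytes=(?P<bytes>\d+)"
)


def tuple_fields(match):
    """Turn one TUPLE_RE match into a dict with numeric fields as ints."""
    fields = match.groupdict()
    for key in ("sport", "dport", "packets", "bytes"):
        fields[key] = int(fields[key])
    return fields


def parse_entry(line):
    """Parse one ip_conntrack line into a dict.

    Assumed layout: proto, proto number, timeout (seconds), TCP state for
    tcp only, original tuple, optional [UNREPLIED], reply tuple, optional
    [ASSURED], use=N.
    """
    tokens = line.split()
    proto = tokens[0]
    entry = {
        "proto": proto,
        "timeout": int(tokens[2]),
        "state": tokens[3] if proto == "tcp" else None,
        "flags": {t.strip("[]") for t in tokens if t.startswith("[")},
    }
    tuples = [tuple_fields(m) for m in TUPLE_RE.finditer(line)]
    if len(tuples) != 2:
        raise ValueError("unexpected conntrack line: %r" % line)
    entry["orig"], entry["reply"] = tuples
    return entry


def half_open_flows(dump):
    """TCP flows where conntrack saw our SYN but never a reply it accepted.

    A SYN_SENT entry flagged [UNREPLIED] with the reply counter still at
    zero means the peer's answer, if there was one, never became part of
    the connection: it was not sent, it took another path, or conntrack
    judged it INVALID (as with the SYN+ACK+PSH Tom describes). A bare
    'state INVALID' DROP rule then discards it without logging anything.
    """
    found = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if (entry["proto"] == "tcp" and entry["state"] == "SYN_SENT"
                and "UNREPLIED" in entry["flags"]):
            found.append(entry)
    return found


def describe(entry):
    """One-line summary of a half-open entry for a troubleshooting report."""
    orig, reply = entry["orig"], entry["reply"]
    return ("%s:%d -> %s:%d %s, %d packet(s) sent, %d reply packet(s) seen, "
            "entry expires in %ds" % (orig["src"], orig["sport"], orig["dst"],
                                     orig["dport"], entry["state"],
                                     orig["packets"], reply["packets"],
                                     entry["timeout"]))


if __name__ == "__main__":
    # On the firewall itself: half_open_flows(open("/proc/net/ip_conntrack").read())
    for flow in half_open_flows(SAMPLE_CONNTRACK):
        print(describe(flow))
```

Run against the live table on the firewall while a print job is queued, the interesting line is the one whose original-side packet counter keeps climbing while the reply side stays at zero; that is what distinguishes "the reply never reached this box" (check routing, as Tom first asked) from "the reply arrived but conntrack refused it", which the Shorewall log cannot show because the INVALID rule has no LOG in front of it.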
Tom Eastep wrote:
> Erik Reuter wrote:
>
>> The relevant part of my network looks like:
>>
>> 192.168.0.1 <--------------> 192.168.0.19 <--------> printer
>>    eth1                      Netgear PS101
>>    fw                        printserver
>>    CUPS server               lpd://192.168.0.19/raw
>>    CUPS/lp client
>>
>
> Ok -- your print server is broken -- there is a report about this on the
> Netfilter mailing list. The print server is replying to the SYN packet
> with a SYN+ACK+PSH or some similar nonsense. Any Sane stateful firewall
> will not accept that as a valid response.
>
> You can:
>
> a) Try upgrading to Shorewall 2.2.0-RC4; it has different treatment of
> nonsense packets like that;

If you try this, be sure to set:

DROPINVALID=No

in shorewall.conf

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 07:47:35PM -0800, Tom Eastep wrote:
>
>> Ok -- your print server is broken -- there is a report about this on the
>> Netfilter mailing list. The print server is replying to the SYN packet
>> with a SYN+ACK+PSH or some similar nonsense. Any Sane stateful firewall
>> will not accept that as a valid response.
>>
>> a) Try upgrading to Shorewall 2.2.0-RC4; it has different treatment of
>> nonsense packets like that; or
>
> Tried that earlier today, it didn't help. By the way, do you know if
> there is a .deb somewhere of 2.2.0-RC4? I couldn't find a .deb so I used
> alien to convert an RPM to a .deb.
>
>> b) Place this in your /etc/shorewall/start file:
>>
>> run_iptables -D INPUT 2
>
> Did that. Then shorewall clear and then shorewall start. Then I tried
> printing again. Nothing until I did a shorewall clear, then printing
> started.
>

<lot of stuff deleted>

> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   138 34786 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>    10   445 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>

It looks like you also have to have:

run_iptables -D OUTPUT 2

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
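The "2" in `run_iptables -D OUTPUT 2` is positional, which is why Tom warns that the lines must come out again before an upgrade: if the chain layout changes, the same number deletes some other rule. As an added example (not Shorewall's code and not from either poster), the script below reads an `iptables -L -v -n` listing of the kind Erik posted, finds every bare DROP rule whose match is `state INVALID`, and emits the run_iptables lines with the rule numbers computed from the listing instead of typed in. The OUTPUT chain in the sample is the one posted above; the INPUT and FORWARD chains are constructed for the example, FORWARD deliberately with an extra rule in front so that its INVALID rule is not number 2. The column order (pkts bytes target prot opt in out source destination, then the match text) is the standard `iptables -L -v -n` layout; counters abbreviated with K/M/G suffixes, as in the dump above, are expanded.

```python
import re

# Constructed sample listing. OUTPUT is the chain Erik posted; INPUT is
# assumed to have the same shape; FORWARD is invented with a LOG rule in
# front so its INVALID rule sits at position 3, not 2.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 41230 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10   445 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:'
  12K  960K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    7   336 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  138 34786 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   10   445 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)")


def parse_count(text):
    """iptables -v abbreviates large counters as 123K, 31M, 2G."""
    scale = {"K": 1000, "M": 1000000, "G": 1000000000}
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


def parse_listing(listing):
    """Return {chain: [rule, ...]}; 'num' is the 1-based index iptables -D uses."""
    chains = {}
    current = None
    for line in listing.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or not parts or parts[0] == "pkts":
            continue  # blank line or the column-title line
        chains[current].append({
            "num": len(chains[current]) + 1,
            "pkts": parse_count(parts[0]),
            "bytes": parse_count(parts[1]),
            "target": parts[2],
            "prot": parts[3],
            "in": parts[5],
            "out": parts[6],
            "source": parts[7],
            "destination": parts[8],
            "extra": " ".join(parts[9:]),  # match text, e.g. 'state INVALID'
        })
    return chains


def invalid_drop_rules(chains):
    """(chain, rule number, packets already dropped) for each bare INVALID DROP."""
    hits = []
    for chain, rules in chains.items():
        for rule in rules:
            if rule["target"] == "DROP" and "state INVALID" in rule["extra"]:
                hits.append((chain, rule["num"], rule["pkts"]))
    return hits


def workaround_lines(chains):
    """The /etc/shorewall/start lines from the thread, with numbers computed."""
    return ["run_iptables -D %s %d" % (chain, num)
            for chain, num, _ in invalid_drop_rules(chains)]


if __name__ == "__main__":
    # On the firewall: parse_listing(subprocess.check_output(
    #     ["iptables", "-L", "-v", "-n"]).decode())
    table = parse_listing(SAMPLE_LISTING)
    for chain, num, dropped in invalid_drop_rules(table):
        print("%s rule %d: %d packet(s) dropped as INVALID, unlogged" % (chain, num, dropped))
    for line in workaround_lines(table):
        print(line)
```

Two things worth taking from the output. First, the counters: the OUTPUT rule Erik posted had already matched 10 packets while the Shorewall log showed nothing, because that rule is a plain DROP with no LOG in front of it, which is exactly why "no rejected packets in the log" was misleading here. Second, `iptables -L OUTPUT -v -n --line-numbers` will print the same rule numbers directly; computing them from the listing only matters when the number is about to be baked into a start script, and even then deleting by the rule's own match and target rather than by position is the more robust form.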
On Sat, Jan 08, 2005 at 08:19:18PM -0800, Tom Eastep wrote:
>
> It looks like you also have to have:
>
> run_iptables -D OUTPUT 2

Ah, that did the trick. Printing is working fine now. Thanks for the help!

--
Erik Reuter http://www.erikreuter.net/
Erik Reuter wrote:
> On Sat, Jan 08, 2005 at 08:19:18PM -0800, Tom Eastep wrote:
>
>> It looks like you also have to have:
>>
>> run_iptables -D OUTPUT 2
>
> Ah, that did the trick. Printing is working fine now. Thanks for the
> help!
>

You are welcome. Please report the print server problem to Netgear -- this
won't get fixed until people like you who have bought the device complain
to them...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key