hi,

i have a strange situation. i try to connect to my machine with ssh and
the packets are dropped but i have at the top of my rules an accept.

the configuration looks like:

rules-file:
-----------
ACCEPT  net  fw  tcp  22  -

TCPDUMP-log:
------------
12:16:08.153934 84.153.98.30.1322 > [my-destination-machine].ssh: S
3717288415:3717288415(0) win 64240 <mss 1412,nop,nop,sackOK> (DF) [tos 0x10]

SYSLOG-log:
-----------
Mar 4 12:16:08 [kernel] Shorewall:logdrop:DROP:IN=ppp0 OUT= MAC= SRC=84.153.98.30 DST=[my-destination-machine] LEN=48 TOS=0x10 PREC=0x00 TTL=125 ID=59988 DF PROTO=TCP SPT=1322 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

i can connect from another machine without any problems and the rule does
not restrict the access to any machine. it seems that the rule is not
matching the packets from my machine at home.

any ideas?

claus
is ppp0 member of the "net" zone?

Jan

Claus Rosenberger wrote:
> hi,
>
> i have a strange situation. i try to connect to my machine with ssh and
> the packets are dropped but i have at the top of my rules an accept.
>
> the configuration looks like:
>
> rules-file:
> -----------
> ACCEPT  net  fw  tcp  22  -
>
> TCPDUMP-log:
> ------------
> 12:16:08.153934 84.153.98.30.1322 > [my-destination-machine].ssh: S
> 3717288415:3717288415(0) win 64240 <mss 1412,nop,nop,sackOK> (DF) [tos 0x10]
>
> SYSLOG-log:
> -----------
> Mar 4 12:16:08 [kernel] Shorewall:logdrop:DROP:IN=ppp0 OUT= MAC= SRC=84.153.98.30 DST=[my-destination-machine] LEN=48 TOS=0x10 PREC=0x00 TTL=125 ID=59988 DF PROTO=TCP SPT=1322 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
>
> i can connect from another machine without any problems and the rule does
> not restrict the access to any machine. it seems that the rule is not
> matching the packets from my machine at home.
>
> any ideas?
>
> claus
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
yes, that's part of the zone-file:
---------------------------------
net     ppp0:0.0.0.0/0

> is ppp0 member of the "net" zone?
>
> Jan
>
> Claus Rosenberger wrote:
>> hi,
>>
>> i have a strange situation. i try to connect to my machine with ssh and
>> the packets are dropped but i have at the top of my rules an accept.
>>
>> [original post quoted in full above]
>
i guess something different: which version of shorewall do you use?
do you use the nobogons option in the interfaces file?
If yes:
can you please post rfc1918 / bogons files located in /usr/share/shorewall/ in
case that your shorewall is a bit older...

Alex

On Friday 04 March 2005 12:39, Claus Rosenberger wrote:
> yes, that's part of the zone-file:
> ---------------------------------
> net     ppp0:0.0.0.0/0
>
> > is ppp0 member of the "net" zone?
> >
> > Jan
> >
> > Claus Rosenberger wrote:
> >> hi,
> >>
> >> i have a strange situation. i try to connect to my machine with ssh and
> >> the packets are dropped but i have at the top of my rules an accept.
> >>
> >> [original post quoted in full above]

-- 
Alexander Wilms
alex.wilms@adminguru.org
ICQ#: 3724018
http://www.adminguru.org

Evolution (n): A hypothetical process whereby infinitely improbable events
occur with alarming frequency, order arises from chaos, and no one is given
credit.
> i guess something different: which version of shorewall do you use?

1.4.7-RC2

> do you use the nobogons option in the interfaces file?

interfaces-file
---------------
net     ppp0    detect          tcpflags,blacklist,norfc1918
loc     eth1    10.30.0.0/24

> If yes:
> can you please post rfc1918 / bogons files located in
> /usr/share/shorewall/ in
> case that your shorewall is a bit older...
>
> Alex
>
rfc1918-file in /etc/shorewall:
-------------------------------
169.254.0.0/16  DROP     # DHCP autoconfig
172.16.0.0/12   logdrop  # RFC 1918
192.0.2.0/24    logdrop  # Example addresses (RFC 3330)
192.168.0.0/16  logdrop  # RFC 1918
#
0.0.0.0/7       logdrop  # Reserved
2.0.0.0/8       logdrop  # Reserved
5.0.0.0/8       logdrop  # Reserved
7.0.0.0/8       logdrop  # Reserved
10.0.0.0/8      logdrop  # Reserved
23.0.0.0/8      logdrop  # Reserved
27.0.0.0/8      logdrop  # Reserved
31.0.0.0/8      logdrop  # Reserved
36.0.0.0/7      logdrop  # Reserved
39.0.0.0/8      logdrop  # Reserved
41.0.0.0/8      logdrop  # Reserved
42.0.0.0/8      logdrop  # Reserved
49.0.0.0/8      logdrop  # JTC - Returned to IANA Mar 98
50.0.0.0/8      logdrop  # JTC - Returned to IANA Mar 98
58.0.0.0/7      logdrop  # Reserved
70.0.0.0/7      logdrop  # Reserved
72.0.0.0/5      logdrop  # Reserved
83.0.0.0/8      logdrop  # Reserved
84.0.0.0/6      logdrop  # Reserved
88.0.0.0/5      logdrop  # Reserved
96.0.0.0/3      logdrop  # Reserved
127.0.0.0/8     logdrop  # Loopback
197.0.0.0/8     logdrop  # Reserved
198.18.0.0/15   logdrop  # Reserved
223.0.0.0/8     logdrop  # Reserved - Returned by APNIC in 2003
240.0.0.0/4     logdrop  # Reserved
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Claus Rosenberger wrote on 04/03/2005 09:24:57:
> > i guess something different: which version of shorewall do you use?
>
> 1.4.7-RC2
>

please, upgrade to 2.2 or 2.0 - version 1.4 is no longer supported. :-(

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
:( ok, i will do that, thx

> Claus Rosenberger wrote on 04/03/2005 09:24:57:
>
>> > i guess something different: which version of shorewall do you use?
>>
>> 1.4.7-RC2
>>
> please, upgrade to 2.2 or 2.0 - version 1.4 is no longer supported. :-(
>
wise idea, because this line

84.0.0.0/6      logdrop  # Reserved

of the rfc1918 file was the cause. just outdated. this netblock got assigned
to german telekom in 2004

Alex

On Friday 04 March 2005 13:33, Claus Rosenberger wrote:
> :( ok, i will do that, thx
>
> > Claus Rosenberger wrote on 04/03/2005 09:24:57:
> >> > i guess something different: which version of shorewall do you use?
> >>
> >> 1.4.7-RC2
> >
> > please, upgrade to 2.2 or 2.0 - version 1.4 is no longer supported. :-(

-- 
Alexander Wilms
alex.wilms@adminguru.org
ICQ#: 3724018
http://www.adminguru.org
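The diagnosis above (a stale "Reserved" netblock in the rfc1918 file catching a legitimately assigned source address) can be reproduced mechanically: parse the rfc1918/bogons file, pull SRC out of the Shorewall logdrop line, and list every entry whose netblock covers it. The script below is an added example, not code from the thread or from Shorewall; it assumes the three-column SUBNET/TARGET/comment layout shown in Claus's rfc1918 file and the standard netfilter KEY=value log format, and both the file excerpt and the log line embedded in it are constructed (the DST address is a documentation address standing in for the redacted machine).

```python
import ipaddress

# Constructed excerpt of the rfc1918 file posted in the thread (the full file
# lists many more netblocks); columns are SUBNET, TARGET, optional comment.
RFC1918_FILE = """\
169.254.0.0/16  DROP     # DHCP autoconfig
172.16.0.0/12   logdrop  # RFC 1918
192.168.0.0/16  logdrop  # RFC 1918
#
83.0.0.0/8      logdrop  # Reserved
84.0.0.0/6      logdrop  # Reserved
88.0.0.0/5      logdrop  # Reserved
127.0.0.0/8     logdrop  # Loopback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed kernel log line in the same shape as the one posted in the thread
# (DST is a placeholder documentation address, not the poster's real host).
LOG_LINE = ("Mar 4 12:16:08 [kernel] Shorewall:logdrop:DROP:IN=ppp0 OUT= MAC= "
            "SRC=84.153.98.30 DST=192.0.2.1 LEN=48 TOS=0x10 PREC=0x00 TTL=125 "
            "ID=59988 DF PROTO=TCP SPT=1322 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0")


def parse_rfc1918(text):
    """Parse a Shorewall rfc1918/bogons file into (network, target, comment) tuples.

    Blank lines, comment-only lines and the trailing LAST LINE marker are skipped.
    """
    entries = []
    for raw in text.splitlines():
        code, _, comment = raw.partition("#")
        fields = code.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        network = ipaddress.ip_network(fields[0], strict=False)
        entries.append((network, fields[1], comment.strip()))
    return entries


def log_field(line, key):
    """Extract the value of KEY=value from a netfilter LOG line (None if absent).

    Empty values such as 'OUT=' and 'MAC=' come back as the empty string.
    """
    for token in line.split():
        k, sep, v = token.partition("=")
        if sep and k == key:
            return v
    return None


def bogon_matches(entries, src):
    """Return every rfc1918 entry whose netblock covers src, in file order."""
    addr = ipaddress.ip_address(src)
    return [(str(net), target, comment)
            for net, target, comment in entries if addr in net]


def explain_drop(rfc1918_text, log_line):
    """Name the rfc1918 entries that caught the logged packet's source address.

    An empty list means the bogon list is not what dropped the packet and the
    search should move on (for example to the blacklist, as suggested later
    in the thread).
    """
    src = log_field(log_line, "SRC")
    return bogon_matches(parse_rfc1918(rfc1918_text), src)


if __name__ == "__main__":
    for net, target, comment in explain_drop(RFC1918_FILE, LOG_LINE):
        print(f"SRC matched {net} -> {target} ({comment}); "
              f"verify that this block is still unassigned before keeping it")
```

Run against the constructed inputs it reports the single offending entry, 84.0.0.0/6 logdrop (Reserved). The same check, pointed at the real /etc/shorewall/rfc1918 and a live logdrop line, is the first thing to run whenever norfc1918 or nobogons is enabled and a peer from a recently allocated block is unexpectedly dropped; address space marked "Reserved" in a file shipped years earlier is no longer trustworthy.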
On Friday 04 March 2005 3:22 am, Claus Rosenberger wrote:
> hi,
>
> i have a strange situation. i try to connect to my machine with ssh and
> the packets are dropped but i have at the top of my rules an accept.
>
> the configuration looks like:
>
> rules-file:
> -----------
> ACCEPT  net  fw  tcp  22  -
>
> TCPDUMP-log:
> ------------
> 12:16:08.153934 84.153.98.30.1322 > [my-destination-machine].ssh: S
> 3717288415:3717288415(0) win 64240 <mss 1412,nop,nop,sackOK> (DF) [tos 0x10]
>
> SYSLOG-log:
> -----------
> Mar 4 12:16:08 [kernel] Shorewall:logdrop:DROP:IN=ppp0 OUT= MAC= SRC=84.153.98.30 DST=[my-destination-machine] LEN=48 TOS=0x10 PREC=0x00 TTL=125 ID=59988 DF PROTO=TCP SPT=1322 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

Check your blacklist. Dollar to a donut you've blacklisted 84.153.98.30 somehow.

> i can connect from another machine without any problems and the rule does
> not restrict the access to any machine. it seems that the rule is not
> matching the packets from my machine at home.
>
> any ideas?
>
> claus

-- 
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com