Hi there,

Probably setting me up for the anger of the wizzes here, but can't get this
trivia figured out:

In /etc/shorewall/rules things read either

IMAP/ACCEPT net $FW

or

ACCEPT net $FW tcp 993

but in both cases I end up with log entries like this:

Jun 5 12:34:46 morannon kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:40:63:ca:c3:ca:00:0b:23:34:d2:17:08:00 SRC=131.215.35.27 DST=68.127.241.203 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22182 DF PROTO=TCP SPT=46958 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0

What am I missing here? Thanks for any nudge in the right direction.

Joh
> Jun 5 12:34:46 morannon kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
> MAC=00:40:63:ca:c3:ca:00:0b:23:34:d2:17:08:00 SRC=131.215.35.27
> DST=68.127.241.203 LEN=60 TOS=0x00 PREC=0x00
> TTL=50 ID=22182 DF PROTO=TCP SPT=46958 DPT=993 WINDOW=5840 RES=0x00 SYN
> URGP=0

Do you have the following line in your policy file?

$FW net ACCEPT
Johannes Graumann wrote:
> Hi there,
>
> Probably setting me up for the anger of the wizzes here, but can't get this
> trivia figured out:
>
> In /etc/shorewall/rules things read either
>
> IMAP/ACCEPT net $FW
>
> or
>
> ACCEPT net $FW tcp 993
>
> but in both cases I end up with log entries like this:
>
> Jun 5 12:34:46 morannon kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
> MAC=00:40:63:ca:c3:ca:00:0b:23:34:d2:17:08:00 SRC=131.215.35.27
> DST=68.127.241.203 LEN=60 TOS=0x00 PREC=0x00
> TTL=50 ID=22182 DF PROTO=TCP SPT=46958 DPT=993 WINDOW=5840 RES=0x00 SYN
> URGP=0
>
> What am I missing here? Thanks for any nudge into the right direction.
>

Is 'eth1' your 'net' interface?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Johannes Graumann wrote:
>> Hi there,
>>
>> Probably setting me up for the anger of the wizzes here, but can't get this
>> trivia figured out:
>>
>> In /etc/shorewall/rules things read either
>>
>> IMAP/ACCEPT net $FW
>>
>> or
>>
>> ACCEPT net $FW tcp 993
>>
>> but in both cases I end up with log entries like this:
>>
>> Jun 5 12:34:46 morannon kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
>> MAC=00:40:63:ca:c3:ca:00:0b:23:34:d2:17:08:00 SRC=131.215.35.27
>> DST=68.127.241.203 LEN=60 TOS=0x00 PREC=0x00
>> TTL=50 ID=22182 DF PROTO=TCP SPT=46958 DPT=993 WINDOW=5840 RES=0x00 SYN
>> URGP=0
>>
>> What am I missing here? Thanks for any nudge into the right direction.
>>
>
> Is 'eth1' your 'net' interface?
>

Never mind -- that was a silly question (the fact that the packets are being
dropped in 'net2all' indicates that eth1 is the 'net' interface). I think we
would like to see a "shorewall dump" obtained as described at
http://www.shorewall.net/support.htm. Something doesn't make sense here...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Daniel Czarnecki wrote:
> Do you have the following line in your policy file?
>
> $FW net ACCEPT

Yes, why?

Joh
>> Do you have the following line in your policy file?
>>
>> $FW net ACCEPT
>
> Yes, why?

It looked as if the policies were not allowing traffic to flow from the
firewall to the internet. The outgoing data for an IMAP connection does not
go out on the same port as the connection was made. It's a random port, so to
enable the firewall to send data back it needs to be told it's ok to send out
data to the internet from the firewall.
Daniel Czarnecki wrote:
>>> Do you have the following line in your policy file?
>>>
>>> $FW net ACCEPT
>> Yes, why?
>
> It looked as if the policies were not allowing traffic to flow from
> the firewall to the internet. The outgoing data for an IMAP
> connection does not go out on the same port as the connection was
> made. It's a random port, so to enable the firewall to send data back
> it needs to be told it's ok to send out data to the internet from the
> firewall.
>

According to the OP, the packet that is being rejected is not a response
packet -- it is the original SYN packet from the client to the server.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
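The two points made in the thread (the chain name net2all shows the packet fell through to the net->all policy rather than matching a rule, and the SYN flag without ACK shows it is the client's initial connection attempt rather than reply traffic) can both be read straight off the kernel log line. The following Python is an added example, not code from the thread or from the Shorewall project: it parses Shorewall's "Shorewall:<chain>:<disposition>:" prefix and the netfilter key=value fields, and reports what kind of packet was dropped and by which zone pair's chain. The sample input is constructed; its first line is the entry posted above (with the line-wrapped "T TL=" joined back to "TTL=") and its second is a made-up firewall-to-net reply segment for contrast. The "<srczone>2<dstzone>" chain-name split is an assumption that holds for the usual zone names.

```python
import re

# Constructed sample input: line 1 is the entry quoted in the thread, line 2 is
# a made-up fw->net reply segment (ACK, no SYN) so both kinds are exercised.
SAMPLE_LOG = """\
Jun 5 12:34:46 morannon kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:40:63:ca:c3:ca:00:0b:23:34:d2:17:08:00 SRC=131.215.35.27 DST=68.127.241.203 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22182 DF PROTO=TCP SPT=46958 DPT=993 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 5 12:35:01 morannon kernel: Shorewall:fw2net:DROP:IN= OUT=eth1 SRC=68.127.241.203 DST=131.215.35.27 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=993 DPT=46958 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Shorewall prefixes the kernel's netfilter fields with "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
# Assumption: rule/policy chains are named "<srczone>2<dstzone>" (net2all, fw2net, ...).
ZONE_CHAIN_RE = re.compile(r"^(?P<src>[A-Za-z]\w*?)2(?P<dst>[A-Za-z]\w*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_line(line):
    """Split one Shorewall kernel log line into a dict of netfilter fields.

    key=value tokens become entries (an empty OUT= stays ""), bare TCP flag
    words go into "flags", other bare words such as DF into "options".
    Returns None for lines that carry no Shorewall prefix.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"),
           "flags": set(), "options": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec["options"].add(tok)
    return rec


def classify(rec):
    """Say what kind of packet was logged and which zone pair's chain handled it."""
    flags = rec["flags"]
    if rec.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
        kind = "new connection attempt (initial SYN)"
    elif rec.get("PROTO") == "TCP":
        kind = "established-stream segment (not an initial SYN)"
    else:
        kind = "non-TCP packet"
    zm = ZONE_CHAIN_RE.match(rec["chain"])
    src_zone = zm.group("src") if zm else None
    dst_zone = zm.group("dst") if zm else None
    # A <zone>2all chain is that zone's policy chain: a packet logged there
    # matched nothing in /etc/shorewall/rules and was handled by the policy.
    hit_policy = dst_zone == "all"
    return {"kind": kind, "src_zone": src_zone, "dst_zone": dst_zone,
            "hit_policy": hit_policy, "disposition": rec["disposition"],
            "dport": rec.get("DPT")}


def summarize(log_text):
    """Classify every Shorewall line in a block of syslog text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            results.append(classify(rec))
    return results


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LOG):
        print(verdict)
```

Run against the thread's line, the verdict is a net->all policy DROP of an initial SYN to port 993, which is exactly the combination that should not occur when an ACCEPT net $FW tcp 993 rule is loaded; the second (constructed) line, by contrast, is mid-stream reply traffic in a fw2net chain, which is the case the $FW net ACCEPT policy question was about.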
Tom Eastep wrote:
> Never mind -- that was a silly question (the fact that the packets are
> being dropped in 'net2all' indicates that eth1 is the 'net' interface).
> I think we would like to see a "shorewall dump" obtained as described at
> http://www.shorewall.net/support.htm. Something doesn't make sense here...

Tom, after a nightly powercycle shorewall now seems to behave as expected ... strange.

Joh