I have Shorewall 2.2.1 on a machine with four Ethernet interfaces and LAN networks 10.0.X.0.

Having noticed that Shorewall was logging rejected attempts by the two Microsoft Windows servers in the LAN 10.0.0.0 to access the time service on port 123 at IP addresses within the 169.254.0.0 network range, I set up monitoring of the packet traffic on each interface with Ethereal on the firewall.

While Shorewall was logging packets supposedly sourced by either one of the Windows servers and supposedly to be sent to 169.254.2.2, none of the packets logged with Ethereal on the four firewall interfaces contained the above value as its destination address. The time service traffic was all to legitimate destination servers. Ethereal packet logging on one of the servers confirmed that none of the packets on port 123 had the above as its destination address.

I am not sure what I am actually witnessing here.
Any idea how to discover where those packets come from?

Thanks,
Costantino
Costantino wrote:
> I am not sure what I am actually witnessing here.
> Any idea how to discover where those packets come from?

Do the log messages indicate that the IN= interface is the interface to your LAN?

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
The IN= interface is the LAN where the Windows servers are. The weird thing is that the OUT= interface is that of another LAN, not the Internet one.

Costantino.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 06 July 2006 15:47
To: Shorewall Users
Subject: Re: [Shorewall-users] weird issue with time service port
Costantino wrote:
> The IN= interface is the LAN where the Windows servers are.
> The weird is the OUT= interface is that of another
> LAN, not the Internet one.

I think it's time to see the output of "shorewall status" as described in http://www.shorewall.net/2.0/support.htm

-Tom

PS -- it is also time to consider upgrading your Shorewall installation. 2.2.1 has been unsupported for some while.
> I think it's time to see the output of "shorewall status"

See attachment.

Of course the OUT=eth3 is due to the following line in the routing table

169.254.0.0/16 dev eth3 scope link

Costantino

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 06 July 2006 16:53
To: Shorewall Users
Subject: Re: [Shorewall-users] weird issue with time service port
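Tom's question about the IN= interface and the route line quoted above are the two checks a practitioner would script over the firewall log. The following is an added example, not code from the Shorewall project or from this thread: it parses netfilter-style log lines, flags packets that entered on the LAN interface bound for 169.254.0.0/16 (link-local space, which is not an RFC 1918 block), and derives the OUT= interface by longest-prefix match against a routing table. The sample lines, the "Shorewall:loc2all" prefix, the interface names and the ROUTES table are constructed assumptions.

```python
# Added example: audit netfilter/Shorewall log lines for LAN hosts sending to 169.254/16
# and explain the OUT= interface from the routing table. Sample lines, the
# "Shorewall:loc2all" prefix, interface names and ROUTES are constructed assumptions.
import ipaddress
import re

_KV = re.compile(r"\b([A-Z]+)=(\S*)")        # KEY=VALUE fields written by the LOG target
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA space; not an RFC 1918 block
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed routing table (prefix, device), mirroring "169.254.0.0/16 dev eth3 scope link"
ROUTES = [("10.0.0.0/24", "eth0"), ("10.0.1.0/24", "eth3"),
          ("169.254.0.0/16", "eth3"), ("0.0.0.0/0", "eth1")]

def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict (OUT= may be empty)."""
    return dict(_KV.findall(line))

def classify_dst(dst):
    """'link-local', 'rfc1918' or 'other' for a destination address."""
    addr = ipaddress.ip_address(dst)
    if addr in LINK_LOCAL:
        return "link-local"
    return "rfc1918" if any(addr in net for net in RFC1918) else "other"

def route_out_if(dst, routes=ROUTES):
    """Longest-prefix match: the device the kernel would choose, i.e. the expected OUT=."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in routes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def audit(lines, lan_if):
    """Packets that entered on lan_if and are bound for link-local space, with the routing verdict."""
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("IN") != lan_if or "DST" not in f or classify_dst(f["DST"]) != "link-local":
            continue
        findings.append({"src": f.get("SRC"), "dst": f["DST"], "proto": f.get("PROTO"),
                         "dpt": f.get("DPT"), "out": f.get("OUT", ""),
                         "route_out": route_out_if(f["DST"])})
    return findings

SAMPLE = [  # constructed; 203.0.113.5 (TEST-NET-3) stands in for a real public NTP server
    "Jul  6 15:12:01 fw kernel: Shorewall:loc2all:REJECT:IN=eth0 OUT=eth3 SRC=10.0.0.10 "
    "DST=169.254.2.2 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4321 PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Jul  6 15:12:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=10.0.0.10 "
    "DST=203.0.113.5 LEN=76 TOS=0x00 PREC=0x00 TTL=128 ID=4322 PROTO=UDP SPT=123 DPT=123 LEN=56",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE, "eth0"):
        print(hit)   # a hit whose OUT= matches route_out means the log is consistent with the FIB
```

A hit whose "out" equals "route_out" says the kernel routed a link-local destination exactly as the route table dictates; the open question then moves to the source host rather than the firewall.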
Costantino wrote:
>> I think it's time to see the output of "shorewall status"
>
> See attachment.
>
> Of course the OUT=eth3 is due to the following line in the routing table
>
> 169.254.0.0/16 dev eth3 scope link
>

Yes. I don't see anything in the dump that would lead me to believe that the log messages aren't valid so I have no idea why you can't capture the traffic with Ethereal.

I will note though that your rfc1918 file is hopelessly out of date (another good reason to upgrade -- when you upgrade, be sure that the /etc/shorewall/rfc1918 file is removed so that the 'norfc1918' option will only catch RFC 1918 addresses).

-Tom