Craig M. Nicholson
2006-Oct-11 17:23 UTC
Re: Multi ISP - possible bug in incoming connections
Hi Tom,

> Don't know what version of the code you are running but the current
> providers file doesn't say that.

Well, the top of the file says Shorewall 3.0

> If you get rid of 'loose', it should work.

I removed the loose option and still no joy. If I do a simultaneous tcpdump on the ppp0 interface and the eth1 interface I can see the SYN packet arriving on the ppp0 interface and being responded to via the eth1 interface with the source address set to the masquerade address of the ppp0 interface.

Here are some traces of the mysterious situation:

firewall:~# tcpdump -n -i ppp0 ip and host 196.202.x.x and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
19:16:37.396918 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613067659 0,nop,wscale 0>
19:16:40.389580 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613067959 0,nop,wscale 0>
19:16:46.380695 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613068559 0,nop,wscale 0>
19:16:58.385079 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613069759 0,nop,wscale 0>
19:17:22.392620 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613072159 0,nop,wscale 0>

firewall:~# tcpdump -n -i eth1 ip and host 196.202.x.x and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:16:37.397013 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 200260 3613067659,nop,wscale 6>
19:16:40.389656 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 201008 3613067659,nop,wscale 6>
19:16:40.393721 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 201010 3613067659,nop,wscale 6>
19:16:46.380778 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 202506 3613067659,nop,wscale 6>
19:16:46.394033 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 202510 3613067659,nop,wscale 6>
19:16:58.385154 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 205507 3613067659,nop,wscale 6>
19:16:58.394663 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 205510 3613067659,nop,wscale 6>
19:17:22.392706 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 211509 3613067659,nop,wscale 6>
19:17:22.395924 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 211510 3613067659,nop,wscale 6>
19:18:10.598454 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 223560 3613067659,nop,wscale 6>

If I do a "shorewall show connections" on the firewall it reveals the following:

firewall:~# shorewall show connections | grep 196.202.x.x
tcp 6 34 SYN_RECV src=196.202.x.x dst=165.165.x.x sport=2766 dport=21 packets=1 bytes=60 src=165.165.x.x dst=196.202.x.x sport=21 dport=2766 packets=9 bytes=540 mark=2 use=1

Any clue why this would be happening?

Regards,
- Craig.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
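The symptom in the captures above (SYN in on ppp0, SYN-ACK out on eth1, conntrack stuck in SYN_RECV with the reply side counting up) can be spotted mechanically by pairing the two tcpdump outputs by 4-tuple. The script below is an added example for doing that, not code from the thread or from Shorewall; the sample lines are the first few from the captures quoted above (addresses masked as in the post) plus one constructed healthy flow on 203.0.113.9 whose reply leaves on the interface it arrived on.

```python
import re
from collections import defaultdict

# Matches the tcpdump line style quoted in the post; an "ack N" after the
# sequence range marks a SYN-ACK, its absence marks a bare client SYN.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"S \S+ (?P<ack>ack \d+ )?win"
)

# Constructed sample: lines from the two captures in the post, plus an invented
# flow from 203.0.113.9 that is answered on the same interface it arrived on.
CAPTURES = {
    "ppp0": [
        "19:16:37.396918 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613067659 0,nop,wscale 0>",
        "19:16:40.389580 IP 196.202.x.x.2766 > 165.165.x.x.21: S 257590270:257590270(0) win 5840 <mss 1460,sackOK,timestamp 3613067959 0,nop,wscale 0>",
        "19:20:01.000000 IP 203.0.113.9.40000 > 165.165.x.x.22: S 1:1(0) win 5840 <mss 1460>",
        "19:20:01.000100 IP 165.165.x.x.22 > 203.0.113.9.40000: S 7:7(0) ack 2 win 5760 <mss 1452>",
    ],
    "eth1": [
        "19:16:37.397013 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 200260 3613067659,nop,wscale 6>",
        "19:16:40.389656 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 201008 3613067659,nop,wscale 6>",
        "19:16:40.393721 IP 165.165.x.x.21 > 196.202.x.x.2766: S 988189063:988189063(0) ack 257590271 win 5760 <mss 1452,sackOK,timestamp 201010 3613067659,nop,wscale 6>",
    ],
}

def find_asymmetric_flows(captures):
    """captures: {interface: [tcpdump lines]}.  Pairs client SYNs with the
    firewall's SYN-ACKs by (client, cport, server, sport) and returns, for every
    flow whose SYN-ACK left on a different interface than the SYN arrived on,
    (syn_iface, synack_iface, number_of_synacks_seen)."""
    syn_iface, synack_iface, synack_count = {}, {}, defaultdict(int)
    for iface, lines in captures.items():
        for line in lines:
            m = LINE.match(line)
            if not m:
                continue  # not a SYN or SYN-ACK line; ignore
            f = m.groupdict()
            if f["ack"]:  # SYN-ACK travels server->client, so flip to client-first order
                flow = (f["dst"], f["dport"], f["src"], f["sport"])
                synack_iface.setdefault(flow, iface)
                synack_count[flow] += 1
            else:
                flow = (f["src"], f["sport"], f["dst"], f["dport"])
                syn_iface.setdefault(flow, iface)
    return {flow: (syn_iface[flow], synack_iface[flow], synack_count[flow])
            for flow in syn_iface
            if flow in synack_iface and syn_iface[flow] != synack_iface[flow]}

if __name__ == "__main__":
    for (c, cp, s, sp), (i_in, i_out, n) in find_asymmetric_flows(CAPTURES).items():
        print(f"{c}:{cp} -> {s}:{sp}: SYN in on {i_in}, {n} SYN-ACK(s) out on {i_out}")
```

Feeding it the full captures from two "tcpdump -n -l" pipes (one per provider interface) shows which flows have their replies routed out the wrong ISP, which is the thing to fix in the providers/route marking rather than in the FTP rule itself.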
Craig M. Nicholson wrote:

> Any clue why this would be happening?

Not without seeing the output of "shorewall dump"...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key