I have the following in my logs.

Src       Dest            Proto  Sport  Dport  Date            Log Prefix
a.b.c.d   239.255.67.250  udp    48421  16680  10/14/06 21:47  Shorewall:inet2all:DROP:

The source IP address is my ISP assigned address on my 'net' interface.

Why do I have inet2all DROP log messages where the source IP is my 'net' interface?

If the DROP was because the DEST IP address was my ISP assigned address that would make sense to me, but in this case I am not understanding what is going on.

I hope this type of question does not warrant all the stuff mentioned in the shorewall help documentation. If it does, I apologize.

Thanks.

Scott

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Scott Ruckh wrote:
> I have the following in my logs.
>
> Src       Dest            Proto  Sport  Dport  Date            Log Prefix
> a.b.c.d   239.255.67.250  udp    48421  16680  10/14/06 21:47  Shorewall:inet2all:DROP:
>
> The source IP address is my ISP assigned address on my 'net' interface.
>
> Why do I have inet2all DROP log messages where the source IP is my 'net'
> interface?
>
> If the DROP was because the DEST IP address was my ISP assigned address
> that would make sense to me, but in this case I am not understanding what
> is going on.
>
> I hope this type of question does not warrant all the stuff mentioned in
> the shorewall help documentation. If it does, I apologize.

There isn't enough here for me to answer the question. At the very least, I need to:

a) See the original log message, not one that's been put through a report-generation tool. Information like the IN and OUT interfaces are missing from what you sent.
b) Understand the physical topology of the network.
c) Understand the definitions of the zones involved (do you really have both 'net' and 'inet' zones?).
d) Understand your routing.

Sorry,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
This is what you said Tom Eastep
> Scott Ruckh wrote:
>> I have the following in my logs.
>>
>> Src       Dest            Proto  Sport  Dport  Date            Log Prefix
>> a.b.c.d   239.255.67.250  udp    48421  16680  10/14/06 21:47  Shorewall:inet2all:DROP:
>>
>> The source IP address is my ISP assigned address on my 'net' interface.
>>
>> Why do I have inet2all DROP log messages where the source IP is my 'net'
>> interface?
>>
>> If the DROP was because the DEST IP address was my ISP assigned address
>> that would make sense to me, but in this case I am not understanding
>> what is going on.
>>
>> I hope this type of question does not warrant all the stuff mentioned in
>> the shorewall help documentation. If it does, I apologize.
>
> There isn't enough here for me to answer the question. At the very least,
> I need to:
>
> a) See the original log message, not one that's been put through a
> report-generation tool. Information like the IN and OUT interfaces are
> missing from what you sent.

Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= SRC=a.b.c.d DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=48421 DPT=16680 LEN=152

This is not the same log from above, but it still applies. The source IP address is the IP address given to me by my ISP.

> b) Understand the physical topology of the network.

3-network interface configuration. eth2=inet zone

> c) Understand the definitions of the zones involved (do you really have
> both 'net' and 'inet' zones?).

Nope, this was me providing poor information. A good catch on your part. My internet zone is actually inet, but as everyone uses net I was trying to comply, but instead made things more confusing.

> d) Understand your routing.

Fairly typical 3-interface configuration. The policy going out for all zones is Accept. Policy for inbound traffic is to block all. Inbound connections are controlled through rules.

I don't understand why my inet zone is the source address and the destination is a non-defined address (presumably an internet address), and the traffic is going through the firewall and being blocked. Obviously I do not see much of this type of traffic, and do not understand what is going on.

> Sorry,
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Scott Ruckh wrote:
>
> Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC=
> SRC=a.b.c.d DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF
> PROTO=UDP SPT=48421 DPT=16680 LEN=152
>
> This is not the same log from above, but it still applies. The source IP
> address is the IP address given to me by my ISP.
>
>> b) Understand the physical topology of the network.
>
> 3-network interface configuration. eth2=inet zone
>
>> c) Understand the definitions of the zones involved (do you really have
>> both 'net' and 'inet' zones?).
>
> Nope, this was me providing poor information. A good catch on your part.
> My internet zone is actually inet, but as everyone uses net I was trying
> to comply, but instead made things more confusing.
>
>> d) Understand your routing.
>
> Fairly typical 3-interface configuration. The policy going out for all
> zones is Accept. Policy for inbound traffic is to block all. Inbound
> connections are controlled through rules.
>
> I don't understand why my inet zone is the source address and the
> destination is a non-defined address (presumably an internet address), and
> the traffic is going through the firewall and being blocked. Obviously I
> do not see much of this type of traffic, and do not understand what is
> going on.

Your firewall is sending a multicast (which it is also receiving) and it is getting logged (the destination IP is in 224.0.0.0/4). This usually means that you need to set PKTTYPE=No in shorewall.conf as your Netfilter 'pkttype' implementation is not matching that packet as multicast.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
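As an added illustration (not part of the thread or of Shorewall), the following Python parses the Netfilter log line quoted above and applies the test Tom describes: a packet carrying the firewall's own source address, an empty OUT= (received, not forwarded) and a destination inside 224.0.0.0/4 is the firewall's own multicast looped back onto the wire. The source address 203.0.113.7 is a constructed stand-in for the real a.b.c.d.

```python
import ipaddress
import re

# Constructed sample modelled on the Netfilter line quoted in the thread; the
# ISP address a.b.c.d is replaced by an RFC 5737 documentation address.
SAMPLE_LOG = (
    "Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= "
    "SRC=203.0.113.7 DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF "
    "PROTO=UDP SPT=48421 DPT=16680 LEN=152"
)

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_netfilter_log(line):
    """Split a Shorewall-prefixed Netfilter log line into its KEY=value fields."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for f in FIELD_RE.finditer(line, m.end()):
        key, val = f.group("key"), f.group("val")
        # LEN= appears twice (IP total length, then UDP length); keep the second as LEN2.
        fields[key + "2" if key in fields else key] = val
    return fields


def explain_drop(fields, local_addrs):
    """Classify a logged packet whose source may be one of the firewall's own IPs.

    local_addrs: iterable of the firewall's own address strings (e.g. the
    ISP-assigned address on eth2).
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src not in local:
        return "foreign-source"
    # Empty OUT= means the packet arrived on IN= and terminates at this host.
    if fields["OUT"] == "" and dst.is_multicast:      # 224.0.0.0/4
        # The host's own multicast is seen again on the wire; if the 'pkttype'
        # match does not flag it, it falls through to the inet2all policy.
        return "looped-back-local-multicast"
    if fields["OUT"] == "" and dst == ipaddress.ip_address("255.255.255.255"):
        return "looped-back-local-broadcast"
    return "local-unicast"


if __name__ == "__main__":
    f = parse_netfilter_log(SAMPLE_LOG)
    print(f["chain"], f["disposition"], f["IN"], repr(f["OUT"]), f["DST"], "TTL", f["TTL"])
    print(explain_drop(f, ["203.0.113.7"]))
```

The TTL=1 in the sample is consistent with link-local multicast that is never meant to be forwarded, which is why only the receiving (INPUT) path logs it.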
This is what you said Tom Eastep
> Scott Ruckh wrote:
>
>> Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC=
>> SRC=a.b.c.d DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF
>> PROTO=UDP SPT=48421 DPT=16680 LEN=152
>>
>> This is not the same log from above, but it still applies. The source
>> IP address is the IP address given to me by my ISP.
>>
>>> b) Understand the physical topology of the network.
>>
>> 3-network interface configuration. eth2=inet zone
>>
>>> c) Understand the definitions of the zones involved (do you really have
>>> both 'net' and 'inet' zones?).
>>
>> Nope, this was me providing poor information. A good catch on your part.
>> My internet zone is actually inet, but as everyone uses net I was trying
>> to comply, but instead made things more confusing.
>>
>>> d) Understand your routing.
>>
>> Fairly typical 3-interface configuration. The policy going out for all
>> zones is Accept. Policy for inbound traffic is to block all. Inbound
>> connections are controlled through rules.
>>
>> I don't understand why my inet zone is the source address and the
>> destination is a non-defined address (presumably an internet address),
>> and the traffic is going through the firewall and being blocked. Obviously
>> I do not see much of this type of traffic, and do not understand what is
>> going on.
>
> Your firewall is sending a multicast (which it is also receiving) and
> it is getting logged (the destination IP is in 224.0.0.0/4). This
> usually means that you need to set PKTTYPE=No in shorewall.conf as your
> Netfilter 'pkttype' implementation is not matching that packet as
> multicast.
>
> -Tom

I am running iptables v1.3.5 with kernel 2.6.13.4. Should I configure iptables or the kernel differently instead of setting the PKTTYPE=No value in shorewall.conf? Do you know why the PKTTYPE match extension is not able to match certain broadcast packets?

I have made the change in shorewall.conf as suggested, but I will need to educate myself some more in order to understand completely the setting and what is going on.

Thanks for the help.

Scott