Hi,

I've built two new firewalls with the latest shorewall 4.0.10-3 (updating from 2.4.9 finally!). I've migrated the rules and modified them to the new formats, and configured everything I need correctly.

When I tried to get the firewalls online last night (they're clustered) I got a lot of these messages:

May 20 00:16:45 firewall01 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=xxx.xx.xxx.xx DST=xxx.xxx.xxx.xxx LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=37

where the SRC is its own zone, and the DST is an external (net) zone.

The eth1 interface is my internal local network, while eth0 is the internet connection to our provider.

I have about 17 zones running and configured (the current shorewall 2.4.9 firewalls provide subnets and firewalling for that many clients).

How would I start to troubleshoot this problem? Noting I've migrated my config and setup (with the expected modifications to take advantage of the new 4.x formats and values) from a working environment.

I'm going to give the new firewalls a go again tonight to try and work out this problem.

Thanks.

Michael.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Michael Mansour wrote:
> Hi,
>
> I've built two new firewalls with the latest shorewall
> 4.0.10-3 (updating from 2.4.9 finally!).
>
> When I tried to get the firewalls online last night
> (they're clustered) I got a lot of these messages:
>
> May 20 00:16:45 firewall01 kernel:
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=xxx.xx.xxx.xx DST=xxx.xxx.xxx.xxx LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP
> SPT=32768 DPT=53 LEN=37
>
> where the SRC is its own zone, and the DST is an
> external (net) zone.
>
> The eth1 interface is my internal local network, while
> eth0 is the internet connection to our provider.
[...]
> How would I start to troubleshoot this problem?

Could be a policy or a forwarding problem? Can you paste your config?

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Karsten Bräckelmann
2008-May-20 12:30 UTC
Re: bind port 53 FORWARD:REJECT IN=eth1 OUT=eth1
> May 20 00:16:45 firewall01 kernel:
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
                           ^^^^^^^^^^^^^^^^
Are these supposed to be the same?

> SRC=xxx.xx.xxx.xx DST=xxx.xxx.xxx.xxx LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP
> SPT=32768 DPT=53 LEN=37
>
> where the SRC is its own zone, and the DST is an
> external (net) zone.
>
> The eth1 interface is my internal local network, while
> eth0 is the internet connection to our provider.

Typo in masq? Did you mean 'eth0 eth1' there?

Karsten

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Karsten Bräckelmann wrote:
>> May 20 00:16:45 firewall01 kernel:
>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>                            ^^^^^^^^^^^^^^^^
> Are these supposed to be the same?
>
>> where the SRC is its own zone, and the DST is an
>> external (net) zone.
>>
>> The eth1 interface is my internal local network, while
>> eth0 is the internet connection to our provider.
>
> Typo in masq? Did you mean 'eth0 eth1' there?

Either that or eth1 needs the 'routeback' option (see Shorewall FAQ 17).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Karsten Bräckelmann wrote:
>>> May 20 00:16:45 firewall01 kernel:
>>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>>                            ^^^^^^^^^^^^^^^^
>> Are these supposed to be the same?
>>
>>> The eth1 interface is my internal local network, while
>>> eth0 is the internet connection to our provider.
>>
>> Typo in masq? Did you mean 'eth0 eth1' there?
>
> Either that or eth1 needs the 'routeback' option (see Shorewall FAQ 17).

This could also be caused by doing something silly like configuring a default route out of eth1.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi,

--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Karsten Bräckelmann wrote:
>>>> May 20 00:16:45 firewall01 kernel:
>>>> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
>>>                            ^^^^^^^^^^^^^^^^
>>> Are these supposed to be the same?
>>>
>>>> The eth1 interface is my internal local network, while
>>>> eth0 is the internet connection to our provider.
>>>
>>> Typo in masq? Did you mean 'eth0 eth1' there?
>>
>> Either that or eth1 needs the 'routeback' option (see Shorewall FAQ 17).
>
> This could also be caused by doing something silly like configuring a
> default route out of eth1.

Sorry for the lateness of this reply, a couple of 3am nights in the data centre working this out (and other problems) before getting back onto this list.

Yes Tom, it was exactly that problem. The default route was set to eth1 instead of eth0. Once that was modified then all worked fine thereafter.

Many thanks for the assistance and suggestions for what this could have been.

Michael.
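The two checks the thread converges on, Karsten's "IN and OUT are the same interface" observation and Tom's "default route out of the wrong interface", can be scripted so the next migration does not cost a 3am night. The following is an added example, not code from the thread or from the Shorewall project. It assumes Shorewall's default LOGFORMAT ("Shorewall:%s:%s:", which puts chain and disposition in front of the netfilter key=value fields); the log line is a constructed copy of the one Michael posted with the masked addresses replaced by RFC 5737 documentation addresses, and the two `ip route show` outputs are constructed to model the routing table before and after his fix.

```python
import re

# Constructed sample, modelled on the line quoted in this thread. The real
# addresses were masked as xxx; these are RFC 5737 documentation addresses.
SAMPLE_LOG = (
    "May 20 00:16:45 firewall01 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 "
    "SRC=192.0.2.10 DST=198.51.100.53 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=32768 DPT=53 LEN=37"
)

# Constructed 'ip route show' output for the misconfiguration found in the
# thread: the default route points at the internal interface eth1.
BAD_ROUTES = """\
default via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.2
203.0.113.0/30 dev eth0 proto kernel scope link src 203.0.113.2
"""

# Constructed output for the same host after the fix: default via eth0.
GOOD_ROUTES = """\
default via 203.0.113.1 dev eth0
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.2
203.0.113.0/30 dev eth0 proto kernel scope link src 203.0.113.2
"""

# Assumes Shorewall's default LOGFORMAT, which yields "Shorewall:CHAIN:DISPOSITION:"
# ahead of the netfilter fields. Sites with a custom LOGFORMAT must adjust this.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Parse one Shorewall/netfilter log line into a dict, or return None.

    Netfilter prints LEN twice (IP total length, then the UDP/ICMP length);
    the second copy is stored under 'L4_LEN'. Bare tokens such as DF go
    into 'flags'. An empty value (e.g. 'OUT=' on an INPUT-chain log) is
    kept as '' so callers can tell "no egress interface" from "missing".
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for token in m.group("rest").split():
        if "=" not in token:
            fields["flags"].append(token)
            continue
        key, value = token.split("=", 1)
        if key == "LEN" and "LEN" in fields:
            key = "L4_LEN"
        fields[key] = value
    return fields


def is_hairpin(fields):
    """True when a forwarded packet would leave on the interface it arrived on.

    This is the IN=eth1 OUT=eth1 pattern from the thread: Shorewall rejects
    such a forward unless the interface carries the 'routeback' option, and
    it usually means the routing table, not the rules, is wrong.
    """
    return bool(fields.get("IN")) and fields.get("IN") == fields.get("OUT")


def default_route_dev(ip_route_output):
    """Return the device of the default route in 'ip route show' output, or None."""
    for line in ip_route_output.splitlines():
        parts = line.split()
        if parts and parts[0] == "default" and "dev" in parts:
            return parts[parts.index("dev") + 1]
    return None


def diagnose(line, ip_route_output, external_if):
    """Run both checks; an empty list means neither symptom is present."""
    findings = []
    fields = parse_shorewall_log(line)
    if fields is None:
        return ["not a Shorewall log line"]
    if fields["chain"] == "FORWARD" and is_hairpin(fields):
        findings.append(
            f"FORWARD {fields['disposition']}: hairpin on {fields['IN']} "
            f"(SRC={fields.get('SRC')} DST={fields.get('DST')} "
            f"{fields.get('PROTO')}/{fields.get('DPT')})"
        )
    dev = default_route_dev(ip_route_output)
    if dev is None:
        findings.append("no default route installed")
    elif dev != external_if:
        findings.append(f"default route leaves via {dev}, expected external interface {external_if}")
    return findings


if __name__ == "__main__":
    for label, routes in (("before fix", BAD_ROUTES), ("after fix", GOOD_ROUTES)):
        print(label)
        for finding in diagnose(SAMPLE_LOG, routes, "eth0") or ["no findings"]:
            print("  -", finding)
```

On a live box the routing table comes from `ip route show` and the log lines from `grep Shorewall: /var/log/messages`; with the bad table both findings fire, with the corrected one only the hairpin from the old log line remains, which is the expected residue until the logs roll over.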