Shorewall users - Jun 2008 - routing question

have a little question.

i have some troubles sending and receiving from my mailserver to 3
different mail servers, the strange thing was it wasn''t really clear in
the mail logs why it was rejected if it arrived at all.
turns out that it is being blocked by my firewall.

i am running Debian Etch vservers with a private ip address like 
192.168.1.* in a DMZ and i
do the routing via shorewall 4.08

Shorewall:fw2dmz:REJECT:IN= OUT=dummy0 SRC=192.168.1.88 DST=192.112.***.**
and also
Jun  4 18:54:38 host kernel: martian source 192.168.1.88 from
192.112.***.**, on dev eth0

not sure how or why but it does struck me that the mail servers i have
unexplained trouble with, have IP addresses starting with 192.112 and
192.113
the martian source can be suppressed by disabling the routefilter option
in /shorewall/interfaces and adding
"DROP:info        net:192.168.1.0/24         all"
in /shorewall/rules

but it does make me think that somehow 192.112.* is being seen as an
address in a private range, hence the martian notice.
at first i figured to have made some sloppy shorthand like 192.*
somewhere, but i can''t trace that back in any of my configs.


not sure what triggers it to send traffic to be send to  DMZ instead
of to NET. i do have a rfc1918 file with private ranges and no bogus ip 
ranges.

could it be another vserver advertising to listen on 192.*???

if anybody has a clue or direction to look for, much obliged.

randall

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php

randall wrote:
> turns out that it is being blocked by my firewall.
> 
> i am running Debian Etch vservers with a private ip address like 
> 192.168.1.* in a DMZ and i
> do the routing via shorewall 4.08
Except in very limited circumstances (Entry in /etc/shorewall/proxyarp with 
HAVEROUTE set to No or entries in /etc/shorewall/providers), Shorewall has 
nothing to do with routing.
> 
> Shorewall:fw2dmz:REJECT:IN= OUT=dummy0 SRC=192.168.1.88 DST=192.112.***.**
> and also
> Jun  4 18:54:38 host kernel: martian source 192.168.1.88 from
> 192.112.***.**, on dev eth0
Which means that there is a route to 192.112.***.*** out of an interface 
other than eth0.

Hint: When you claim to have a routing problem, the output of ''ip route
ls''
is pretty much manditory. Better yet, when reporting a problem, follow the 
guidelines at http://www.shorewall.net/support.htm#Guidelines.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php