schaffter ~ # /sbin/shorewall version
3.4.8
schaffter ~ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether ce:c2:15:ba:6a:75 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop qlen 5
link/slip
4: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
link/void
5: tunl0: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
7: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0: <NOARP> mtu 1460 qdisc noop
link/tunnel6 :: brd ::
9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether fe:ff:00:00:50:d8 brd ff:ff:ff:ff:ff:ff
inet 80.68.91.163/32 scope global eth0
inet6 fe80::fcff:ff:fe00:50d8/64 scope link
valid_lft forever preferred_lft forever
schaffter ~ # ip route show
127.0.0.0/8 dev lo scope link
default dev eth0 scope link
schaffter.com is on address 80.68.91.163
schaffter.com runs Gentoo Linux under a UML (User Mode Linux) server.
In /etc/shorewall/shorewall.conf I can find the two rows:
RFC1918_LOG_LEVEL=info
RFC1918_STRICT=No
and of course much more.
From a general point of view, everything works fine.
My problem:
All traffic that we have tried from the external IP address
77.193.149.159 is rejected by my firewall, with messages looking like
Jul 7 19:26:27 schaffter kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=fe:ff:00:00:50:d8:fe:ff:00:00:00:01:08:00 SRC=77.193.149.159 DST=80.68.91.163 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=1355 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
We have tried to send TCP traffic to port 80, UDP to port 53 and to ping.
All traffic from this source address is refused by my shorewall with
'rfc1918:DROP'.
To my understanding, the address 77.193.149.159 should not be an
'rfc1918 address' and to my understanding it isn't mentioned
explicitly or implicitly in the rfc1918 file.
I have made no modifications to the /etc/shorewall/rfc1918 file myself.
Could someone please point me in the right direction so that I can
understand what's going on?
If I need to provide further information, please tell me what to include.
Best regards
Gus
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Gustav Schaffter wrote:
> Could someone please point me in the right direction so that I can
> understand what's going on?

You probably have an /etc/shorewall/rfc1918 file that lists a whole bunch of non-RFC1918 addresses. Such files were used back in the dark ages of Shorewall's existence but should have been removed from your systems years ago. You may also have /etc/shorewall/bogons -- if so, delete that as well.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
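A check for the stale file Tom describes, added here as an example and not Shorewall's own code: it parses an old-style /etc/shorewall/rfc1918 file (SUBNETS TARGET columns), flags every entry that lies outside the three real RFC 1918 blocks, and shows which line would have matched a logged SRC address. The file contents are a constructed sample; the 77.0.0.0/8 bogon entry in it is an assumption for illustration, not the contents of Gus's file.

```python
import ipaddress

# The only three blocks RFC 1918 actually reserves; anything else in the
# file is a leftover bogon entry that can block legitimate traffic once the
# range is allocated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of an old-style /etc/shorewall/rfc1918 file. The
# non-private lines imitate the bogon ranges such files carried; they are
# assumptions for this example, not the real file from the thread.
SAMPLE_RFC1918_FILE = """\
#SUBNETS        TARGET
10.0.0.0/8      logdrop
172.16.0.0/12   logdrop
192.168.0.0/16  logdrop
77.0.0.0/8      logdrop
169.254.0.0/16  logdrop
"""


def parse_rfc1918_file(text):
    """Return (network, target) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        subnet, target = line.split()[:2]
        entries.append((ipaddress.ip_network(subnet, strict=False), target))
    return entries


def stale_entries(entries):
    """Entries not inside genuine RFC 1918 space: candidates for removal."""
    return [(net, t) for net, t in entries
            if not any(net.subnet_of(p) for p in RFC1918)]


def matching_entry(entries, addr):
    """First file line that covers a logged SRC address, or None."""
    ip = ipaddress.ip_address(addr)
    for net, target in entries:
        if ip in net:
            return (net, target)
    return None


if __name__ == "__main__":
    ents = parse_rfc1918_file(SAMPLE_RFC1918_FILE)
    print("stale (non-RFC1918) entries:", stale_entries(ents))
    print("77.193.149.159 matched by:", matching_entry(ents, "77.193.149.159"))
```

An address the poster could not find "explicitly" in the file is still caught "implicitly" when a broad stale range such as a whole /8 covers it.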
Tom,

Thanks for your quick answer.

"You probably have an /etc/shorewall/rfc1918 file"
True. I have now removed it. I'm still surprised, since the failing address wasn't found explicitly or implicitly in that file.

"Such files were used back in the dark ages of Shorewall's existence"
You make me feel old. ;-)

"You may also have /etc/shorewall/bogons"
Actually, I have a dim memory of having deleted that file a long time ago.

I will try from the offending (offended?) address again tomorrow and will let you know the outcome.

Again, thanks for your prompt help.
Gustav

On Mon, Jul 7, 2008 at 10:22 PM, Tom Eastep <teastep@shorewall.net> wrote:
Tom,

As I expected, after having followed your instructions in removing the old rfc1918 file, everything seems to work as it should.

Thanks again for your prompt support.

Regards
Gustav

On Mon, Jul 7, 2008 at 10:40 PM, Gustav Schaffter <gustav.schaffter@gmail.com> wrote: