Here's the short of it: I have a DNS server running on my firewall box. As you can see below, I'm allowing all my clients on the local subnet to reach the $FW box to resolve DNS, but the firewall thinks it's NET traffic, not LOC traffic. Any suggestions?

Running SuSE 11 with Shorewall 4.2 w/perl. Tried 4.4 and the same issue. HELP!!!!!

---------------- Firewall Log ----------------

Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37

----------------- Zone File ------------------

#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
net     ipv4
loc     ipv4
loc1    ipv4
fw      firewall

----------------- Interfaces -----------------

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth2        detect      routeback,tcpflags
loc     eth0        detect
loc1    eth1        detect

----------------- Policy ---------------------

#SOURCE   DEST   POLICY   LOG LEVEL
net       all    DROP     info
$FW       loc    ACCEPT   info
$FW       loc1   ACCEPT   info
loc       $FW    ACCEPT   info
loc1      $FW    ACCEPT   info
loc1      loc    ACCEPT   info
loc       loc1   ACCEPT   info
On 08/31/2009 02:07 PM, Surge wrote:
> Here's the short of it: I have a DNS server running on my firewall box. As you can see below, I'm allowing all my clients on the local subnet to reach the $FW box to resolve DNS, but the firewall thinks it's NET traffic, not LOC traffic. Any suggestions?
>
> Running SuSE 11 with Shorewall 4.2 w/perl. Tried 4.4 and the same issue. HELP!!!!!
>
> Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37

That traffic is entering your firewall on eth5, which isn't even mentioned in your interfaces file. Do you have the local network bridged to an unused firewall interface?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Sorry, I sent the old interface config; here's the correct one! Shorewall 4.2.10 and Shorewall-perl 4.2.10.3.

----------------- Interfaces -----------------

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth5        detect      routeback,tcpflags
loc     eth3        detect
loc1    eth4        detect

On Monday, August 31, 2009 5:17:30 PM, Tom Eastep wrote (Re: [Shorewall-users] LOC traffic shows up as NET traffic):
> That traffic is entering your firewall on eth5, which isn't even mentioned in your interfaces file. Do you have the local network bridged to an unused firewall interface?
On 08/31/2009 02:34 PM, Surge wrote:
> Sorry, I sent the old interface config; here's the correct one! Shorewall 4.2.10 and Shorewall-perl 4.2.10.3.
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth5        detect      routeback,tcpflags
> loc     eth3        detect
> loc1    eth4        detect

This indicates that eth5 is bridged to eth3 or eth4. Are two or more firewall interfaces connected to the same switch/hub?

-Tom
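The reasoning in Tom's two replies above, written out as an added example (this is not code from the thread or from Shorewall itself): Shorewall names the chain after the zone of the ingress interface, so a net2fw log line means the packet physically arrived on the net interface, whatever its source address says. The script parses the kernel log line from the first post, the corrected interfaces file, and the firewall's own addresses (taken from the ifconfig output posted later in the thread and embedded here as constructed input), then reports whether the ingress interface is unknown to Shorewall at all, or whether the source belongs to a subnet that lives on a different interface. The verdict strings and the splitting of the LOG target's MAC= field into destination MAC, source MAC and ethertype are the example's own conventions.

```python
import ipaddress
import re

# Constructed input: the corrected /etc/shorewall/interfaces posted in the thread.
INTERFACES_FILE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth5        detect      routeback,tcpflags
loc     eth3        detect
loc1    eth4        detect
"""

# Constructed input: the firewall's own addresses (from the ifconfig output
# posted later in the thread), interface -> address/prefix.
IFACE_ADDRS = {
    "eth3": "10.1.50.7/24",
    "eth4": "192.168.2.7/24",
    "eth5": "74.2.235.59/28",
}

# The kernel log line from the first post.
LOG_LINE = (
    "Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= "
    "MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 "
    "LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37"
)


def parse_interfaces(text):
    """Return {interface: zone} from a Shorewall 'interfaces' file (comments ignored)."""
    zones = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, iface = line.split()[:2]
        zones[iface] = zone
    return zones


def parse_log(line):
    """Return the chain, disposition and KEY=VALUE fields of a Shorewall kernel log line."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    fields["chain"] = m.group("chain")
    fields["disposition"] = m.group("disp")
    return fields


def split_mac(mac_field):
    """Split the LOG target's MAC= field into (dst_mac, src_mac, ethertype).

    The field is the raw 14-byte Ethernet header: 6 bytes destination,
    6 bytes source, 2 bytes ethertype, all colon separated.
    """
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC= field length")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def diagnose(log_line, interfaces_text, iface_addrs):
    """Explain why a packet landed in the chain it did. Returns (verdict, detail)."""
    ev = parse_log(log_line)
    zones = parse_interfaces(interfaces_text)
    in_if = ev["IN"]
    src = ipaddress.ip_address(ev["SRC"])
    src_mac = split_mac(ev["MAC"])[1]

    in_zone = zones.get(in_if)
    if in_zone is None:
        # Tom's first observation: the ingress interface is not in the interfaces file.
        return "unknown-interface", f"IN={in_if} is not listed in the interfaces file"

    # Which firewall interface owns the subnet the source address claims to be in?
    owner = next(
        (i for i, cidr in iface_addrs.items()
         if src in ipaddress.ip_network(cidr, strict=False)),
        None,
    )
    if owner is None:
        return "foreign-source", f"{src} is in no directly connected subnet; arrived on {in_if} ({in_zone})"
    if owner == in_if:
        return "ok", f"{src} arrived on {in_if} ({in_zone}) as expected"
    # Tom's second observation: the source belongs to another interface's subnet, so the
    # chain name is right for the ingress interface and the fault is at layer 2.
    return "misplaced-source", (
        f"{src} (MAC {src_mac}) belongs to {iface_addrs[owner]} on {owner} ({zones.get(owner)}) "
        f"but arrived on {in_if} ({in_zone}); chain {ev['chain']} is correct for the ingress "
        f"interface, so look for a bridge or L2 loop between {owner} and {in_if}"
    )


if __name__ == "__main__":
    print(*diagnose(LOG_LINE, INTERFACES_FILE, IFACE_ADDRS))
```

Run against the original (stale) interfaces file, which lists eth0/eth1/eth2, the script gives Tom's first answer (eth5 unknown); against the corrected file it gives his second: 10.1.50.14 is eth3's subnet, it came in on eth5, and the source MAC 08:00:20:b2:5f:db is a Sun OUI rather than a router's, which already hints at the bridge.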
Let me check, but I don't think so. We used to have VLANs before on a switch hosting the local LANs 192.168.2.0 and 10.1.50.0. I will check, but I believe they are now independent, and the WAN (eth5) is definitely on a different hub.

On Monday, August 31, 2009 5:42:16 PM, Tom Eastep wrote:
> This indicates that eth5 is bridged to eth3 or eth4. Are two or more firewall interfaces connected to the same switch/hub?
I checked; as mentioned, it's not on the same hub/switch. Any other ideas or suggestions?

On Monday, August 31, 2009 5:42:16 PM, Tom Eastep wrote:
> This indicates that eth5 is bridged to eth3 or eth4. Are two or more firewall interfaces connected to the same switch/hub?
Surge wrote:
> I checked; as mentioned, it's not on the same hub/switch. Any other ideas or suggestions?

Then you had better check that the hubs/switches that they are connected to are not themselves connected. The only possible explanation for packets from 10.1.50.0/24 arriving on eth5 is that the subnet is connected to eth5 either directly or indirectly. I suggest that you:

    tcpdump -nei eth5 net 10.1.50.0/24

Look at the packets and check the source MAC address. If different hosts are sending packets with the same MAC source, then the host with the sending MAC is routing the packets to you. If the MAC addresses match the sending hosts' real MACs, then 10.1.50.0/24 is bridged to eth5 in some way.

Note that the traffic from 10.1.50.0/24 may be intermittent through eth5; that is because of what I call 'ARP Roulette' (see http://www.shorewall.net/FoolsFirewall.html for additional information).

-Tom
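Tom's MAC test, as an added example (not code from the thread or from Shorewall): parse the output of `tcpdump -nei eth5 net 10.1.50.0/24`, group source IPs by source MAC, and apply his two rules. One MAC fronting several IPs means the owner of that MAC is routing the packets to you; a frame carrying the sending host's own MAC means its subnet is bridged to the interface. The first capture is the two lines Surge posts later in the thread, checked against the real MAC of his Sun box's ce6 interface; the second capture and its MAC 00:11:22:33:44:55 are constructed here to show the routed case. Verdict names are the example's own.

```python
import re
from collections import defaultdict

# The two lines Surge posted, in `tcpdump -nei eth5 net 10.1.50.0/24` format.
CAPTURE = """\
16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:64:20:eb:85, length 254
"""

# Constructed sample of the other case Tom describes: several source IPs behind one
# source MAC, i.e. a box with the made-up MAC 00:11:22:33:44:55 is routing them to us.
ROUTED_CAPTURE = """\
16:40:01.000001 00:11:22:33:44:55 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39372 > 10.1.50.7.53: 20786+ A? example.com. (27)
16:40:01.000002 00:11:22:33:44:55 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.14.53289 > 10.1.50.7.53: 20787+ A? example.net. (27)
"""

# Real MACs of hosts you can log in to and check: the Sun box's ce6 from the thread
# (Solaris prints octets without zero padding, so normalize before comparing).
KNOWN_MACS = {"10.1.50.10": "0:3:ba:1b:95:10"}

LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+(?:\.\d+){3})\.\d+ > (?P<dip>\d+(?:\.\d+){3})\.\d+:"
)


def parse_capture(text):
    """Return [(src_mac, src_ip), ...] for each IPv4 frame in tcpdump -e output."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((m.group("smac"), m.group("sip")))
    return frames


def normalize_mac(mac):
    """Pad Solaris-style 0:3:ba:1b:95:10 to 00:03:ba:1b:95:10 for comparison."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))


def classify(frames, known_macs=None):
    """Group source IPs by source MAC and say what put each frame on this segment.

    routed     : one MAC fronts several IPs, or the MAC is not the host's real one;
                 the device owning that MAC is forwarding the packets to us.
    bridged    : the frame carries the sending host's own MAC, so that host's
                 subnet is layer-2 adjacent to the capture interface.
    unverified : a single IP whose real MAC we have not been able to check.
    """
    known = {ip: normalize_mac(m) for ip, m in (known_macs or {}).items()}
    by_mac = defaultdict(set)
    for smac, sip in frames:
        by_mac[normalize_mac(smac)].add(sip)

    findings = {}
    for smac, ips in by_mac.items():
        if len(ips) > 1:
            findings[smac] = ("routed", sorted(ips))
            continue
        ip = next(iter(ips))
        if ip in known:
            verdict = "bridged" if known[ip] == smac else "routed"
        else:
            verdict = "unverified"
        findings[smac] = (verdict, [ip])
    return findings


def suspects_bridge(findings):
    """True if any frame proves a layer-2 path from the internal subnet to this interface."""
    return any(verdict == "bridged" for verdict, _ in findings.values())


if __name__ == "__main__":
    for mac, (verdict, ips) in classify(parse_capture(CAPTURE), KNOWN_MACS).items():
        print(mac, verdict, ips)
```

On Surge's capture the DNS query from 10.1.50.10 arrives with 00:03:ba:1b:95:10, exactly the MAC of the Sun box's ce6, so it is classified as bridged; the DHCP broadcast from 10.1.50.198 stays unverified until someone checks that host, though the chaddr in the request matching the frame's source MAC points the same way. Capture on the net interface for a while before concluding anything, since the ARP roulette Tom mentions means the traffic may only show up intermittently.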
Hi,

This is what I found when I ran the tcpdump on the firewall. It looks like the SuSE Linux box is getting requests on the external interface from the Sun box. I'm a bit more confused now than before.....

16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:64:20:eb:85, length 254

Here is the ipconfig -all of the firewall; netstat -rn shows default route 10.1.50.7 and resolv.conf has 10.1.50.7.

---------- Firewall ---------------------

eth3      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:F8
          inet addr:10.1.50.7  Bcast:10.1.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:164507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42921 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19329107 (18.4 Mb)  TX bytes:14528295 (13.8 Mb)
          Interrupt:18 Base address:0x1400

eth4      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:02
          inet addr:192.168.2.7  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1055431 (1.0 Mb)  TX bytes:17689 (17.2 Kb)
          Interrupt:19 Base address:0x1480

eth5      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:0C
          inet addr:74.2.235.59  Bcast:74.2.235.63  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:172988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31690672 (30.2 Mb)  TX bytes:4432651 (4.2 Mb)
          Interrupt:16 Base address:0x1800

Here is the ipconfig -a for the box that I've been testing that has the issue doing a DNS query.

---------- Client -------------------

ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.10 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:1b:95:1e
ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.3.11 netmask ffffff00 broadcast 192.168.3.255
        ether 0:3:ba:1b:95:1f
ce6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.1.50.10 netmask ffffff00 broadcast 10.1.50.255
        ether 0:3:ba:1b:95:10

On Tuesday, September 1, 2009 1:35:00 PM, Tom Eastep wrote:
> Then you had better check that the hubs/switches that they are connected to are not themselves connected. The only possible explanation for packets from 10.1.50.0/24 arriving on eth5 is that the subnet is connected to eth5 either directly or indirectly. I suggest that you:
>
>     tcpdump -nei eth5 net 10.1.50.0/24
>
> Look at the packets and check the source MAC address. If different hosts are sending packets with the same MAC source, then the host with the sending MAC is routing the packets to you. If the MAC addresses match the sending hosts' real MACs, then 10.1.50.0/24 is bridged to eth5 in some way.
On 09/01/2009 01:52 PM, Surge wrote:
> Hi,
>
> This is what I found when I ran the tcpdump on the firewall. It looks like the SuSE Linux box is getting requests on the external interface from the Sun box.

"The Sun box" doesn't mean anything to us -- but I'm guessing that it is the box with MAC address 00:03:ba:1b:95:10, since that is a Sun MAC.

> I'm a bit more confused now than before.....
>
> 16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
> 16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:64:20:eb:85, length 254

The sending MAC addresses are different.

> Here is the ipconfig -all of the firewall; netstat -rn shows default route 10.1.50.7 and resolv.conf has 10.1.50.7.
>
> eth3      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:F8
>           inet addr:10.1.50.7  Bcast:10.1.50.255  Mask:255.255.255.0
> [eth4, eth5 and the rest of the firewall listing as above]
>
> Here is the ipconfig -a for the box that I've been testing that has the issue doing a DNS query.
>
> ce6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
>         inet 10.1.50.10 netmask ffffff00 broadcast 10.1.50.255
>         ether 0:3:ba:1b:95:10

I assume that this Sun system is connected through eth3 on the SuSE system? So how can you explain these packets arriving on eth5 other than that eth3 and eth5 are bridged?

-Tom
Hi,

I agree with you. But it's odd, because I can't find where on the network I would have this.... Here's the rundown of what I have.

I have 2 locations where I have routers in my building. Room 1 has a router for the 192.168.2.0; same room, another router for the 10.1.50.0, and another router for the 74.2.235.0. They all have a link to my warehouse - Room 2, which has a router for the 74.2.235.0; same room, another router with 24 ports, 12 ports configured for the 192.168.2.0 and the others for the 10.1.50.0.

Now, just for grins, I also disabled some policies in the policy file; now I should be able to ping between 192.168.2.0 and 10.1.50.0. Even though I understand that we are looking for the culprit which is creating a bridge between the 74.2.235.0 and 10.1.50.0, right?

------- Policy ---------

net     all    DROP     info
$FW     loc    ACCEPT   info
$FW     loc1   ACCEPT   info
loc     $FW    ACCEPT   info
loc1    $FW    ACCEPT   info
#loc1   loc    ACCEPT   info   (Disabled)
#loc    loc1   ACCEPT   info   (Disabled)

Thanks

On Tuesday, September 1, 2009 5:22:52 PM, Tom Eastep wrote:
> I assume that this Sun system is connected through eth3 on the SuSE system? So how can you explain these packets arriving on eth5 other than that eth3 and eth5 are bridged?
Surge wrote:
> Now, just for grins, I also disabled some policies in the policy file; now I should be able to ping between 192.168.2.0 and 10.1.50.0. Even though I understand that we are looking for the culprit which is creating a bridge between the 74.2.235.0 and 10.1.50.0, right?

If you want to test without the bridging getting in the way, set arp_filter=1 on your interfaces (/etc/shorewall/interfaces).

-Tom
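What Tom's suggestion looks like in /etc/shorewall/interfaces, starting from Surge's corrected file; this is an added illustration, not a file from the thread. The arp_filter=1 option makes Shorewall set /proc/sys/net/ipv4/conf/<interface>/arp_filter, after which the kernel only answers an ARP request received on an interface if it would route a reply to the requester out of that same interface. The Sun box's ARP for 10.1.50.7 arriving on eth5 via the bridge then goes unanswered with eth5's MAC, the client learns eth3's MAC instead, and the DNS queries land in loc2fw where the policy accepts them.

```text
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth5        detect      routeback,tcpflags,arp_filter=1
loc     eth3        detect      arp_filter=1
loc1    eth4        detect      arp_filter=1
```

This only masks the symptom. The root cause found later in the thread, a router bridging 10.1.50.0/24 onto the WAN segment on eth5, means every host on that external segment is layer-2 adjacent to the internal LAN and can reach it without ever traversing the firewall, so the bridge has to be removed regardless of whether the DNS queries start working.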
Hi Tom,

Thanks! You were right all this time; we had a router in a back room which was the culprit. It was the bridge between the 10.1.50.0 and the 74.2.235.0. Shut it off, and the scenario is fixed. Thanks for your time and patience.

Thanks again

On Wednesday, September 2, 2009 11:45:28 AM, Tom Eastep wrote:
> If you want to test without the bridging getting in the way, set arp_filter=1 on your interfaces (/etc/shorewall/interfaces).
Surge wrote:
> Thanks! You were right all this time; we had a router in a back room which was the culprit. It was the bridge between the 10.1.50.0 and the 74.2.235.0. Shut it off, and the scenario is fixed. Thanks for your time and patience.

You are welcome -- glad to hear that you got it sorted out.

-Tom