Shorewall users - Jun 2010 - shorewall 4.4.10: some http requests don't get answers

hi,

i use shorewall 4.4.10 on gentoo linux i686 with a quite simple setup.

1 isp (pppoe).
1 ethernet segment (eth1, masq, dhcp).
1 wlan segment (hostapd, wlan0, masq, dhcp).

since i mostly use squid for http, i didn''t notice the problem for
quite some time.
i used shorewall 4.4.2.1 before.
_some_ requests from the ethernet and wlan segments don''t get an
answer.
until now i am not aware of other protocols with the same behavior.
the same requests work from the firewall as expected.

e.g. (seaburg is a client on the eth1):

    ahuemer@seaburg ~ % curl -v "http://www.asterisk.org/"
    * About to connect() to www.asterisk.org port 80 (#0)
    *   Trying 216.207.245.33... connected
    * Connected to www.asterisk.org (216.207.245.33) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.20.1 (x86_64-pc-linux-gnu) libcurl/7.20.1
OpenSSL/0.9.8o zlib/1.2.5
    > Host: www.asterisk.org
    > Accept: */*
    >
    ^C
    ahuemer@seaburg ~ %

relevant config files and shorewall dump after reset and failing curl are
attached.

thanks for the help in advance.
i''ll provide all info that is needed. please ask.
kind regards

-alex

P.S.

i use shorewall6 too, because i use a SIXXS prefix. i don''t know if
that''s relevant.



------------------------------------------------------------------------------
ThinkGeek and WIRED''s GeekDad team up for the Ultimate 
GeekDad Father''s Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

On 6/22/10 6:17 AM, Alexander Huemer wrote:
> hi,
> 
> i use shorewall 4.4.10 on gentoo linux i686 with a quite simple setup.
> 
> 1 isp (pppoe).
> 1 ethernet segment (eth1, masq, dhcp).
> 1 wlan segment (hostapd, wlan0, masq, dhcp).
> 
> since i mostly use squid for http, i didn''t notice the problem for
quite some time.
> i used shorewall 4.4.2.1 before.
> _some_ requests from the ethernet and wlan segments don''t get an
answer.
> until now i am not aware of other protocols with the same behavior.
> the same requests work from the firewall as expected.
Please see if the solution in Shorewall FAQ 33 corrects this problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
ThinkGeek and WIRED''s GeekDad team up for the Ultimate 
GeekDad Father''s Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo

Problem solved. I overlooked that in the FAQ.
Thanks a lot for the quick help.

-Alex

On 22.06.2010 17:17, Tom Eastep wrote:
> On 6/22/10 6:17 AM, Alexander Huemer wrote:
>> hi,
>>
>> i use shorewall 4.4.10 on gentoo linux i686 with a quite simple setup.
>>
>> 1 isp (pppoe).
>> 1 ethernet segment (eth1, masq, dhcp).
>> 1 wlan segment (hostapd, wlan0, masq, dhcp).
>>
>> since i mostly use squid for http, i didn''t notice the problem
for quite some time.
>> i used shorewall 4.4.2.1 before.
>> _some_ requests from the ethernet and wlan segments don''t get
an answer.
>> until now i am not aware of other protocols with the same behavior.
>> the same requests work from the firewall as expected.
> 
> Please see if the solution in Shorewall FAQ 33 corrects this problem.
> 
> -Tom
> 
> 
> 
>
------------------------------------------------------------------------------
> ThinkGeek and WIRED''s GeekDad team up for the Ultimate 
> GeekDad Father''s Day Giveaway. ONE MASSIVE PRIZE to the 
> lucky parental unit.  See the prize list and enter to win: 
> http://p.sf.net/sfu/thinkgeek-promo
> 
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
ThinkGeek and WIRED''s GeekDad team up for the Ultimate 
GeekDad Father''s Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo