I have a really odd problem. When I ping from a host behind my Shorewall router, the first packet is lost. After that, the packets seem to route properly. An example of the tcpdump session is below, where the local host is 172.16.5.178, the Shorewall router is 199.199.199.2, and the far host is 151.164.1.8.

20:01:04.819745 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 107, length 40
20:01:09.439000 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 108, length 40
20:01:09.439240 IP 199.199.199.2 > 151.164.1.8: ICMP echo request, id 1, seq 108, length 40
20:01:09.456248 IP 151.164.1.8 > 199.199.199.2: ICMP echo reply, id 1, seq 108, length 40
20:01:09.456425 IP 151.164.1.8 > 172.16.5.178: ICMP echo reply, id 1, seq 108, length 40
20:01:10.438014 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 109, length 40
20:01:10.438130 IP 199.199.199.2 > 151.164.1.8: ICMP echo request, id 1, seq 109, length 40
20:01:10.453801 IP 151.164.1.8 > 199.199.199.2: ICMP echo reply, id 1, seq 109, length 40
20:01:10.453923 IP 151.164.1.8 > 172.16.5.178: ICMP echo reply, id 1, seq 109, length 40

I am using Shorewall v4.4.14 and CentOS 5.3 with kernel 2.6.18-194.26.1.el5.

Any ideas what I should look for? I did try the same thing from the Shorewall firewall itself, and all packets go just fine.

Thanks,
Ronnie

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
On 11/26/10 5:53 PM, Red Baron wrote:
> Any ideas what I should look for? I did try the same thing from the
> shorewall firewall itself, and all packets go just fine.

I really have no idea what would cause this. I've seen it with IPSEC tunneling but not with simply forwarding.

Given your ancient distribution, the only available debugging tool in Shorewall is to set LOGALLNEW=info in shorewall.conf, restart Shorewall, then ping. Set LOGALLNEW=, restart Shorewall again, then look at the log to see how far the first packet got.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
This server is running IPSec but oe is disabled and this host is not an IPSec zone. I will try your suggestions. Thx

On Nov 27, 2010, at 10:17 AM, Tom Eastep <teastep@shorewall.net> wrote:
> I really have no idea what would cause this. I've seen it with IPSEC
> tunneling but not with simply forwarding.
>
> Given your ancient distribution, the only available debugging tool in
> Shorewall is to set LOGALLNEW=info in shorewall.conf, restart Shorewall
> then ping. Set LOGALLNEW=, restart Shorewall again, then look at the log
> to see how far the first packet got.
>
> -Tom
On 11/27/10 9:20 AM, Red Baron wrote:
> This server is running IPSec but oe is disabled and this host is not
> an IPSec zone. I will try your suggestions. Thx

One more thought -- try using the -e option to tcpdump and confirm that the first packet has the correct L2 destination address (MAC).

-Tom
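The capture in the first message already shows where the lost echo died: seq 107 appears once from 172.16.5.178 but never reappears as a NATed request from 199.199.199.2, while seq 108 and 109 complete all four hops. The following script, an added example that is not part of the thread, automates that reading of a tcpdump ICMP capture: it groups lines by (id, seq) and reports, for each echo, whether it completed or at which hop (LAN request, SNATed request, reply to the router, de-NATed reply to the LAN host) it went missing. The sample input is the thread's own tcpdump lines, re-typed one per line; the addresses are the ones the poster gave.

```python
import re
from collections import defaultdict

# Addresses from the thread: inside host, router's outside address, ping target.
LAN_HOST, NAT_ADDR, FAR_HOST = "172.16.5.178", "199.199.199.2", "151.164.1.8"

# Constructed sample: the tcpdump lines quoted in the first message, one per line.
SAMPLE = """\
20:01:04.819745 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 107,length 40
20:01:09.439000 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 108,length 40
20:01:09.439240 IP 199.199.199.2 > 151.164.1.8: ICMP echo request, id 1, seq 108, length 40
20:01:09.456248 IP 151.164.1.8 > 199.199.199.2: ICMP echo reply, id 1, seq 108, length 40
20:01:09.456425 IP 151.164.1.8 > 172.16.5.178: ICMP echo reply, id 1, seq 108, length 40
20:01:10.438014 IP 172.16.5.178 > 151.164.1.8: ICMP echo request, id 1, seq 109,length 40
20:01:10.438130 IP 199.199.199.2 > 151.164.1.8: ICMP echo request, id 1, seq 109, length 40
20:01:10.453801 IP 151.164.1.8 > 199.199.199.2: ICMP echo reply, id 1, seq 109, length 40
20:01:10.453923 IP 151.164.1.8 > 172.16.5.178: ICMP echo reply, id 1, seq 109, length 40
"""

# tcpdump's ICMP echo summary line; tolerate the missing space in "seq 107,length".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+),\s*length \d+"
)

# The four packets one echo should produce on a SNATing router, in order.
STAGES = [
    ("lan_request", LAN_HOST, FAR_HOST, "request"),  # inside host -> router
    ("nat_request", NAT_ADDR, FAR_HOST, "request"),  # router -> far host, source rewritten
    ("nat_reply",   FAR_HOST, NAT_ADDR, "reply"),    # far host -> router
    ("lan_reply",   FAR_HOST, LAN_HOST, "reply"),    # router -> inside host, destination restored
]

def parse_echoes(text):
    """Group ICMP echo lines by (id, seq) into {stage: timestamp}."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore non-ICMP or unparsable lines
        for stage, src, dst, kind in STAGES:
            if (m["src"], m["dst"], m["kind"]) == (src, dst, kind):
                flows[(int(m["id"]), int(m["seq"]))][stage] = m["ts"]
    return flows

def classify(flows):
    """Per echo: 'ok' if all four stages were seen, else the first stage missing."""
    result = {}
    for key, seen in sorted(flows.items()):
        missing = [stage for stage, *_ in STAGES if stage not in seen]
        result[key] = "ok" if not missing else f"missing {missing[0]}"
    return result
```

For the sample, seq 107 is reported as "missing nat_request", i.e. the packet reached the router but was never forwarded with the translated source, which is where Tom's LOGALLNEW=info run and the tcpdump -e MAC check would be expected to show what happened.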