Hi,
My firewall is a machine running Debian Squeeze with shorewall 4.4.11.6.
/etc/shorewall/policy says this:
loc $FW ACCEPT
loc loc ACCEPT
loc net ACCEPT
$FW net ACCEPT
$FW loc ACCEPT
net all DROP # info
all all REJECT # warn
I have an ipod touch on 192.168.10.20. It has Skype for the iphone/ipod
on it. When Skype is connected I get a lot of messages in the log like
this:
[2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0
I find this a bit weird due to the policy saying connections from "loc"
to "net" should be accepted, so I'm guessing it has to do with the "SYN
FIN" flags on the packets? How would I allow these packets through?
I've tried googling this and I'm not having any luck. I also tried some
stuff with my rules file but it doesn't seem to change anything.
Thanks,
Dale
Additional info as requested:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 00:25:22:20:ed:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0
inet6 fe80::225:22ff:fe20:ede0/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:50:43:00:9c:51 brd ff:ff:ff:ff:ff:ff
inet 64.30.73.192/20 brd 64.30.79.255 scope global eth1
inet6 fe80::250:43ff:fe00:9c51/64 scope link
valid_lft forever preferred_lft forever
# ip route show
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.1
64.30.64.0/20 dev eth1 proto kernel scope link src 64.30.73.192 metric 1
default via 64.30.64.1 dev eth1 proto static
--
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin
------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
On 3/13/11 9:10 AM, Dale E. Martin wrote:
> I have an ipod touch on 192.168.10.20. It has Skype for the iphone/ipod
> on it. When Skype is connected I get a lot of messages in the log like
> this:
> [2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0
> [2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0
> [2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0
>
> I find this a bit weird due to the policy saying connections from "loc"
> to "net" should be accepted, so I'm guessing it has to do with the "SYN
> FIN" flags on the packets? How would I allow these packets through?
> I've tried googling this and I'm not having any luck. I also tried some
> stuff with my rules file but it doesn't seem to change anything.

From Shorewall FAQ 17:

    logflags

    The packet is being logged because it failed the checks
    implemented by the tcpflags interface option.

So if you want to allow those bogus packets, turn off 'tcpflags' on eth0.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 3/13/2011 12:46 PM, Tom Eastep wrote:
> From Shorewall FAQ 17:
>
>     logflags
>
>     The packet is being logged because it failed the checks
>     implemented by the tcpflags interface option.
>
> So if you want to allow those bogus packets, turn off 'tcpflags' on eth0.

Any idea if this is "normal" for Skype? I'm surprised to not find more
info about it on google.

I hate to turn this off for the whole interface - it looks like I can't
do it just for the affected IPs on that interface?

Thanks,
Dale
On 3/14/11 5:41 PM, Dale E. Martin wrote:
> On 3/13/2011 12:46 PM, Tom Eastep wrote:
>> From Shorewall FAQ 17:
>>
>>     logflags
>>
>>     The packet is being logged because it failed the checks
>>     implemented by the tcpflags interface option.
>>
>> So if you want to allow those bogus packets, turn off 'tcpflags' on eth0.
>
> Any idea if this is "normal" for Skype? I'm surprised to not find more
> info about it on google.

No idea.

> I hate to turn this off for the whole interface - it looks like I can't
> do it just for the affected IPs on that interface?

No you cannot.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
"Dale E. Martin" <dale@the-martins.org> wrote:
> On 3/13/2011 12:46 PM, Tom Eastep wrote:
>> From Shorewall FAQ 17:
>>
>>     logflags
>>
>>     The packet is being logged because it failed the checks
>>     implemented by the tcpflags interface option.
>>
>> So if you want to allow those bogus packets, turn off 'tcpflags' on
>> eth0.
>
> Any idea if this is "normal" for Skype? I'm surprised to not find more
> info about it on google.
>
> I hate to turn this off for the whole interface - it looks like I can't
> do it just for the affected IPs on that interface?

Tcpflags is highlighting the fact that there are certain combinations of
TCP flags which are known to be illegal. The question here is whether
Skype is working correctly for you. If it is then you shouldn't be
worrying about how to let these packets through. I have a Skype phone
and I get these flags too but my testing has shown that it works
perfectly.

What I do when setting up rules is to find the firewall settings or port
details for the application and create the rules based on that. Any
packets denied after that can be safely ignored as they haven't been
listed by the vendor.

Cillian

> Thanks,
> Dale
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
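As an added example (not from the thread, and not Shorewall's own code): a small Python triage script that parses the logflags lines above, names the illegal flag combination each packet tripped, and tallies drops per source, destination and port, which is the "is this one host doing something odd, or everything?" check Tom's and Cillian's replies point at before touching the interface option. The rule set, the function names and the sample lines (copied from the thread) are this example's own assumptions; your Shorewall version's tcpflags chain is the authoritative list.

```python
import re
from collections import Counter

# Constructed sample: the three logflags lines from the thread, unwrapped.
LOG_LINES = [
    "[2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
    "[2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
    "[2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
]

TCP_FLAGS = ("SYN", "FIN", "RST", "PSH", "ACK", "URG")

# Assumed rule set: the classic bogus-flag combinations (SYN+FIN is the one
# in the thread). Your Shorewall version's tcpflags chain is authoritative.
BOGUS_RULES = {
    "SYN+FIN": lambda f: {"SYN", "FIN"} <= f,
    "SYN+RST": lambda f: {"SYN", "RST"} <= f,
    "FIN+PSH+URG (xmas)": lambda f: {"FIN", "PSH", "URG"} <= f,
    "no flags (null)": lambda f: not f,
}

def parse_line(line):
    """Return the KEY=VALUE fields of a kernel log line plus its TCP flags."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    tokens = set(line.split())  # flags are bare tokens such as "SYN FIN"
    fields["flags"] = frozenset(t for t in TCP_FLAGS if t in tokens)
    return fields

def classify(flags):
    """Name the bogus-combination rule the flag set trips, or None if legal."""
    for name, rule in BOGUS_RULES.items():
        if rule(set(flags)):
            return name
    return None

def triage(lines):
    """Tally logflags drops per (src, dst, tripped rule, dst port)."""
    counts = Counter()
    for line in lines:
        if "Shorewall:logflags:" not in line:
            continue
        f = parse_line(line)
        if f.get("PROTO") != "TCP":
            continue
        rule = classify(f["flags"]) or "unmatched"
        counts[(f["SRC"], f["DST"], rule, int(f["DPT"]))] += 1
    return counts
```

Feed triage() your syslog or dmesg output instead of LOG_LINES to see whether the drops cluster on one host and destination (as they do here, all SYN+FIN from 192.168.10.20) or are spread across the LAN, which decides whether the application is simply misbehaving or something else is going on.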