Shorewall users - Apr 2011 - Non-Masqueraded Addresses in Packets Outside of Shorewall

First, thank you Tom.  Shorewall is terrific.  We installed it two weeks ago on
our Ubuntu firewall box and things went very smoothly.  We use a pretty
standard 3 zone firewall configuration with a DMZ zone and NAT-ing. The
documentation was extremely helpful and everything is working great...

...except...

We were tracking down a different issue yesterday using an external laptop with
Wireshark to examine packets as they come out of the firewall and noticed that
several times a second we get packets with a source address of 10.1.1.x (our
DMZ''s address space).

FWIW, here are the masq and nat settings we are currently using:

############################# masq ##########################
#INTERFACE		SOURCE		ADDRESS
eth0			10.1.1.0/24	66.150.___.___
eth1			10.9.9.0/24	detect

############################## nat #############################
#EXTERNAL	INTERFACE	INTERNAL	ALL?	LOCAL?
66.150.___.___	eth0		10.1.1.130	no	yes


Given that the link does over 400Megabits per second, that means that _most_ of
the packets are being translated correctly, but an interesting number of them
are "leaking" out with the 10.1.1.x source address.  Many of those are
RST
packets coming at the very end of a TCP conversation.  The frequency of these
10.1.1.x packets seems to be random.

If this is a common situation with an easy solution, my apologies but I
didn''t
find anything in the FAQs or the newsgroup archives.  (Coming up with a good,
selective search phrase for this issue was challenging.)

So my first question to the group is:  Have you heard of this kind of thing
before?  Is there an area/topic I should review closely to see if I made a 
Shorewall or sysctl config mistake?

If not, I''ll be happy to upload _all_ the gory details of our
configuration for
people to study.  I just wanted to quickly see if this rings a bell with anyone
first.

Thanks in advance,
- Chip




------------------------------------------------------------------------------
Xperia(TM) PLAY
It''s a major breakthrough. An authentic gaming
smartphone on the nation''s most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

On 4/6/11 3:16 PM, Chip Anderson wrote:
> 
> Given that the link does over 400Megabits per second, that means that
_most_ of
> the packets are being translated correctly, but an interesting number of
them
> are "leaking" out with the 10.1.1.x source address.  Many of
those are RST
> packets coming at the very end of a TCP conversation.  The frequency of
these
> 10.1.1.x packets seems to be random.
> 
> If this is a common situation with an easy solution, my apologies but I
didn''t
> find anything in the FAQs or the newsgroup archives.  (Coming up with a
good,
> selective search phrase for this issue was challenging.)
> 
> So my first question to the group is:  Have you heard of this kind of thing
> before?  Is there an area/topic I should review closely to see if I made a 
> Shorewall or sysctl config mistake?
> 
> If not, I''ll be happy to upload _all_ the gory details of our
configuration for
> people to study.  I just wanted to quickly see if this rings a bell with
anyone
> first.
This is most likely due to the packets sent from the DMZ being
classified as ''invalid'' by Netfilter''s connection
tracker.

See if this rule doesn''t eliminate these packets:

	dropInvalid	dmz	net

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Xperia(TM) PLAY
It''s a major breakthrough. An authentic gaming
smartphone on the nation''s most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

On 4/6/11 4:52 PM, Tom Eastep wrote:
> This is most likely due to the packets sent from the DMZ being
> classified as ''invalid'' by Netfilter''s
connection tracker.
>
> See if this rule doesn''t eliminate these packets:
>
>       dropInvalid     dmz     net
>
> -Tom

Thanks Tom.  That did the trick.

- Chip


------------------------------------------------------------------------------
Xperia(TM) PLAY
It''s a major breakthrough. An authentic gaming
smartphone on the nation''s most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev