I hope you can help me. I've been using ESb4 and its
predecessors for about two years and decided it's time
to upgrade to a more modern LEAF. I downloaded Bering
V1.0-rc3 and documentation and made the suggested
changes for my particular situation: several
workstations behind LEAF, which is handling the pppoe
connection to the ISP through the ADSL modem. No port
forwarding going on. The pppoe link came up without a
hitch but packet forwarding is not working.

Symptoms:
1. I can ping the firewall from a workstation and can
browse the weblet (nice improvements there, BTW).
2. I can ping the workstations and external sites from
the firewall.
3. I *can't* ping ("unreachable destination") external
sites by IP from the workstations through the
firewall. It also causes a reject in the logs. See
excerpt from logs below.
4. I *can't* ping (long delay and eventual "unknown
host xxxxxxx") an external site by name. It also
causes a flurry of rejects in the logs as dnscache
tries to hit the root nameservers (which seems at odds
with #2, above). See excerpt from logs below.

Examples from logs.

In response to ping from workstation, through
firewall, to internet by IP:

Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0

In response to ping from workstation, through
firewall, to internet by name:

Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39
... etc. ((many, many of these))

The only suspicious thing during bootup is a Shorewall
warning:

   Setting up Kernel Route Filtering...
      Warning: Cannot set route filtering on eth0

I went into /etc/shorewall/shorewall.conf and set route
filtering to "Yes" and that caused the warning to go
away. I also set clamp MSS to "Yes" since the
documentation mentioned similar symptoms and that it
might be needed by a braindead ISP using pppoe, which is
definitely my situation. Neither change helped the
main problem, though.

Following are some diagnostics that I hope will help.
Please let me know if there's something else I should
be looking for. Hope it doesn't wrap too badly; I'm
using Yahoo mail.

-John


=============================================
Shorewall configuration data

---------------------------------------------
/etc/shorewall/shorewall.conf: (most comments deleted)

##############################################################################
#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
##############################################################################
FW=fw
SUBSYSLOCK=/var/run/shorwall
STATEDIR=/var/lib/shorewall
ALLOWRELATED="yes"
MODULESDIR=""
LOGRATE=""
LOGBURST=""
LOGUNCLEAN=info
LOGFILE="/var/log/messages"
NAT_ENABLED="Yes"
MANGLE_ENABLED="Yes"
IP_FORWARDING="On"
ADD_IP_ALIASES="Yes"
ADD_SNAT_ALIASES="No"
TC_ENABLED="No"
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS="No"
ROUTE_FILTER="No"
NAT_BEFORE_RULES="Yes"

----------------------------------------------
/etc/shorewall/zones

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks

------------------------------------------------
/etc/shorewall/interfaces
#ZONE    INTERFACE      BROADCAST       OPTIONS
#net     eth0           detect          dhcp,routefilter,norfc1918
net     eth0            detect          routefilter,norfc1918
loc     eth1            detect          routestopped

-----------------------------------------------
/etc/shorewall/rules

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE    ORIGINAL
#                                               PORT    PORT(S)   DEST
# Accept DNS connections from the firewall to the
network
#
ACCEPT          fw        net           tcp     53
ACCEPT          fw        net           udp     53
#
# Accept SSH connections from the local network for
administration
#
ACCEPT          loc       fw            tcp     22

# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc       fw            udp     53
ACCEPT          loc       fw            tcp     80

------------------------------------------------
/etc/shorewall/masq

#INTERFACE              SUBNET          ADDRESS
eth0                    eth1




=============================================
ESbeta4 versus Bering setup

OLD = ESbeta4 output
NEW = Bering v1.0-rc3 output

OLD ip route show

10.1.61.1 dev ppp0  proto kernel  scope link  src 138.88.7.20
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 10.1.61.1 dev ppp0

NEW ip route show

10.1.61.1 dev ppp0  proto kernel  scope link  src 138.88.132.42
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 10.1.61.1 dev ppp0

-------------------------------------------

OLD ip addr show

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0c:21:7f:ec brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp
    inet 138.88.7.20 peer 10.1.61.1/32 scope global ppp0

NEW ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 138.88.132.42 peer 10.1.61.1/32 scope global ppp0

----------------------------------------------

OLD ip -s link show

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    25240      252      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    25240      252      0       0       0       0
2: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0c:21:7f:ec brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    22409531   27249    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1771691    18727    0       0       0       2
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1778804    19448    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    22202377   27933    0       0       0       1
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp
    RX: bytes  packets  errors  dropped overrun mcast
    25561907   27245    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1847337    18725    0       0       0       0

NEW ip -s link show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    28704      312      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    28704      312      0       0       0       0
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:00:64:c4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    3368       56       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1829       56       0       0       0       0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:08:78:81 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    21586      223      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    96004      192      0       0       0       0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    RX: bytes  packets  errors  dropped overrun mcast
    114        3        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    30         3        0       0       0       0

------------------------------------------------------

OLD /etc/nsswitch.conf

passwd:         files
group:          files
shadow:         files
hosts:          files dns
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files

NEW /etc/nsswitch.conf

passwd:         files
group:          files
shadow:         files
hosts:          files dns
networks:       files
protocols:      files
services:       files
ethers:         files
rpc:            files
netgroup:       files

----------------------------------------------------

OLD /etc/resolv.conf

search          private.network
nameserver      192.168.1.254
nameserver      127.0.0.1

NEW /etc/resolv.conf

nameserver 127.0.0.1
nameserver 192.168.1.254

---------------------------------------------------

OLD free

        total:    used:    free:  shared: buffers:  cached:
Mem:  15056896 13254656  1802240  7413760  4542464  2899968
Swap:        0        0        0
MemTotal:     14704 kB
MemFree:       1760 kB
MemShared:     7240 kB
Buffers:       4436 kB
Cached:        2832 kB
SwapTotal:        0 kB
SwapFree:         0 kB

NEW free

              total         used         free       shared      buffers
  Mem:        14448         7460         6988            0           36
 Swap:            0            0            0
Total:        14448         7460         6988

----------------------------------------------------

OLD df

Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/ram0               8102    4279     3823     53%  /
/dev/ram1               1009      31      978      3%  /var/log

NEW df

Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 6144      3416      2728  56% /
tmpfs                     7224         0      7224   0% /tmp
tmpfs                     2048       204      1844  10% /var/log

-----------------------------------------------------

OLD firewall rules (most vertical white space removed)

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  ppp0                   0.0.0.0/0            127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  ppp0                   0.0.0.0/0            192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  ppp0                   204.108.8.0/24       0.0.0.0/0             * ->   22
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  ppp0                   204.108.8.0/24       0.0.0.0/0             * ->   443
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   113
  214  124K ACCEPT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
    0     0 REJECT     udp  ----l- 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 DENY       udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   67
   34  8314 ACCEPT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
    7   588 ACCEPT     icmp ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             n/a
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             * ->   161:162
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             161:162 ->   *
  323 50124 ACCEPT     all  ------ 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             5 ->   *
  207 38892 MASQ       all  ------ 0xFF 0x00  ppp0                   192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy DENY: 21 packets, 1539 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source                destination           ports
  582  180K fairq      all  ------ 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   0.0.0.0              0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   0.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  ppp0                   240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  ppp0                   192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  ppp0                   0.0.0.0/0            0.0.0.0/0             135 ->   *
  582  180K ACCEPT     all  ------ 0xFF 0x00  *                      0.0.0.0/0            0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname  mark  outsize  source                destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             179 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             * ->   53
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             53 ->   *
   48  3035 RETURN     udp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             * ->   53
   23  3374 RETURN     udp  ------ 0xFF 0x00  *       0x1            0.0.0.0/0            0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x2            0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x2            0.0.0.0/0            0.0.0.0/0             23 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x2            0.0.0.0/0            0.0.0.0/0             * ->   22
    0     0 RETURN     tcp  ------ 0xFF 0x00  *       0x2            0.0.0.0/0            0.0.0.0/0             22 ->   *
PortFW:
prot localaddr            rediraddr               lport    rport  pcnt  pref
MarkFW:
fwmark   rediraddr               rport  pcnt  pref
AutoFW:
Type Prot Low  High Vis  Hid  Where    Last     CPto CPrt Timer Flags





NEW firewall rules

Shorewall-1.3.1 Chain  at firewall - Sun Aug  4 15:39:54 UTC 2002
Chain INPUT (policy DROP 11 packets, 718 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_in    ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 eth0_fwd   ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x04/0x04
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
    0     0 DROP       ah   --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       ah   --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state NEW
    0     0 DROP       ah   --  *      *       0.0.0.0/0            192.168.1.255
Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    ah   --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 rfc1918    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 net2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 loc2net    ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 loc2fw     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 all2all    ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain logdrop (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       ah   --  *      *       0.0.0.0/0            0.0.0.0/0
Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     ah   --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       ah   --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    ah   --  *      *       0.0.0.0/8            0.0.0.0/0
    0     0 logdrop    ah   --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    ah   --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    ah   --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    ah   --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    ah   --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    ah   --  *      *       240.0.0.0/4          0.0.0.0/0



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

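Added example (not part of the original post, and not code from Shorewall or LEAF): a small Python script that parses Shorewall log lines of the form quoted in the post and cross-checks the IN=/OUT= interfaces against /etc/shorewall/interfaces. It reports any interface that carried rejected traffic but is assigned to no zone, and tallies rejects by chain, disposition, interface pair, protocol and destination port. Run against the two log lines and the interfaces file from the post it flags ppp0, which appears as OUT= in every reject and as the default route, but which the quoted interfaces and masq files never name (both list only eth0 and eth1). The sample inputs are embedded inline and were constructed from the text of the post; the function names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample input (not captured from the original poster's box):
# the two log lines follow the form of the excerpts quoted in the post,
# unwrapped onto one line each; the interfaces file is the one quoted there.
SAMPLE_LOG = """\
Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0
Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
"""

SAMPLE_INTERFACES = """\
#ZONE    INTERFACE      BROADCAST       OPTIONS
#net     eth0           detect          dhcp,routefilter,norfc1918
net     eth0            detect          routefilter,norfc1918
loc     eth1            detect          routestopped
"""

# Shorewall 1.3 log prefix: "Shorewall:<chain>:<disposition>:" followed by
# the netfilter LOG target's KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_interfaces(text: str) -> Dict[str, str]:
    """Return {interface: zone} from /etc/shorewall/interfaces, ignoring comments."""
    zones: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            zones[fields[1]] = fields[0]
    return zones


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse Shorewall LOG lines into dicts of chain, disposition and KEY=VALUE fields."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = {"CHAIN": m.group("chain"), "DISP": m.group("disp")}
        for token in m.group("rest").split():
            key, sep, value = token.partition("=")
            if not sep:
                # Bare flags such as DF carry no value.
                entry[key] = "1"
            else:
                # ICMP lines carry two ID= fields (IP header first, then ICMP);
                # keep the first so ID stays the IP identification.
                entry.setdefault(key, value)
        entries.append(entry)
    return entries


def unzoned_interfaces(entries: List[Dict[str, str]], zones: Dict[str, str]) -> Set[str]:
    """Interfaces seen as IN=/OUT= of rejected traffic that belong to no zone."""
    missing: Set[str] = set()
    for e in entries:
        for key in ("IN", "OUT"):
            iface = e.get(key, "")
            if iface and iface not in zones:
                missing.add(iface)
    return missing


def summarize(entries: List[Dict[str, str]]) -> Counter:
    """Count rejects by (chain, disposition, in, out, proto, dest port)."""
    return Counter(
        (e["CHAIN"], e["DISP"], e.get("IN", ""), e.get("OUT", ""),
         e.get("PROTO", ""), e.get("DPT", ""))
        for e in entries
    )


if __name__ == "__main__":
    zones = parse_interfaces(SAMPLE_INTERFACES)
    entries = parse_log(SAMPLE_LOG)
    for key, count in summarize(entries).items():
        print(f"{count:5d}  {'/'.join(key)}")
    for iface in sorted(unzoned_interfaces(entries, zones)):
        print(f"interface {iface} appears in the log but has no zone in /etc/shorewall/interfaces")
```

To use it on a live box, replace the two constructed strings with the contents of /var/log/messages and /etc/shorewall/interfaces; the same check extends to the masq file, since an interface that routes the default path but is named in neither file will show up in every FORWARD and OUTPUT reject exactly as ppp0 does here.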