> One final suggestion -- you might consider checking the rulesets again
> (either in this fashion or the one Tom suggested, though I don't know
if
> I'll be able to interpret Shorewall-specific reports) after some time
has
> elapsed, just to be sure that the Samba retransmit failures have
actually
> occurred ... the packet counts in what you posted were generally low,
> implying that the firewall had not been active for very long, possibly
not
> long enough for the problem to occur.
>
[JShorewall-1.3.10 Status at firewall - Thu Dec 5 02:30:20 UTC 2002
Counters reset Thu Dec 5 01:15:12 UTC 2002
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0
0.0.0.0/0
160 35256 ppp0_in ah -- ppp0 * 0.0.0.0/0
0.0.0.0/0
488 49761 eth1_in ah -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 ppp_in ah -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
339 16148 TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
331K 487M ppp0_fwd ah -- ppp0 * 0.0.0.0/0
0.0.0.0/0
172K 6996K eth1_fwd ah -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 ppp_fwd ah -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 21 packets, 2208 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
0 0 ACCEPT ah -- * lo 0.0.0.0/0
0.0.0.0/0
17 3682 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW,RELATED,ESTABLISHED
145 9073 fw2net ah -- * ppp0 0.0.0.0/0
0.0.0.0/0
340 34308 fw2loc ah -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 fw2loc ah -- * ppp+ 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source
destination
0 0 icmpdef icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
13 1014 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0
224.0.0.0/4
2 120 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0
192.168.1.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source
destination
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source
destination
172K 6996K dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
172K 6996K loc2net ah -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 loc2loc ah -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 loc2loc ah -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source
destination
488 49761 dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
488 49761 loc2fw ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (2 references)
pkts bytes target prot opt in out source
destination
255 17273 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
85 17035 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp spt:137 dpts:1024:65535
0 0 all2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
2 80 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
143 8993 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 all2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
Chain loc2fw (2 references)
pkts bytes target prot opt in out source
destination
205 17905 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
7 424 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:80
233 29368 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:137
43 2064 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:139
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp spt:137 dpts:1024:65535
0 0 all2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2loc (4 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source
destination
172K 6986K ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
46 1840 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
173 8304 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source
destination
331K 487M ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
19 1350 common ah -- * * 0.0.0.0/0
0.0.0.0/0
4 216 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
4 216 DROP ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
141 33906 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
19 1350 net2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source
destination
46 1840 DROP ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source
destination
331K 487M dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
331K 487M net2all ah -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 net2all ah -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source
destination
160 35256 dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
160 35256 net2fw ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 loc2net ah -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 loc2loc ah -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 loc2loc ah -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain ppp_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 loc2fw ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source
destination
2 120 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Dec 5 01:54:23 net2all:DROP:IN=ppp0 OUT= SRC=xxx.212.216.11
DST=xxx.193.187.112 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=34666 DF
PROTO=TCP SPT=3227 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 5 01:54:26 net2all:DROP:IN=ppp0 OUT= SRC=xxx.212.216.11
DST=xxx.193.187.112 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=35367 DF
PROTO=TCP SPT=3227 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 5 02:25:45 net2all:DROP:IN=ppp0 OUT= SRC=xxx.121.247.225
DST=xxx.193.187.112 LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=17398 DF
PROTO=TCP SPT=37688 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 02:26:23 net2all:DROP:IN=ppp0 OUT= SRC=xxx.52.72.215
DST=xxx.193.187.112 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=32962 DF
PROTO=TCP SPT=2539 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Chain PREROUTING (policy ACCEPT 317 packets, 19449 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 178 packets, 15635 bytes)
pkts bytes target prot opt in out source
destination
309 16945 ppp0_masq ah -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 176 packets, 15555 bytes)
pkts bytes target prot opt in out source
destination
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source
destination
164 7872 MASQUERADE ah -- * * 192.168.1.0/24
0.0.0.0/0
Chain PREROUTING (policy ACCEPT 504K packets, 495M bytes)
pkts bytes target prot opt in out source
destination
504K 495M pretos ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 655 packets, 85815 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 503K packets, 494M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 530 packets, 50069 bytes)
pkts bytes target prot opt in out source
destination
503 47282 outtos ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 504K packets, 495M bytes)
pkts bytes target prot opt in out source
destination
Chain outtos (1 references)
pkts bytes target prot opt in out source
destination
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source
destination
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
17 848 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
20 1594 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 27 TIME_WAIT src=192.168.1.1 dst=192.168.1.254 sport=1568
dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=1568
[ASSURED] use=1
tcp 6 29 TIME_WAIT src=192.168.1.1 dst=192.168.1.254 sport=1569
dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=1569
[ASSURED] use=1
tcp 6 40 TIME_WAIT src=192.168.1.1 dst=192.168.1.254 sport=1570
dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=1570
[ASSURED] use=1
tcp 6 42 TIME_WAIT src=192.168.1.1 dst=192.168.1.254 sport=1571
dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=1571
[ASSURED] use=1
tcp 6 118 TIME_WAIT src=192.168.1.1 dst=192.168.1.254 sport=1572
dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=1572
[ASSURED] use=1
udp 17 28 src=192.168.1.254 dst=192.168.1.1 sport=138 dport=138
[UNREPLIED] src=192.168.1.1 dst=192.168.1.254 sport=138 dport=138 use=1
udp 17 29 src=192.168.1.1 dst=192.168.1.255 sport=137 dport=137
[UNREPLIED] src=192.168.1.255 dst=192.168.1.1 sport=137 dport=137 use=1
udp 17 28 src=192.168.1.1 dst=192.168.1.255 sport=138 dport=138
[UNREPLIED] src=192.168.1.255 dst=192.168.1.1 sport=138 dport=138 use=1
Which place must I change?
My /etc/shorewall/ flies:
Shorewall 1.3.10
/etc/shorewall/interfaces
net ppp0 - noping
loc eth1 detect routestopped
loc ppp+
/etc/shorewall/policy
loc loc ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/rules
ACCEPT net fw tcp 1723
ACCEPT net fw 47 -
ACCEPT fw net 47 -
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139
ACCEPT loc fw udp 1024: 137
/etc/shorewall/masq
ppp0 eth1
/etc/shorewall/tunnels
pptpserver net 0.0.0.0/0
Thanks,
-Youngdo
-------------------------------------------------------
This SF.net email is sponsored by: Microsoft Visual Studio.NET
comprehensive development tool, built to increase your
productivity. Try a free online hosted session at:
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
