I've somehow managed to break Bittorrent downloads on my firewall. I had it all working before, but now downloads have slowed to a crawl and I am getting thousands of rejected packet messages in my log file that look like this:
    Dec 8 05:37:59 creaky Shorewall:all2all:REJECT: IN=eth1 OUT= MAC=00:40:f4:19:d7:a0:00:05:5d:d2:6d:e6:08:00 SRC=192.168.1.17 DST=216.138.194.169 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=46728 CE DF PROTO=TCP SPT=4488 DPT=18995 SEQ=2541448999 ACK=0 WINDOW=65535 SYN URGP=0

I'm also getting large numbers of ones like this:

    Dec 8 05:39:29 creaky Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=72.56.66.199 DST=216.138.194.169 LEN=76 TOS=00 PREC=0x00 TTL=53 ID=32055 PROTO=ICMP TYPE=3 CODE=1

Clearly I've misconfigured something, but I'm not sure what. Here's my setup: I have LEAF running on an old 486 box (creaky) at 192.168.1.254, while my bittorrent client (bitcomet, if it matters) is running at 192.168.1.17 (binky). I have a single static IP address (216.138.194.169), so I'm using DNAT in shorewall to forward port 18995 (which bitcomet is configured to listen on) to binky. The local network is on eth1, while my ADSL modem is connected to eth0. I'm not sure what version of LEAF I am using (nor how to find out) but it's certainly not the latest. The version of Shorewall it's using is 1.4.10c, which is rather old I know, but this setup did work once before. I would be willing to upgrade if necessary, but I've been reluctant to bring down the network long enough to do so (my wife has her business on the local net.) Anyway, there is the added complication that since I sometimes use binky for other p2p tasks, it's in a nested zone (locs) inside my main internal zone (loc).
Here are the, I believe, relevant snippets from my shorewall config files:

interfaces:

    #ZONE   INTERFACE   BROADCAST       OPTIONS
    mdm     eth0        192.168.7.255
    net     ppp0        -               routefilter,norfc1918,blacklist
    loc     eth1        192.168.1.255   routeback,newnotsyn
    dmz     eth2        192.168.2.255
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones:

    #ZONE   DISPLAY       COMMENTS
    mdm     Modem         ADSL Modem config interface
    net     Net           Internet
    locs    LocalServer   Internal File Sharing server (inside local zone)
    loc     Local         Local networks
    dmz     DMZ           Demilitarized zone

hosts:

    #ZONE   HOST(S)              OPTIONS
    locs    eth1:192.168.1.17    routeback
    mdm     ppp0:192.168.7.1
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

policy:

    #SOURCE   DEST   POLICY     LOG LEVEL   LIMIT:BURST
    locs      loc    ACCEPT
    loc       locs   ACCEPT
    locs      all    CONTINUE
    all       locs   CONTINUE
    loc       net    ACCEPT
    all       mdm    DROP       ULOG
    mdm       all    DROP       ULOG
    net       all    DROP       ULOG
    all       all    REJECT     ULOG
    #LAST LINE -- DO NOT REMOVE

rules:

    DNAT   net   locs:192.168.1.17   tcp   bitcomet
    DNAT   net   locs:192.168.1.17   udp   bitcomet

So, there you have it. The only changes I've made recently (other than endless fiddling trying to fix this problem before coming here), was to add the mdm zone in an attempt to be able to reach the config interface on my ADSL modem from the local network (it's not working either. Any insights on that would be appreciated as well.) Any help at all in resolving this will be much appreciated.
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
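A log-triage script added here as an example; it is not part of the poster's message and not code from LEAF or Shorewall. It parses netfilter log entries of the shape quoted above into a dict (chain, disposition, and every KEY=VALUE field), tallies REJECT/DROP entries by chain, ingress interface, addresses, protocol and destination port, and separately counts packets that entered on the LAN interface but were addressed to the firewall's own external IP. That last check matters for a DNAT setup: in Shorewall a rule whose SOURCE is `net` only matches packets arriving from the net zone, while a LAN host talking to the public address is loc (here locs) to fw traffic and is decided by the policy for that pair. The external address `216.138.194.169` and interface name `eth1` are taken from the post; the sample input reuses the two quoted log lines plus one constructed variant so the tally shows a count above one.

```python
import re
from collections import Counter

# Netfilter entries logged by Shorewall look like
#   "... Shorewall:<chain>:<disposition>: KEY=VALUE KEY=VALUE ... FLAG FLAG"
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):\s*(?P<fields>.*)$")
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")

# Values taken from the post: the single static IP and the LAN-side interface.
EXTERNAL_IP = "216.138.194.169"
INTERNAL_IFACES = ("eth1",)

# Sample input: the two lines quoted in the post plus one constructed variant
# (same LAN host, different source port) so the tally shows a count above 1.
SAMPLE_LOG = [
    "Dec 8 05:37:59 creaky Shorewall:all2all:REJECT: IN=eth1 OUT= "
    "MAC=00:40:f4:19:d7:a0:00:05:5d:d2:6d:e6:08:00 SRC=192.168.1.17 DST=216.138.194.169 "
    "LEN=48 TOS=00 PREC=0x00 TTL=128 ID=46728 CE DF PROTO=TCP SPT=4488 DPT=18995 "
    "SEQ=2541448999 ACK=0 WINDOW=65535 SYN URGP=0",
    "Dec 8 05:39:29 creaky Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=72.56.66.199 "
    "DST=216.138.194.169 LEN=76 TOS=00 PREC=0x00 TTL=53 ID=32055 PROTO=ICMP TYPE=3 CODE=1",
    # constructed: a second SYN from the same LAN host to the same public port
    "Dec 8 05:38:04 creaky Shorewall:all2all:REJECT: IN=eth1 OUT= "
    "MAC=00:40:f4:19:d7:a0:00:05:5d:d2:6d:e6:08:00 SRC=192.168.1.17 DST=216.138.194.169 "
    "LEN=48 TOS=00 PREC=0x00 TTL=128 ID=46731 CE DF PROTO=TCP SPT=4491 DPT=18995 "
    "SEQ=2541451000 ACK=0 WINDOW=65535 SYN URGP=0",
]


def parse_line(line):
    """Return a dict with 'chain', 'action' and every KEY=VALUE field, or None
    when the line is not a Shorewall log entry. Bare flags (SYN, DF, CE) are skipped."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for kv in KV_RE.finditer(m.group("fields")):
        rec[kv.group("key")] = kv.group("val")
    return rec


def summarize(lines):
    """Tally REJECT/DROP entries by chain, disposition, ingress interface,
    source, destination, protocol and destination port (ICMP type for ICMP)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in ("REJECT", "DROP"):
            continue
        port = rec.get("DPT") or rec.get("TYPE", "")
        key = (rec["chain"], rec["action"], rec.get("IN", ""), rec.get("SRC", ""),
               rec.get("DST", ""), rec.get("PROTO", ""), port)
        counts[key] += 1
    return counts


def hairpin_hits(lines, external_ip=EXTERNAL_IP, internal_ifaces=INTERNAL_IFACES):
    """Count entries that came in on a LAN interface but were addressed to the
    firewall's own external IP. Those packets are LAN-zone-to-fw traffic, so a
    DNAT rule with source zone 'net' never matches them."""
    hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec.get("IN") in internal_ifaces and rec.get("DST") == external_ip:
            hits += 1
    return hits


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print("LAN packets addressed to the external IP:", hairpin_hits(SAMPLE_LOG))
```

Run it against a real syslog extract by replacing `SAMPLE_LOG` with the file's lines; the per-key tally shows at a glance which chain is rejecting what, and a non-zero `hairpin_hits` count singles out the LAN-to-public-address case from ordinary inbound drops such as the ICMP entry.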