On Fri, 2007-02-09 at 23:56 +0000, Andrew Suffield wrote:
> 
> The message is somewhat obtusely phrased.

Indeed.

> The kernel has received a
> packet from 64.86.88.116 to 66.11.173.224 on eth1, and it doesn't like
> the source address for whatever reason,

Or the destination address, considering that it's the destination
address for a different interface?

> so it dropped the packet. Most
> likely, 64.86.88.116 is not routable via eth1, which implies either
> your routing tables are wrong

# ip route ls
...
default 
        nexthop via 72.38.184.1  dev eth1 weight 1
        nexthop via 192.168.200.1  dev ppp0 weight 1

That should make it routable, yes?

> or you need to disable return-path
> filtering on this interface (I still haven't been paying enough
> attention to know which, but you must disable rpfilter if your routing
> is asymmetric).

Well, it should not be.  I do have two interfaces but they are in
completely different subnets with different providers.  IOW, completely
independent of each other.

That's what makes it odd that a packet could arrive on my eth1 with a
destination address of 66.11.173.224.  The Internet would not route that
destination address to my eth1 via my eth1 provider but rather to my
ppp0 via my ppp0 provider.

But that packet should not even have that destination address as it is
replying to a packet I sent via my eth1 interface and had a source
address of my eth1 interface.

In fact a tcpdump shows that at the demarcation of my eth1 interface,
addressing is indeed correct:

19:21:31.572939 IP 72.38.184.236.4697 > 64.86.88.116.3653: S 2034318562:2034318562(0) win 5648 <mss 1412,sackOK,timestamp 61683401 0,nop,wscale 2>
19:21:31.611442 IP 64.86.88.116.3653 > 72.38.184.236.4697: S 1578824716:1578824716(0) ack 2034318563 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 61683401>

So somehow, I guess, in my gateway it's having its destination address
rewritten?  That seems strange/unlikely.

> It's probably transient because the sending system notes that packets
> aren't getting through and tries a different route.

Well, the sending system has no idea that my machine has these two
different addresses, so I can't see how it would.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
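
An added example, not part of the original message or of Shorewall: a small triage script for the kernel's "martian source" log lines discussed in this thread, which flags the case raised above where the logged destination belongs to a different local interface than the one the packet arrived on. The log lines are constructed, and the interface-to-address map is an assumption (eth1 from the tcpdump above, ppp0 inferred from the remark about the destination address).

```python
import ipaddress
import re

# Kernel format: "martian source <daddr> from <saddr>, on dev <iface>".
# The first address is the packet's destination, the second its source.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)

# Assumed local addresses (see lead-in); adjust to the gateway being examined.
LOCAL_ADDRS = {"eth1": "72.38.184.236", "ppp0": "66.11.173.224"}

# Constructed sample log lines, not taken from the original message.
SAMPLE_LOG = """\
Feb  9 19:21:31 gw kernel: martian source 66.11.173.224 from 64.86.88.116, on dev eth1
Feb  9 19:21:40 gw kernel: martian source 72.38.184.236 from 64.86.88.116, on dev eth1
Feb  9 19:22:02 gw kernel: martian source 72.38.184.236 from 127.0.0.1, on dev eth1
Feb  9 19:22:05 gw kernel: eth1: link up
"""


def classify(line, local_addrs=LOCAL_ADDRS):
    """Return a triage record for one log line, or None if it is not a martian line."""
    m = MARTIAN_RE.search(line)
    if m is None:
        return None
    dst, src, dev = m.group("dst", "src", "dev")
    # Which local interface, if any, owns the logged destination address?
    owner = next((i for i, a in local_addrs.items() if a == dst), None)
    if ipaddress.ip_address(src).is_loopback:
        hint = "source-is-loopback"             # never valid on the wire
    elif owner is not None and owner != dev:
        hint = "dst-owned-by-other-interface"   # the situation in this thread
    else:
        hint = "check-rp_filter-and-routes"     # source failed the reverse-path lookup
    return {"dev": dev, "src": src, "dst": dst, "dst_owner": owner, "hint": hint}


def classify_log(text):
    """Classify every martian line in a block of log text."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in classify_log(SAMPLE_LOG):
        print(f"{rec['dev']}: {rec['src']} -> {rec['dst']} "
              f"(dst owner: {rec['dst_owner']}) => {rec['hint']}")
```

The hints are starting points for investigation only; they do not identify the cause of the drop.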
