On Sun, 2007-02-11 at 11:04 -0800, Tom Eastep wrote:
> Alternatively, I've long suspected that rp_filter doesn't take the packet mark
> into consideration.
I would be quite surprised if rp_filter did that.
> What does "ip route get 74.111.215.93 from 72.38.184.236" give you?
# ip route get 74.111.215.93 from 72.38.184.236
74.111.215.93 from 72.38.184.236 via 72.38.184.1 dev eth1
cache mtu 1500 advmss 1460 metric 10 64
> From your 'shorewall dump':
>
> Chain eth1_masq (1 references)
>  pkts bytes target prot opt in  out source         destination
> ...
>     3   456 SNAT   all  --  *   *   66.11.173.224  0.0.0.0/0   policy match dir out pol none to:72.38.184.236
>
> So the SNAT rule has been exercised at some point.
That is what I was thinking at some point too. But I can't see how, as
it's only supposed to happen on packets going out of eth1. To test,
I've added a logging rule right before that SNAT rule:
Chain eth1_masq (1 references)
num  pkts bytes target prot opt in  out source         destination
...
7       0     0 LOG    all  --  *   *   66.11.173.224  0.0.0.0/0   LOG flags 0 level 6 prefix `SNATting:'
8       4   608 SNAT   all  --  *   *   66.11.173.224  0.0.0.0/0   policy match dir out pol none to:72.38.184.236
and when I trigger the situation, though many packets were sent and many
martians logged, only a single occurrence of:
SNATting:IN= OUT=eth1 SRC=66.11.173.224 DST=74.111.215.93 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=132
and that one looks pretty legit to me.
I'm really leaning towards this being a logging anomaly/strangeness
rather than actual packet manipulation.
> If any of those connections
> was your freenet6 application,
Naw, this was plain old openvpn. I was trying to ping something on the
other end of an openvpn tunnel.
> it would explain how the ppp0 address got into
> the Martian messages.
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
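Added example, not code from the thread or from Shorewall: a small parser for the netfilter LOG line quoted in the message above, used to check the point Brian makes by eye, namely that the single logged packet is exactly what the SNAT rule in eth1_masq is meant to catch (source 66.11.173.224, leaving via eth1, locally generated because IN= is empty, and 1194/udp being OpenVPN's default port). The first input line is copied from the post; the second is constructed here to show a forwarded LAN packet the rule would not select. The rule's "policy match dir out pol none" clause (which excludes IPsec-processed packets) is not modelled.

```python
import re

# Copied from the post: the only packet that hit the LOG rule in front of SNAT.
SNAT_LOG_LINE = (
    "SNATting:IN= OUT=eth1 SRC=66.11.173.224 DST=74.111.215.93 LEN=152 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=132"
)

# Constructed line (not from the post): a forwarded ICMP echo request, in on eth0,
# out on eth1, with a private source address the SNAT rule does not match.
FORWARDED_LOG_LINE = (
    "SNATting:IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=74.111.215.93 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=4242 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1"
)

# What the SNAT rule in eth1_masq matches on (from the 'shorewall dump' in the thread).
# The out-interface constraint comes from eth1_masq only being reached for packets
# leaving eth1, not from the rule itself.
SNAT_RULE = {"src": "66.11.173.224", "out": "eth1", "to": "72.38.184.236"}

OPENVPN_DEFAULT_PORT = "1194"


def parse_nf_log(line):
    """Split a netfilter LOG target line into a dict.

    Layout produced by the kernel: optional prefix, then IP-header fields
    (IN=, OUT=, SRC=, DST=, LEN=, TOS=, ...), bare flag words (DF, SYN, ...),
    then PROTO= followed by transport-layer fields. Some transport fields reuse
    IP-header names (LEN=, ID=); a repeated key seen after PROTO= is stored as
    '<PROTO>_<KEY>' (e.g. UDP_LEN, ICMP_ID) so neither value is lost.
    """
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields = {"prefix": line[:idx], "flags": []}
    for tok in line[idx:].split():
        if "=" not in tok:
            fields["flags"].append(tok)
            continue
        key, value = tok.split("=", 1)
        if key in fields and "PROTO" in fields:
            key = "%s_%s" % (fields["PROTO"], key)
        fields[key] = value
    return fields


def is_locally_generated(pkt):
    """An empty IN= means the packet originated on this host (OUTPUT path),
    not a forwarded packet that arrived on some interface."""
    return pkt.get("IN", "") == ""


def selected_by_snat_rule(pkt, rule=SNAT_RULE):
    """Would the SNAT rule from the post pick this packet up?"""
    return pkt.get("SRC") == rule["src"] and pkt.get("OUT") == rule["out"]


def looks_like_openvpn(pkt):
    """UDP on 1194 in both directions, i.e. OpenVPN's default port."""
    return (pkt.get("PROTO") == "UDP"
            and OPENVPN_DEFAULT_PORT in (pkt.get("SPT"), pkt.get("DPT")))


def describe(pkt):
    """One-line verdict for a logged packet, in the terms used in the thread."""
    origin = "locally generated" if is_locally_generated(pkt) else "forwarded from %s" % pkt["IN"]
    verdict = "SNAT rule applies" if selected_by_snat_rule(pkt) else "SNAT rule does not apply"
    return "%s -> %s via %s (%s, %s): %s" % (
        pkt["SRC"], pkt["DST"], pkt["OUT"], pkt["PROTO"], origin, verdict)


if __name__ == "__main__":
    for line in (SNAT_LOG_LINE, FORWARDED_LOG_LINE):
        print(describe(parse_nf_log(line)))
```

Run it as a script and it prints one verdict per line; the first confirms that the logged packet is a locally generated OpenVPN datagram leaving eth1 with the pre-SNAT source, which is the normal case for that rule. A real martian message ("martian source X from Y, on dev Z") is a separate kernel log line that this parser deliberately does not handle, since it has no IN=/OUT= fields.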
