On 10/29/2013 4:15 PM, Dash Four wrote:
> A bit of background: on one of my firewall machines, there are 7
> different interfaces - 2 outward-facing, connected to the outside world
> (eth0 and tun0) and 5 inward-facing interfaces, connected to various
> internal networks (eth1-4). I also have a local zone on lo, which is
> also managed by shorewall, with various rules in existence. It is worth
> mentioning that I also have strict control of all related connections,
> with the appropriate logging set on all zones/interfaces.
>
> Now, when say, eth3 and eth4 have established connections to various IP
> addresses to the outside world via eth0 (with the appropriate
> masquerading set) and the link on eth0 drops, I get a flurry of about
> 30-40 entries in my logs consisting of icmp type 3, code 1 messages with
> source address set as the eth0 IP address and destination address set as
> the originating IP address, belonging to subnets of which my eth3 and
> eth4 interfaces are part. So far so good, and this is more or less what I
> expect to see in such instances.
>
> What is rather bizarre and a complete mystery to me, however, is that
> all of this goes through lo! Yes, that's right - I am seeing these logs
> appear on my +fw2local zone, which is responsible for packets from/to
> the local zone, consisting of a single interface - the loopback, not the
> zones which are responsible for handling packets from/to eth3 or eth4.
>
> In other words, I expected to see these packets appear in one of
> +fw2eth3, +fw2eth4, +eth02eth3 or +eth02eth4 zones, not on my +fw2local
> zone. The actual logs confirm that the out interface is indeed the
> loopback (lo), even though none of the addresses involved
> (source/destination IP addresses of either the related or the actual
> connection) are on the loopback interface.
>
> Just to make sure, I checked my OUTPUT chain and there is indeed a rule
> in it, which directs all packets going out of lo to my fw2local zone,
> and all RELATED connections then go to +fw2local.
>
> None of these packets reach their destination, which is hardly
> surprising since the out interface is the loopback. So, the big question
> is - have I done something wrong, is this a shorewall bug or is there
> something fundamentally wrong with the netfilter setup?
The OUT interface is determined when the packet is routed. Is there a
rogue route in the 'local' table or route cache when you see this problem?
ip route ls table local
ip route ls cache
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
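To make Tom's check concrete, here is a small Python helper (added for this write-up, not part of the thread or of Shorewall) that parses `ip route ls table local` output and reports which entry would decide the OUT interface for a given destination. The table below is constructed for the example; the 192.168.3.0/24 entry on dev lo is a hypothetical rogue route of the kind that would explain ICMP unreachables for eth3's subnet being logged on the loopback.

```python
"""Check the Linux 'local' routing table for entries that steer packets
to the loopback device. The kernel consults 'local' before 'main', so any
entry here that covers a destination wins the lookup and fixes the OUT
interface. On a real host, feed it the output of `ip route ls table local`."""
import ipaddress
import re

# Constructed sample output (not from the thread). The 192.168.3.0/24
# 'local' entry is a hypothetical rogue route: it would send packets for
# eth3's subnet, including the ICMP unreachables, out of lo.
SAMPLE_LOCAL_TABLE = """\
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 203.0.113.10 dev eth0 proto kernel scope host src 203.0.113.10
local 192.168.3.0/24 dev lo scope host
broadcast 192.168.3.255 dev eth3 proto kernel scope link src 192.168.3.1
"""

LINE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<prefix>[\d.]+(?:/\d+)?)\s+dev\s+(?P<dev>\S+)")

def parse_local_table(text):
    """Return (type, network, dev) tuples for each parsable route line."""
    routes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes.append((m.group("type"), net, m.group("dev")))
    return routes

def local_table_match(routes, dst):
    """Longest-prefix match for dst in the local table, or None when the
    kernel would fall through to the main table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for rtype, net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (rtype, net, dev)
    return best

def rogue_loopback_routes(routes):
    """'local' entries on dev lo outside 127.0.0.0/8: packets to those
    destinations leave via lo and never reach the wire."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [r for r in routes
            if r[0] == "local" and r[2] == "lo" and not r[1].subnet_of(loopback)]
```

On a live box, `ip route get <dst>` shows the same decision the kernel makes, and a `local` entry with dev lo that covers a remote subnet is the thing to delete.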
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
