Tom Eastep wrote: > Not true! The loopback interface is used for ANY packet sent from the > host to itself. That's a fair comment. However, in my case one address is "local", the other one is remove - that will never reach its destination and should have never been routed through the loopback, or am I missing something?
Here is one example of what I get (all "o.*" properties are for the original connection for which the icmp message was issued; "<eth0>" is my external-facing IP on eth0, "<remote_IP_eth1_subnet>" is remote internal IP which has the same subnet as eth1, "<external_IP>" is a remote host): timestamp=2013/10/09-00:04:57,raw.pktlen=576,raw.pktcount=1,oob.prefix=Shorewall:fw2local:DROP:,oob.time.sec=1381273497,oob.time.usec=72127,oob.mark=0,oob.ifindex_out=1,oob.hook=3,oob.family=2,oob.protocol=0,raw.label=0,ip.saddr=<eth0>,ip.daddr=<remote_IP_eth1_subnet>,ip.protocol=1,ip.tos=192,ip.ttl=64,ip.totlen=576,ip.ihl=5,ip.csum=31876,ip.id=53893,ip.fragoff=0,icmp.type=3,icmp.code=1,icmp.csum=30221,oob.protocol=0,o.ip.saddr=<remote_IP_eth1_subnet>,o.ip.daddr=<external_IP>,o.ip.protocol=6,o.ip.tos=0,o.ip.ttl=63,o.ip.totlen=638,o.ip.ihl=5,o.ip.csum=15844,o.ip.id=42550,o.ip.fragoff=16384,o.tcp.sport=38327,o.tcp.dport=443,o.tcp.seq=3400886979,o.tcp.ackseq=4068520201,o.tcp.window=166,o.tcp.offset=0,o.tcp.reserved=0,o.tcp.urg=0,o.tcp.ack=1,o.tcp.psh=1,o.tcp.rst=0,o.tcp.syn=0,o.tcp.fin=0,o.tcp.res1=0,o.tcp.res2=0,o.tcp.csum=26701,oob.in=,oob.out=lo,ip.saddr.str=<eth0>,ip.daddr.str=<remote_IP_eth1_subnet>,oob.protocol=0 You will notice that the output interface is the loopback and the zone is fw2local, even though the destination address has nothing whatsoever to do with the "local" zone or 127.0.0.0/8. ------------------------------------------------------------------------------ November Webinars for C, C++, Fortran Developers Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
