On 3/27/2014 8:12 AM, Hervé Werner wrote:
> Hello Tom.
> 
> Please find enclosed the requested file as well as my full
> configuration.
> 
> 
> Also I noticed that the reap option provided in the recent match is not
> detected by Shorewall whereas it seems to be available:
>         $ sudo iptables -N test
>         $ sudo iptables -A test -m recent --rcheck --seconds 10 --reap
>         $ sudo iptables -L test
>         Chain test (0 references)
>         target     prot opt source               destination         
>                    all  --  anywhere             anywhere
>         recent: CHECK seconds: 10 reap name: DEFAULT side: source mask:
>         255.255.255.255
> 
> Not sure I actually need it but this looks strange to me.
> 
>> Hello.
>>
>> As soon as I add the rpfilter option to my single interface, any
>> outgoing traffic is blocked.
>>
>> Here is my interface file:
>> net     eth0
>> dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,rpfilter
>>
>> When taking a look at the logs, I notice packets have been blocked by
>> the net-fw rule:
>>
>> Mar 26 15:46:44 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX
>> SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54
>> ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0
>>
>> This message has been triggered by pinging google.fr.
>>
>> Note that it works properly when using rp_filter.
>>
>> Please find attached my configuration files.
>>
>> Version information: 4.5.21.7

I certainly wish that you wouldn't top-post.

This dump shows no log messages of the type displayed above being
generated. The only messages that had been logged since the
configuration was restarted were out of the chain _fw-net. Given that
your setting of LOGFILE doesn't match where messages are actually being
logged, the dump does not show the messages.

Regarding 'reap':

root@gateway:~# shorewall show -f capabilities | fgrep REAP
REAP_OPTION=Yes
root@gateway:~# shorewall -vvv check | fgrep -i reap
   Recent Match "--reap" option: Available
   REAP_OPTION*
root@gateway:~# shorewall version
4.5.21.7
root@gateway:~#

I see that you are running a bleeding edge kernel -- which iptables
version are you running?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
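An added example (not from this thread or from Shorewall itself) that parses netfilter log lines in the "chain:disposition KEY=VALUE ..." format quoted above and tallies them per chain, which is the quick way to check whether the file LOGFILE points at actually contains the net-fw messages. The sample lines are constructed for this example in that format; the MAC stays as the XXXXX placeholder from the post.

```python
import re

# Constructed sample lines in the netfilter/Shorewall log format quoted in the
# thread (chain:disposition prefix, then KEY=VALUE fields); the MAC is left as the
# XXXXX placeholder the poster used, the other values are made up for this example.
SAMPLE_LOG = """\
Mar 26 15:46:44 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0
Mar 26 15:46:45 MyPC _fw-net:ACCEPT  IN= OUT=eth0 MAC= SRC=192.168.1.166 DST=173.194.40.159 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=30205 SEQ=17 MARK=0
Mar 26 15:46:46 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=35572 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=17 MARK=0
"""

# syslog timestamp, host, then "<chain>:<disposition>" followed by the field list
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<chain>\S+?):(?P<disp>[A-Z]+)\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not a netfilter log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "chain": m["chain"],
           "disposition": m["disp"]}
    # KEY=VALUE pairs; empty values (OUT=, MAC=) are kept as "". ID appears
    # twice for ICMP (IP id, then ICMP id), so a repeated key becomes a list.
    for key, val in re.findall(r"(\w+)=(\S*)", m["rest"]):
        if key in rec:
            prev = rec[key]
            rec[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            rec[key] = val
    return rec

def chain_counts(log_text):
    """Tally lines per 'chain:disposition', e.g. {'net-fw:DROP': 2}."""
    counts = {}
    for rec in map(parse_line, log_text.splitlines()):
        if rec:
            key = f"{rec['chain']}:{rec['disposition']}"
            counts[key] = counts.get(key, 0) + 1
    return counts

def drops_in_chain(log_text, chain):
    """All DROP records logged from the given chain, in file order."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r["chain"] == chain and r["disposition"] == "DROP"]

if __name__ == "__main__":
    print(chain_counts(SAMPLE_LOG))
    for r in drops_in_chain(SAMPLE_LOG, "net-fw"):
        print(r["ts"], r["IN"], r["SRC"], "->", r["DST"], r["PROTO"], "type", r.get("TYPE"))
```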
