> On 3/27/2014 8:12 AM, Hervé Werner wrote:
> > Hello Tom.
> >
> > Please find enclosed the requested file as well as my full
> > configuration.
> >
> > Also I noticed that the reap option provided in the recent match is not
> > detected by Shorewall whereas it seems to be available:
> > $ sudo iptables -N test
> > $ sudo iptables -A test -m recent --rcheck --seconds 10 --reap
> > $ sudo iptables -L test
> > Chain test (0 references)
> > target prot opt source destination
> > all -- anywhere anywhere
> > recent: CHECK seconds: 10 reap name: DEFAULT side: source mask: 255.255.255.255
> >
> > Not sure I actually need it but this looks strange to me.
> >
> >> Hello.
> >>
> >> As soon as I add the rpfilter option to my single interface, any
> >> outgoing traffic is blocked.
> >>
> >> Here is my interface file:
> >> net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,rpfilter
> >>
> >> When taking a look at the logs, I notice packets have been blocked by
> >> the net-fw rule:
> >>
> >> Mar 26 15:46:44 MyPC net-fw:DROP IN=eth0 OUT= MAC=XXXXX
> >> SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54
> >> ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0
> >>
> >> This message has been triggered by pinging google.fr.
> >>
> >> Note that it works properly when using rp_filter.
> >>
> >> Please find attached my configuration files.
> >>
> >> Version information: 4.5.21.7
>
> I certainly wish that you wouldn't top-post.
>
> This dump shows no log messages of the type displayed above being
> generated. The only messages that had been logged since the
> configuration was restarted were out of the chain _fw-net. Given that
> your setting of LOGFILE doesn't match where messages are actually being
> logged, the dump does not show the messages.
I'm sorry. Please find enclosed a full dump.

> Regarding 'reap':
>
> root@gateway:~# shorewall show -f capabilities | fgrep REAP
> REAP_OPTION=Yes
> root@gateway:~# shorewall -vvv check | fgrep -i reap
> Recent Match "--reap" option: Available
> REAP_OPTION*
> root@gateway:~# shorewall version
> 4.5.21.7
> root@gateway:~#
>
> I see that you are running a bleeding edge kernel -- which iptables
> version are you running?

Hum, it is strange:

$ sudo shorewall show -f capabilities | fgrep REAP
REAP_OPTION=Yes
$ sudo shorewall -vvv check | fgrep -i reap
Recent Match "--reap" option: Available
$ sudo shorewall dump | fgrep -i reap
Recent Match "--reap" option (REAP_OPTION): Not available
$ sudo shorewall show capabilities | fgrep REAP
Recent Match "--reap" option (REAP_OPTION): Not available

Here is my iptables version: iptables v1.4.21 (OS: Debian Jessie).
Attachment: shorewall_dump.txt.gz (application/gzip)
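As an added example that is not part of this thread or of Shorewall itself: a small Python parser for the `net-fw:DROP` log line quoted above, which pulls the chain name and the kernel's netfilter key=value fields out of the syslog line and reports which half of the ping exchange was dropped (an inbound echo reply on the net interface is the return traffic of an outbound ping). The second sample line, the `classify()` helper and the `NetfilterEvent` type are my own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# First line is the one quoted in the thread; the second is constructed to show
# the same chain dropping an inbound echo request instead of a reply.
SAMPLE_LOG = [
    "Mar 26 15:46:44 MyPC net-fw:DROP IN=eth0 OUT= MAC=XXXXX "
    "SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 "
    "ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0",
    "Mar 26 15:47:01 MyPC net-fw:DROP IN=eth0 OUT= MAC=XXXXX "
    "SRC=198.51.100.7 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=50 "
    "ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1 MARK=0",
]
# Shorewall prefixes the kernel's netfilter record with "<chain>:<disposition>".
_PREFIX = re.compile(r"(?P<chain>[\w-]+):(?P<disp>[A-Z]+)\s+(?P<rest>.*)$")
_KV = re.compile(r"([A-Z]+)=(\S*)")
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = "0", "8"

@dataclass
class NetfilterEvent:
    chain: str
    disposition: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def inbound(self) -> bool:
        # IN set and OUT empty: the packet was arriving on that interface.
        return bool(self.fields.get("IN")) and not self.fields.get("OUT")

def parse_shorewall_log(line: str) -> Optional[NetfilterEvent]:
    """Parse one syslog line produced by a Shorewall logging rule."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(m.group("rest")):
        fields.setdefault(key, value)  # ICMP lines carry ID= twice; keep the IP id
    return NetfilterEvent(m.group("chain"), m.group("disp"), fields)

def classify(ev: NetfilterEvent) -> str:
    """Describe a dropped packet in terms of the ping exchange it belongs to."""
    if ev.disposition != "DROP":
        return "not a drop"
    proto, icmp_type = ev.fields.get("PROTO"), ev.fields.get("TYPE")
    if proto == "ICMP" and ev.inbound and icmp_type == ICMP_ECHO_REPLY:
        return f"{ev.chain} dropped inbound echo reply from {ev.fields['SRC']}"
    if proto == "ICMP" and ev.inbound and icmp_type == ICMP_ECHO_REQUEST:
        return f"{ev.chain} dropped inbound echo request from {ev.fields['SRC']}"
    return f"{ev.chain} dropped {proto or 'unknown'} traffic"
```

Run over the quoted line it reports that `net-fw` dropped the inbound echo reply from 173.194.40.159, which is the reply to the ping of google.fr mentioned above.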
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users