On 3/27/2014 10:36 AM, Hervé Werner wrote:
> 
>> On 3/27/2014 8:12 AM, Hervé Werner wrote:
>> > Hello Tom.
>> > 
>> > Please find enclosed the requested file as well as my full
>> > configuration.
>> > 
>> > 
>> > Also I noticed that the reap option provided in the recent match is not
>> > detected by Shorewall whereas it seems to be available:
>> >         $ sudo iptables -N test
>> >         $ sudo iptables -A test -m recent --rcheck --seconds 10 --reap
>> >         $ sudo iptables -L test
>> >         Chain test (0 references)
>> >         target     prot opt source               destination
>> >                    all  --  anywhere             anywhere
>> >         recent: CHECK seconds: 10 reap name: DEFAULT side: source mask: 255.255.255.255
>> > 
>> > Not sure I actually need it but this looks strange to me.
>> > 
>> >> Hello.
>> >>
>> >> As soon as I add the rpfilter option to my single interface, any
>> >> outgoing traffic is blocked.
>> >>
>> >> Here is my interface file:
>> >> net     eth0
>> >> dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,rpfilter
>> >>
>> >> When taking a look at the logs, I notice packets have been blocked by
>> >> the net-fw rule:
>> >>
>> >> Mar 26 15:46:44 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0
>> >>
>> >> This message has been triggered by pinging google.fr.
>> >>
>> >> Note that it works properly when using rp_filter.
>> >>
>> >> Please find attached my configuration files.
>> >>
>> >> Version information: 4.5.21.7
>>
>> I certainly wish that you wouldn't top-post.
>>
>> This dump shows no log messages of the type displayed above being
>> generated. The only messages that had been logged since the
>> configuration was restarted were out of the chain _fw-net. Given that
>> your setting of LOGFILE doesn't match where messages are actually being
>> logged, the dump does not show the messages.
> 
> I'm sorry. Please find enclosed a full dump.

Herve,

Unfortunately, the messages were logged before the firewall was reloaded:

State:Started (jeudi 27 mars 2014, 18:23:57 (UTC+0100)) from /etc/shorewall/

Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0
Mar 27 18:23:14 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=766 PROTO=ICMP TYPE=0 CODE=0 ID=8127 SEQ=16 MARK=0

NAT Table

So the firewall was reloaded at 18:23:57 but the last message was logged
at 18:23:14. As a consequence, the dump doesn't show the state of the
firewall when the messages were being logged.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
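A small checker for the problem Tom points out, added here as an example and not part of the thread or of Shorewall itself: it reads the State:Started header and the syslog-stamped net-fw lines from a dump (the sample is constructed from the lines quoted above) and separates log entries that pre-date the reload, which cannot be matched against the dumped ruleset, from ones logged after it. It assumes the French month names of the locale shown in the dump and the English abbreviations of the syslog stamps.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the dump quoted in the thread: the State line
# and the two net-fw:DROP lines are as posted, the rest of the dump is trimmed.
SAMPLE_DUMP = """\
State:Started (jeudi 27 mars 2014, 18:23:57 (UTC+0100)) from /etc/shorewall/

Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0
Mar 27 18:23:14 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=766 PROTO=ICMP TYPE=0 CODE=0 ID=8127 SEQ=16 MARK=0

NAT Table
"""
# The State line is printed in the host locale (French here); syslog stamps use English abbreviations.
FR_MONTHS = {"janvier": 1, "février": 2, "mars": 3, "avril": 4, "mai": 5, "juin": 6, "juillet": 7,
             "août": 8, "septembre": 9, "octobre": 10, "novembre": 11, "décembre": 12}
EN_MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
STATE_RE = re.compile(r"^State:Started \(\w+ (\d+) (\S+) (\d{4}), (\d\d):(\d\d):(\d\d)")
# syslog stamp, optional hostname (present in the earlier quote, absent in the dump), chain:ACTION, fields
LOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (?:[\w.-]+ )?([\w-]+:[A-Z]+) +(.*)$")

def started_at(dump):
    """Time the running ruleset was loaded, taken from the dump's State line."""
    for line in dump.splitlines():
        m = STATE_RE.match(line)
        if m:
            day, month, year, hh, mm, ss = m.groups()
            return datetime(int(year), FR_MONTHS[month.lower()], int(day), int(hh), int(mm), int(ss))
    raise ValueError("no State:Started line in dump")

def log_entries(dump, year):
    """Netfilter log lines as (timestamp, 'chain:ACTION', {KEY: VALUE}); syslog has no year, so pass one."""
    out = []
    for line in dump.splitlines():
        m = LOG_RE.match(line)
        if m:
            mon, day, hh, mm, ss, target, rest = m.groups()
            ts = datetime(year, EN_MONTHS[mon], int(day), int(hh), int(mm), int(ss))
            # ID appears twice (IP header id, then ICMP echo id); the later value wins here
            out.append((ts, target, dict(re.findall(r"(\w+)=(\S*)", rest))))
    return out

def triage(dump):
    """Count logged drops that post-date the reload (usable) versus ones logged before it (stale)."""
    start = started_at(dump)
    entries = log_entries(dump, start.year)
    stale = sum(1 for ts, _, _ in entries if ts < start)
    return {"started": start, "total": len(entries), "stale": stale, "usable": len(entries) - stale}
```

For the quoted dump, triage() reports both drops as stale, which is exactly why the dump cannot explain them; a dump taken without an intervening reload would report them as usable.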


------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
