Hi
we have a big problem with host-based zoning. In the past we used
"interfaces" to route traffic into zones. Now we have some interfaces that
have more than one zone, and we use "hosts".
Since we use "hosts" instead of "interfaces" to map zones, conntrack
doesn't work correctly and all packets are logged instead of only the first
one (NEW).
Here is some system info and partial output from the config:
shorewall version
first 4.5.21.9 and now 4.6.5.2
kernel version
Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
distro version
Centos 6
/etc/shorewall/policy
all all ACCEPT debug
/etc/shorewall/interfaces
- bnteth
- bond0.2
gst bond0.4
/etc/shorewall/hosts
bebnt bnteth:10.254.1.0/24
pub bnteth:0.0.0.0/0 # pub is in zones at last position!
mgt bond0.2:10.200.254.0/24
Chain FORWARD (policy DROP)
bnteth_fwd all -- 0.0.0.0/0 0.0.0.0/0
Chain bnteth_fwd (1 references)
bebnt_frwd all -- 10.254.1.0/24 0.0.0.0/0
Chain bebnt_frwd (6 references)
bebnt2mgt all -- 0.0.0.0/0 10.200.254.0/24
Chain bebnt2mgt (7 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* I think this line will be ignored because the state is not established */
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `FW:bebnt2mgt:ACCEPT:'
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Log while starting one ssh connection
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56140 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56141 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56142 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=56143 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=1324 TOS=0x00 PREC=0x00 TTL=63 ID=56144 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
...
Conntrack
tcp 6 4 SYN_SENT src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2
after some seconds
tcp 6 298 ESTABLISHED src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2
I don't understand why the connection is [UNREPLIED].
I hope somebody has an idea.
greets
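As an added diagnostic (not code from the post or from Shorewall), the following parses the kernel LOG lines and conntrack entries quoted above and surfaces the two symptoms together: the same flow hitting the LOG rule more than once, and a conntrack entry still carrying [UNREPLIED]. [UNREPLIED] means conntrack has not seen any packet in the reply direction, so the `ctstate RELATED,ESTABLISHED` rule ahead of the LOG rule cannot match, even though the TCP protocol state column reads ESTABLISHED; the sample lines are the post's own, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the kernel LOG lines and the two conntrack
# entries from the post, each re-joined onto a single line (the mail wrapped them).
LOG_LINES = [
    "Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56140 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56141 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0",
    "Dec 11 11:18:01 be-fw01 kernel: FW:bebnt2mgt:ACCEPT:IN=bnteth OUT=bond0.2 SRC=10.254.1.212 DST=10.200.254.252 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=56143 DF PROTO=TCP SPT=47114 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0",
]
CT_LINES = [
    "tcp 6 4 SYN_SENT src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2",
    "tcp 6 298 ESTABLISHED src=10.254.1.212 dst=10.200.254.252 sport=47114 dport=22 [UNREPLIED] src=10.200.254.252 dst=10.254.1.212 sport=22 dport=47114 mark=1 secmark=0 use=2",
]

LOG_RE = re.compile(
    r"FW:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+).*?RES=\S+ (?P<flags>.*?) URGP=")
CT_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?P<state>\w+)\s+src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r" sport=(?P<sport>\d+) dport=(?P<dport>\d+)\s*(?P<unreplied>\[UNREPLIED\])?")

def multi_logged_flows(lines):
    """Group LOG hits by chain + 5-tuple and keep flows logged more than once.
    With 'ACCEPT ctstate RELATED,ESTABLISHED' ahead of the LOG rule only the first
    (NEW) packet should be logged; a second hit means that match failed."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            key = (m["chain"], m["src"], m["dst"], m["proto"], m["spt"], m["dpt"])
            hits[key].append(m["flags"].strip())
    return {k: v for k, v in hits.items() if len(v) > 1}

def unreplied_entries(lines):
    """Conntrack entries flagged [UNREPLIED]: no reply-direction packet was ever
    seen, so ctstate ESTABLISHED cannot match regardless of the TCP state shown."""
    out = []
    for line in lines:
        m = CT_RE.match(line)
        if m and m["unreplied"]:
            out.append((m["state"], m["src"], m["dst"], m["sport"], m["dport"]))
    return out

if __name__ == "__main__":
    for flow, flags in multi_logged_flows(LOG_LINES).items():
        print("logged %d times:" % len(flags), flow, flags)
    for entry in unreplied_entries(CT_LINES):
        print("UNREPLIED:", entry)
```

Feed it the complete /var/log/messages and `conntrack -L` output to see every flow that is being logged per packet rather than once.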
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users