On 11/5/18 6:08 AM, Vieri Di Paola wrote:
> Hi,
>
> I'm attaching a shorewall dump while trying to ping a shorewall
> firewall interface at 192.168.212.1 from a host within the "dmz" zone
> with IP address 192.168.212.93.
>
> I get inconsistent ICMP replies.
> A tcpdump on the shorewall firewall itself shows this:
>
> # tcpdump -n -i enp5s0 host 192.168.212.93 and icmp
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp5s0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:59:20.513984 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 746, length 40
> 14:59:20.514156 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 746, length 40
> 14:59:21.517489 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 747, length 40
> 14:59:21.517653 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 747, length 40
> 14:59:22.521495 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 748, length 40
> 14:59:22.521681 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 748, length 40
> 14:59:23.525488 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 749, length 40
> 14:59:23.525616 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 749, length 40
> 14:59:24.529495 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 750, length 40
> 14:59:24.529665 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 750, length 40
> 14:59:25.533542 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 751, length 40
> 14:59:25.533698 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 751, length 40
> 14:59:26.537567 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 752, length 40
> 14:59:26.537724 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 752, length 40
> 14:59:27.541601 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 753, length 40
> 14:59:27.541797 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 753, length 40
> 14:59:28.545663 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 754, length 40
> 14:59:28.545819 IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq 754, length 40
> 14:59:29.549700 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 755, length 40
> 14:59:38.626915 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 756, length 40
> 14:59:43.512067 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 757, length 40
> 14:59:48.512169 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 758, length 40
> 14:59:53.512369 IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq 759, length 40
>
> Why is my shorewall system not always replying?
>
> Here's the shorewall dump:
>
> https://drive.google.com/open?id=1oLsOAUdehsxKcvKZ2Z-vCzJS9lVv_5RQ
>

I don't see anything in the dump. You might try using the iptrace
command to trace what is happening to the echo-request packets; if that
doesn't show anything, then try looking at the echo-replies.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
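
Before tracing, it helps to pin down exactly which echo requests the firewall saw but never answered. The following is an added example, not part of either message: it pairs requests with replies in `tcpdump -n` output, using an excerpt of the capture quoted above as input; the function and variable names are the example's own.

```python
import re
from datetime import datetime

# Excerpt (seq 753-759) of the capture quoted in the message above.
REQ = "IP 192.168.212.93 > 192.168.212.1: ICMP echo request, id 1, seq"
REP = "IP 192.168.212.1 > 192.168.212.93: ICMP echo reply, id 1, seq"
CAPTURE = f"""\
14:59:27.541601 {REQ} 753, length 40
14:59:27.541797 {REP} 753, length 40
14:59:28.545663 {REQ} 754, length 40
14:59:28.545819 {REP} 754, length 40
14:59:29.549700 {REQ} 755, length 40
14:59:38.626915 {REQ} 756, length 40
14:59:43.512067 {REQ} 757, length 40
14:59:48.512169 {REQ} 758, length 40
14:59:53.512369 {REQ} 759, length 40
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def pair_echoes(text):
    """Match each echo reply to its request by (hosts, id, seq).

    Returns (answered, unanswered): answered maps (id, seq) to the
    round-trip time in seconds; unanswered is a sorted list of
    (timestamp, id, seq) for requests with no reply in the capture.
    Timestamps carry no date, so a capture crossing midnight is not handled.
    """
    pending, answered = {}, {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines and non-ICMP traffic
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[(m["src"], m["dst"]) + ident] = (ts, m["ts"])
        else:
            # A reply travels the reverse direction of its request.
            sent = pending.pop((m["dst"], m["src"]) + ident, None)
            if sent:
                answered[ident] = (ts - sent[0]).total_seconds()
    unanswered = sorted((raw, k[2], k[3]) for k, (_, raw) in pending.items())
    return answered, unanswered

if __name__ == "__main__":
    ok, lost = pair_echoes(CAPTURE)
    for ts, ident, seq in lost:
        print(f"{ts} id={ident} seq={seq}: request seen, no reply")
```

The first unanswered timestamp marks where to start reading the trace log entries that `iptrace` produces.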
