On 7/9/20 4:00 PM, Vieri Di Paola wrote:
> On Thu, Jul 9, 2020 at 8:39 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>> Do you see each packet twice (once inbound and once outbound)?
>
> When the ICMP request/reply succeeds (it's the case of most hosts)
> then yes, the requests and replies are duplicated as in this dump:
>
> # tcpdump -n -i lan.1 host 10.215.246.24 and host 10.215.144.48 and icmp
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:52:22.403575 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57089, length 40
> 00:52:22.403608 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57089, length 40
> 00:52:22.403847 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57089, length 40
> 00:52:22.403880 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57089, length 40
> 00:52:23.397689 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57345, length 40
> 00:52:23.397723 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57345, length 40
> 00:52:23.398006 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57345, length 40
> 00:52:23.398043 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57345, length 40
> 00:52:24.397645 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57601, length 40
> 00:52:24.397676 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57601, length 40
> 00:52:24.397963 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57601, length 40
> 00:52:24.397999 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57601, length 40
> 00:52:25.397765 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57857, length 40
> 00:52:25.397784 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57857, length 40
> 00:52:25.398095 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57857, length 40
> 00:52:25.398122 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57857, length 40
> 00:52:26.397606 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58113, length 40
> 00:52:26.397631 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58113, length 40
> 00:52:26.397914 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58113, length 40
> 00:52:26.397950 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58113, length 40
> 00:52:27.397666 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58369, length 40
> 00:52:27.397696 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58369, length 40
> 00:52:27.397957 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58369, length 40
> 00:52:27.397992 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58369, length 40
> 00:52:28.397652 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58625, length 40
> 00:52:28.397687 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 58625, length 40
> 00:52:28.397985 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58625, length 40
> 00:52:28.398019 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 58625, length 40
>
> For the "failing ping", I now see this dump (in my previous post,
> I wasn't seeing any replies at all, only requests and not even
> duplicated -- beats me):
>
> # tcpdump -n -i lan.1 host 10.215.246.24 and host 10.215.144.251 and icmp
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:55:18.397038 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60161, length 40
> 00:55:18.397079 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60161, length 40
> 00:55:18.397202 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60161, length 40
> 00:55:23.896969 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60417, length 40
> 00:55:23.897007 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60417, length 40
> 00:55:23.897177 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60417, length 40
> 00:55:29.397134 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60673, length 40
> 00:55:29.397170 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60673, length 40
> 00:55:29.397337 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60673, length 40
> 00:55:34.896823 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60929, length 40
> 00:55:34.896859 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60929, length 40
> 00:55:34.897084 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60929, length 40
> 00:55:40.396974 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 61185, length 40
> 00:55:40.397012 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 61185, length 40
> 00:55:40.397148 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 61185, length 40
>
> The host with IP addr. 10.215.246.24 is reporting that ping is failing.
>
Clearly the firewall is dropping the replies, but I can see no reason why it should. You could try using 'shorewall iptrace' to try to understand where.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
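The reasoning in this exchange (a forwarded packet shows up twice in a single-interface capture on the firewall, so a reply counted once against a request counted twice is one the firewall swallowed) can be turned into a small audit of tcpdump output. The following Python is an added example, not code from the thread or from Shorewall; the function names are mine, and the sample lines are taken from the two captures quoted above.

```python
import re
from collections import Counter

# One "tcpdump -n" line for an ICMP echo packet, in the format of the captures above
ICMP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse_icmp(line):
    """Return (src, dst, kind, id, seq) for an ICMP echo line, else None."""
    m = ICMP_RE.match(line.strip())
    if not m:  # tcpdump banner lines and non-ICMP traffic are skipped
        return None
    return (m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))

def count_passes(lines):
    """Count how often each (kind, id, seq) appears in a single-interface capture."""
    # On a forwarding host tcpdump on one interface sees a forwarded packet
    # twice (arriving and leaving); a count of 1 means it entered but never left.
    counts = Counter()
    for line in lines:
        pkt = parse_icmp(line)
        if pkt:
            _, _, kind, icmp_id, seq = pkt
            counts[(kind, icmp_id, seq)] += 1
    return counts

def dropped_replies(lines):
    """Seqs whose reply was seen fewer times than the matching request."""
    # Catches both shapes from the thread: a reply seen once (entered, not
    # forwarded) and a reply never seen at all (count 0).
    counts = count_passes(lines)
    return [seq for (kind, icmp_id, seq), n_req in sorted(counts.items())
            if kind == "request" and counts.get(("reply", icmp_id, seq), 0) < n_req]

# Sample input: lines taken from the two captures quoted in the thread
WORKING_CAPTURE = [
    "00:52:22.403575 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57089, length 40",
    "00:52:22.403608 IP 10.215.246.24 > 10.215.144.48: ICMP echo request, id 512, seq 57089, length 40",
    "00:52:22.403847 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57089, length 40",
    "00:52:22.403880 IP 10.215.144.48 > 10.215.246.24: ICMP echo reply, id 512, seq 57089, length 40",
]
FAILING_CAPTURE = [
    "listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "00:55:18.397038 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60161, length 40",
    "00:55:18.397079 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60161, length 40",
    "00:55:18.397202 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60161, length 40",
    "00:55:23.896969 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60417, length 40",
    "00:55:23.897007 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 60417, length 40",
    "00:55:23.897177 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 60417, length 40",
]
```

Feeding the full .251 capture through `dropped_replies` flags every sequence number, which is the same conclusion Tom draws by eye before pointing at 'shorewall iptrace' to find the rule responsible.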