Thanks Tom,

> a) Be sure that you have set the 'dhcp' option for your external interface
> in /etc/shorewall/interfaces.
> b) Because your ISP is using RFC 1918 addresses within its infrastructure,
> you need to review Shorewall FAQ #14a
> (http://www.shorewall.net/FAQ.htm#faq14a).

Yes, etc/shorewall/interfaces has dhcp on for the external interface.

I was getting these in my log when I performed a trace route:

Feb 27 19:17:42 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=10.75.48.1 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=3903 PROTO=ICMP TYPE=11 CODE=0 [SRC=81.102.124.19 DST=212.58.224.114 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=63517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=41728 ]

And these stopped when I added the UBR's IP to /etc/shorewall/rfc1918

I'll find out soon whether this makes any difference to DHCP renewal, but apparently not blocking the UBR is very important.

A few questions about that log entry if I may?

According to the weblet, sorting the denied packets by IP address lists all these packets as caused by '81.102.124.19', which is my external IP on eth0. Can somebody explain why?

"SRC=10.75.48.1 DST=192.168.1.1"
DST is the local IP for my WinXP box, how come SRC is trying to send it packets?

I don't know whether the UBR has a static IP, but I do know the ranges it will always be in (10.xxx.xxx.1 or 172.xx.xxx.254). If it turns out to be dynamic, is it possible to put those ranges instead of a static IP into /etc/shorewall/rfc1918?

Thanks,
Jim.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
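The log entry quoted in the message carries two packet headers: the outer one is the ICMP TYPE=11 packet that was dropped, and the part in square brackets is the header of the original packet that the ICMP error quotes, which is how the netfilter LOG target prints ICMP errors. The parser below is an added example, not part of the original message or of Shorewall; the function names and the PLAIN sample line are constructed here, and `last_src` is a hypothetical naive reader shown only to illustrate how the two SRC= fields can be confused.

```python
import re

# Log entry copied verbatim from the message above.
LINE = ("Feb 27 19:17:42 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
        "SRC=10.75.48.1 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=3903 "
        "PROTO=ICMP TYPE=11 CODE=0 [SRC=81.102.124.19 DST=212.58.224.114 LEN=92 "
        "TOS=0x00 PREC=0x00 TTL=1 ID=63517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=41728 ] ")
# Constructed sample: an ordinary drop with no quoted inner header.
PLAIN = ("Feb 27 19:20:01 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= "
         "SRC=10.0.0.5 DST=81.102.124.19 LEN=40 TTL=60 ID=1 PROTO=TCP SPT=80 DPT=1025 ")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")
FIELD = re.compile(r"(\w+)=(\S*)")
ICMP = {"0": "echo-reply", "3": "destination-unreachable",
        "8": "echo-request", "11": "time-exceeded"}

def fields(text):
    """KEY=value pairs as a dict. The first occurrence of a key wins, so the
    IP header ID is kept rather than the later ICMP echo ID."""
    out = {}
    for key, value in FIELD.findall(text):
        out.setdefault(key, value)
    return out

def parse(line):
    m = PREFIX.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    # Everything before '[' is the dropped packet; the bracketed part is the
    # header quoted inside the ICMP error.
    outer_text, bracket, inner_text = line[m.end():].partition("[")
    inner = fields(inner_text.rsplit("]", 1)[0]) if bracket else None
    return {"chain": m["chain"], "action": m["action"],
            "outer": fields(outer_text), "inner": inner}

def last_src(line):
    """Hypothetical naive reader: takes the final SRC= on the line."""
    return re.findall(r"SRC=(\S+)", line)[-1]

def describe(line):
    p = parse(line)
    o, i = p["outer"], p["inner"]
    msg = f'{p["action"]} by {p["chain"]}: {o["SRC"]} -> {o["DST"]} {o["PROTO"]}'
    if o["PROTO"] == "ICMP":
        msg += " " + ICMP.get(o["TYPE"], "type " + o["TYPE"])
    if i:
        msg += f' quoting {i["SRC"]} -> {i["DST"]} TTL={i["TTL"]}'
    return msg

if __name__ == "__main__":
    print(describe(LINE))
```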
