I had to subscribe to leaf-user for this one, which maybe I don't understand because shorewall doesn't log every piece of information? I don't know, but here's the log entry and the details:
Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=29083 DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0
Details:
==========
* I'm running BitTorrent, a p2p downloading application
* ports 6881-6889 are opened to new inbound connections
  and forwarded to 10.2.3.4.
* My IP is 63.194.213.179
* Proper BT traffic would be DST=63.194.213.179 6881:6889 SYN
  and of course responses to that from me.
I can't for the life of me figure out how this traffic gets here. I mean it's a SYN for pete's sake. Unless it was specifically routed purely with MAC addresses, it makes no sense.
Questions:
===========
1) How on earth is traffic destined for 10.2.3.4 getting all
   the way from 82.82.76.144 to me, i.e. how is it passing
   through so many internet routers to me? There should be
   no route. My ISP has no idea that I use 10.2.3.4 in a NAT
   setup.
2) Does shorewall not tell me if there is MAC addressing involved?
3) And if it was routed using MAC addresses only (which is the way
   the net works, correct?) then why doesn't Shorewall give me the
   MAC skinny?
4) And who has 10.2.3.4 in their ARP cache besides Bering? You can't
   tell me that 10.2.3.4 is ARP all the way through the internet to me?

Thx
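An added example, not part of the original post: a short Python parser for the kernel log line quoted above. It splits the line into the Shorewall chain and disposition prefix and the netfilter key=value fields, then reports the facts the questions turn on. The function names and the `FORWARDED_PORTS` constant are assumptions built from the post's own description.

```python
import ipaddress
import re

# Log line copied verbatim from the post above.
LINE = ("Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
        "SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
        "ID=29083 DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0")

FORWARDED_PORTS = range(6881, 6890)  # 6881-6889, as stated in the post (assumed name)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:"
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")


def parse_shorewall_line(line):
    """Return (chain, disposition, fields, flags) for one log line."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no Shorewall prefix in line")
    fields, flags = {}, []
    for token in line[m.end():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # e.g. SRC, DST, DPT, OUT (may be empty)
        else:
            flags.append(token)          # bare tokens such as DF, SYN, ACK
    return m.group("chain"), m.group("disposition"), fields, flags


def summarize(line):
    """Collect the properties of the packet that the post asks about."""
    chain, disposition, fields, flags = parse_shorewall_line(line)
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return {
        "chain": chain,
        "disposition": disposition,
        "in": fields.get("IN"),
        "out": fields.get("OUT"),
        "src_rfc1918": any(src in net for net in RFC1918),
        "dst_rfc1918": any(dst in net for net in RFC1918),
        "dpt_in_forwarded_range": int(fields["DPT"]) in FORWARDED_PORTS,
        "syn": "SYN" in flags,
        "has_mac_field": "MAC" in fields,  # is a MAC= field present in this line?
    }


if __name__ == "__main__":
    for key, value in summarize(LINE).items():
        print(f"{key}: {value}")
```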
