On Tue, 2003-09-16 at 09:36, Matt Schalit wrote:
> I had to subscribe to leaf-user for this one, which maybe I don't
> understand because shorewall doesn't log every piece of information?
> I don't know, but here's the log entry and the details:
>
> Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
> SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=29083
> DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0
>

Please forward the output from "shorewall show rfc1918".

> Details:
> ==========
> * I'm running BitTorrent, a p2p downloading application
>
> * ports 6881-6889 are opened to new inbound connections
>   and forwarded to 10.2.3.4.
>
> * My ip is 63.194.213.179
>
> * Proper BT traffic would be DST=63.194.213.179 6881:6889 SYN
>   and of course responses to that from me.
>
>
> I can't for the life of me figure out how this traffic gets here.
> I mean it's a SYN for pete's sake. Unless it was specifically
> routed purely with MAC addresses, it makes no sense.
>
> Questions:
> ===========
> 1) How on earth is traffic destined for 10.2.3.4 getting all
>    the way from 82.82.76.144 to me, i.e. How is it passing
>    through so many internet routers to me? There should be
>    no route. My ISP has no idea that I use 10.2.3.4 in a NAT
>    setup.

DNAT has already been applied by the time that the rfc1918 chain has been traversed.

>
> 2) Does shorewall not tell me if there is MAC addressing involved?

Look at the raw message log to see MAC addressing -- see below.

>
> 3) And if it was routed using MAC addresses only (which is the way
>    the net works, correct?)

No.

>    then why doesn't Shorewall give me the
>    MAC skinny?

If you use "shorewall show log", /sbin/shorewall suppresses the MAC information.

>
> 4) And who has 10.2.3.4 in their ARP cache besides Bering. You can't
>    tell me that 10.2.3.4 is ARP all the way through the internet to me?

Again, I suspect that the original destination was 63.194.213.179 but I need to see the "shorewall show rfc1918" output in order to understand more of what is going on.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
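The reply's point that DNAT has already rewritten the destination before the rfc1918 chain logs the packet can be checked mechanically against the quoted log entry. The following is an added example, not part of the original thread and not Shorewall code; the `FORWARDS` table layout and the function names are assumptions, with the addresses and ports taken from the post.

```python
import ipaddress
import re

# Port forwards as described in the post: public ports 6881-6889 -> 10.2.3.4.
# The table layout and names are assumptions made for this example.
PUBLIC_IP = "63.194.213.179"
FORWARDS = [("tcp", range(6881, 6890), "10.2.3.4")]

# The log entry quoted in the post, joined onto one line.
SAMPLE = ("Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
          "SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
          "ID=29083 DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # flags such as DF and SYN have no '='

def parse(line):
    """Return chain, action and the KEY=VALUE fields of a Shorewall log line."""
    m = PREFIX.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(FIELD.findall(line[m.end():]))
    return {"chain": m["chain"], "action": m["action"], **fields}

def explain(line):
    """Say whether the logged DST looks like the result of a DNAT rule."""
    e = parse(line)
    # IN and OUT both set means the packet was being forwarded, so the
    # nat PREROUTING step (where DNAT happens) had already run.
    forwarded = bool(e.get("IN")) and bool(e.get("OUT"))
    dst = ipaddress.ip_address(e["DST"])
    for proto, ports, target in FORWARDS:
        if (forwarded and dst.is_private and e["DST"] == target
                and e.get("PROTO", "").lower() == proto
                and int(e.get("DPT", 0)) in ports):
            return (f"post-DNAT: likely sent to {PUBLIC_IP}:{e['DPT']}, "
                    f"rewritten to {target}")
    if dst.is_private:
        return "private DST with no matching forward: check the raw log"
    return "DST is public: no rewrite indicated"

if __name__ == "__main__":
    print(explain(SAMPLE))
```

A match only shows that the logged destination is consistent with the port-forward rule; it does not say why the rfc1918 chain dropped the packet, which is what the requested "shorewall show rfc1918" output is for.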
