On 5 Jul 2004 at 8:29, Ronny Aasen wrote:

> On Sat, 2004-07-03 at 05:15, Stirling Westrup wrote:
> > I understand most of the log messages I see from Shorewall, but I keep
> > getting a bunch of this form:
> > 
> > Dec 31 19:00:00 creaky Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= 
> > SRC=192.168.1.254 DST=192.168.1.17 LEN=241 TOS=00 PREC=0x00 TTL=64 ID=10067
> > PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.17
> > 

> this is an ICMP redirect sent from your firewall to .17 being blocked
> in your firewall rules.
> 
> google for icmp type 5 code 1
> 
> icmp redirect is a method of remotely updating host's routing table to
> avoid sending redundant data on the segment, this is good or bad
> depending on your point of view :)
> 
> http://www.qorbit.net/documents/icmp-redirects-are-bad.htm
> 
> code=1 means it's a host error redirect. that means that the error is
> for a specific host. 
> 
> gateway is which gateway is the best route for the specific host/net
> (host in this case)
> 
> basically your firewall tells .17 that the data it's trying to send
> should be sent to .17 instead. 
> Now why .17 sends it to the default gw in the first place I don't know,
> maybe .17 has 2 interfaces and lacks a route or maybe .17 doesn't have a
> loopback ? (insert other wild guess here)
> 

This helps a bit. I think this is due to a situation I'm not sure how to 
handle in shorewall:

Machine .17 is behind my firewall at .254, and provides an internet service, 
so that service is NATed to .17

Machine .17 is also a tunnel endpoint for some other machines that are not 
inside my network. If one of those machines tries to contact my service via 
the public interface, I suspect that what happens is:

1) A connection request comes in on machine .17 for A.B.C.D (external network 
address)
2) The request is routed to my firewall at .254
3) Firewall realizes that A.B.C.D is my external IP address and performs a 
NAT for that port, and gets machine .17
4) Firewall refuses to connect back to my machine and drops the packet.

Now machine .17 is a windows box and the tunnel application its running is 
proprietary, so there's not a lot of configuring I can do there. This means 
I'm stuck with this perverse situation. How should I configure my firewall to 
cope?

-- 
 Stirling Westrup  |  Use of the Internet by this poster
 [EMAIL PROTECTED]      |  is not to be construed as a tacit
                   |  endorsement of Western Technological
                   |  Civilization or its appurtenances.
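The log line quoted at the top of the thread is the symptom the whole exchange turns on: an ICMP type 5 (redirect) whose GATEWAY field equals its DST, i.e. the firewall telling .17 that the next hop for a packet .17 just sent through it is .17 itself. Below is an added example, not code from the thread or from Shorewall, that parses Shorewall's netfilter log format and flags exactly that pattern so it can be picked out of a busy log. The three sample lines are constructed: the first reproduces the format quoted above, the other two are invented (the 203.0.113.x and 198.51.100.x addresses are documentation ranges, and the all2all/net2fw chain names are assumed, not taken from the poster's config).

```python
import re

# Constructed sample log (not captured from a real system). Line 1 mirrors
# the record quoted in the thread; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
Dec 31 19:00:00 creaky Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.17 LEN=241 TOS=00 PREC=0x00 TTL=64 ID=10067 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.17
Dec 31 19:00:01 creaky Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 31 19:00:02 creaky Shorewall:all2all:REJECT: IN= OUT=eth1 MAC= SRC=192.168.1.254 DST=192.168.1.17 LEN=241 TOS=00 PREC=0x00 TTL=64 ID=10068 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=192.168.1.1
"""

# Shorewall prefixes netfilter log records with "Shorewall:<chain>:<disposition>:"
PREFIX_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+): (?P<rest>.*)$')
# netfilter fields are KEY=VALUE; a value may be empty (IN= on locally
# generated packets, MAC= when there is no layer-2 header)
KV_RE = re.compile(r'(\w+)=(\S*)')

# ICMP redirect codes (RFC 792): 0 network, 1 host, 2 TOS+network, 3 TOS+host
REDIRECT_CODES = {'0': 'net', '1': 'host', '2': 'tos-net', '3': 'tos-host'}


def parse_line(line):
    """Parse one Shorewall log line into a dict, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    return {
        'ts': m.group('ts'),
        'host': m.group('host'),
        'chain': m.group('chain'),
        'disposition': m.group('disp'),
        'fields': dict(KV_RE.findall(rest)),
        # bare tokens such as DF or SYN carry no '=' and are TCP/IP flags
        'flags': {tok for tok in rest.split() if '=' not in tok},
    }


def classify(rec):
    """Label a record: 'other', 'redirect-<code>' or 'redirect-to-self'.

    'redirect-to-self' is the case from the thread: GATEWAY == DST, so the
    firewall is telling DST that DST itself is the best next hop for the
    packet it just forwarded. That only happens when DST handed the
    firewall a packet whose final destination is DST (for instance a
    connection to the NATed public address that DNAT maps back to DST).
    """
    f = rec['fields']
    if f.get('PROTO') != 'ICMP' or f.get('TYPE') != '5':
        return 'other'
    if f.get('GATEWAY') and f.get('GATEWAY') == f.get('DST'):
        return 'redirect-to-self'
    return 'redirect-' + REDIRECT_CODES.get(f.get('CODE'), 'unknown')


def redirects_to_self(log_text):
    """Return (timestamp, firewall address, redirected host) for every
    self-referential redirect in the log, skipping unparseable lines."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == 'redirect-to-self':
            hits.append((rec['ts'], rec['fields']['SRC'], rec['fields']['DST']))
    return hits


if __name__ == '__main__':
    for ts, fw, host in redirects_to_self(SAMPLE_LOG):
        print(f'{ts}: {fw} told {host} to route to itself (hairpin suspect)')
```

Run against a real /var/log/messages the only thing to change is the text passed to redirects_to_self; a hit with a stable (firewall, host) pair over time is the signature of a host sending traffic for its own NATed address out through the default gateway, which is the situation the post goes on to describe.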



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html