This is what you said Tom Eastep
> Scott Ruckh wrote:
>
>>
>> Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= SRC=a.b.c.d DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=48421 DPT=16680 LEN=152
>>
>> This is not the same log from above, but it still applies. The source
>> IP address is the IP address given to me by my ISP.
>>
>>> b) Understand the physical topology of the network.
>>
>> 3-network interface configuration. eth2=inet zone
>>
>>> c) Understand the definitions of the zones involved (do you really have
>>> both 'net' and 'inet' zones?).
>>
>> Nope this was me providing poor information. A good catch on your part.
>> My internet zone is actually inet, but as everyone uses net I was trying
>> to comply, but instead made things more confusing.
>>
>>> d) Understand your routing.
>>
>> Fairly typical 3-interface configuration. The policy going out for all
>> zones is Accept. Policy for inbound traffic is to block all. Inbound
>> connections are controlled through rules.
>>
>> I don't understand why my inet zone is the source address and the
>> destination is a non-defined address (presumably an internet address),
>> and the traffic is going through the firewall and being blocked.
>> Obviously I do not see much of this type of traffic, and do not
>> understand what is going on.
>
> Your firewall is sending a multi-cast (which it is also receiving) and
> it is getting logged (the destination IP is in 224.0.0.0/4). This
> usually means that you need to set PKTTYPE=No in shorewall.conf as your
> Netfilter 'pkttype' implementation is not matching that packet as
> multi-cast.
>
> -Tom

I am running iptables v1.3.5 with kernel 2.6.13.4. Should I configure iptables or the kernel differently instead of setting the PKTTYPE=No value in shorewall.conf? Do you know why PKTTYPE match extension is not able to match certain broadcast packets?

I have made the change in shorewall.conf as suggested, but I will need to educate myself some more in order to understand completely the setting and what is going on.

Thanks for the help.

Scott

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
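
The check described in the quoted reply (is the logged destination inside 224.0.0.0/4, and is the source the firewall's own address), as an added example that is not part of the original thread or of Shorewall. The log lines are constructed, 192.0.2.10 stands in for the redacted a.b.c.d, and the function names are hypothetical.

```python
import ipaddress
import re

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # range named in the reply
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample lines in the format quoted in the thread; 192.0.2.10
# stands in for the redacted a.b.c.d (assumed to be the firewall's own address).
SAMPLE_LOG = """\
Oct 15 00:25:17 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= SRC=192.0.2.10 DST=239.255.67.250 LEN=172 TOS=00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=48421 DPT=16680 LEN=152
Oct 15 00:26:02 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40022 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 15 00:27:40 shorewall-host Shorewall:inet2all:DROP: IN=eth2 OUT= MAC= SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<verdict>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one Shorewall log line, or None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    fields = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    for key, value in FIELD.findall(line[m.end():]):
        fields.setdefault(key, value)  # keep the first LEN (IP total length)
    return fields

def classify_dst(dst):
    """Classify a destination as multicast, broadcast, unicast or unparsed."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # redacted or truncated address such as a.b.c.d
        return "unparsed"
    if addr in MULTICAST:
        return "multicast"
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    return "unicast"

def triage(log_text, local_addrs):
    """Return (dst, kind, self_originated) for each logged packet."""
    results = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or "DST" not in fields:
            continue
        kind = classify_dst(fields["DST"])
        results.append((fields["DST"], kind, fields.get("SRC") in local_addrs))
    return results

if __name__ == "__main__":
    for dst, kind, own in triage(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"{dst:16} {kind:10} from-firewall={own}")
```

Entries reported as multicast with from-firewall=True are the self-originated traffic the reply describes; the remaining entries are ordinary inbound drops.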