Matt Harrison wrote:
> Shorewall Geek wrote:
>> Matt Harrison wrote:
>>> Shorewall Geek wrote:
>>>> When marking rules don't work as expected, it is usually the result of
>>>> failing to take into account which direction the packets are flowing
>>>> relative to which way the connections were originally made. Your rules
>>>> above will only mark outgoing packets from connections that originate
>>>> behind the firewall. Outgoing packets from connections that originate on
>>>> the net and connect to SSH servers behind the firewall will have SOURCE
>>>> PORT == 22 rather than DEST PORT == 22.
>>> Thanks for the replies,
>>>
>>> That makes sense. I was only trying for connections originating inside
>>> the network, but when that's working I will look at the other way.
>>>
>>>> If that is not the problem in your case, please submit the output of
>>>> 'shorewall dump' collected as described at
>>>> http://www.shorewall.net/support.htm#Guidelines.
>>> Please see attached status.txt.bz2
>> Chain tcpost (1 references)
>>  pkts bytes target   prot opt in  out   source      destination
>>   607  160K CLASSIFY tcp  --  *   *     0.0.0.0/0   0.0.0.0/0   tcp dpt:80 CLASSIFY set 1:12
>>    12  1488 CLASSIFY all  --  *   eth1  0.0.0.0/0   0.0.0.0/0   MARK match 0x1/0xff CLASSIFY set 1:11
>>     0     0 CLASSIFY all  --  *   eth1  0.0.0.0/0   0.0.0.0/0   MARK match 0x2/0xff CLASSIFY set 1:12
>>     0     0 CLASSIFY all  --  *   eth1  0.0.0.0/0   0.0.0.0/0   MARK match 0xa/0xff CLASSIFY set 1:110
>>
>> Chain tcpre (1 references)
>>  pkts bytes target   prot opt in  out   source      destination
>>   261 15876 MARK     tcp  --  *   *     0.0.0.0/0   0.0.0.0/0   tcp dpt:22 MARK set 0x1
>>
>> You are setting the mark to 1 for outgoing SSH to 1. 261 packets
>> destined for TCP port 22 entered PREROUTING. Note, however, that only 12
>> of them exited through eth1; those were correctly classified to class 1:11.
>>
>> From further down in the dump, we see:
>>
>> class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 1500 rate 40000bit
>> ceil 512000bit burst 1504b/8 mpu 0b overhead 0b cburst 1563b/8 mpu 0b
>> overhead 0b level 0
>>  Sent 1656 bytes 12 pkt (dropped 0, overlimits 0 requeues 0)
>>  rate 0bit 0pps backlog 0b 0p requeues 0
>>  lended: 12 borrowed: 0 giants: 0
>>  tokens: 284570 ctokens: 23132
>>
>> So exactly 12 packets were sent through class 1:11.
>>
>> PS -- you are running a very old and unsupported version of Shorewall.
>
> Well this version is the current stable version in gentoo portage,
> however it does seem quite old.
The Gentoo community needs to light a fire under their Shorewall maintainer. The Debian community had to do that a while back; the result was that the current maintainer admitted that he no longer had time to be a maintainer and a new one stepped forward.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
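The direction problem Shorewall Geek describes can be reproduced with a small model of the tcpre/tcpost chains from the dump. This is an added example, not code from the thread or from Shorewall; the packet counts are constructed to match the 261/12 figures, and BOTH_WAYS_TCPRE is a hypothetical extra MARK rule on SOURCE PORT 22 for the reply leg of SSH sessions opened from the net.

```python
# Constructed model of the tcpre/tcpost chains in the dump above; not Shorewall's
# or iptables' own code. Packet counts are made up to match the 261/12 figures.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    out: str   # egress interface; "eth1" is the interface toward the net

# tcpre (PREROUTING) rules: (proto, port field, port, mark to set).
# Mirrors "MARK tcp dpt:22 MARK set 0x1" from the dump.
ORIGINAL_TCPRE = [("tcp", "dport", 22, 0x1)]
# Hypothetical extension: also mark packets with SOURCE PORT == 22, i.e. the
# outgoing leg of SSH connections that were opened from the net.
BOTH_WAYS_TCPRE = ORIGINAL_TCPRE + [("tcp", "sport", 22, 0x1)]

# tcpost (POSTROUTING) rules: (out iface, mark & 0xff) -> traffic class.
TCPOST = {("eth1", 0x1): "1:11", ("eth1", 0x2): "1:12", ("eth1", 0xa): "1:110"}

def run_mangle(packets, tcpre):
    """Return (total tcpre rule hits, {class: packets classified into it})."""
    hits = 0
    classified = {}
    for p in packets:
        mark = 0
        for proto, field, port, value in tcpre:   # first matching MARK rule wins
            if p.proto == proto and getattr(p, field) == port:
                hits += 1
                mark = value
                break
        cls = TCPOST.get((p.out, mark & 0xff))    # "MARK match 0xN/0xff" on eth1
        if cls is not None:
            classified[cls] = classified.get(cls, 0) + 1
    return hits, classified

# Constructed traffic: a little SSH opened from the LAN, much more opened from
# the net to an SSH server behind the firewall.
SAMPLE = (
    [Packet("tcp", 40000, 22, "eth1")] * 12     # LAN -> net: dport 22, leaves on eth1
    + [Packet("tcp", 22, 40000, "eth0")] * 12   # replies toward the LAN
    + [Packet("tcp", 51000, 22, "eth0")] * 249  # net -> internal server: dport 22, leaves on eth0
    + [Packet("tcp", 22, 51000, "eth1")] * 249  # server replies: sport 22, leaves on eth1
)

if __name__ == "__main__":
    print(run_mangle(SAMPLE, ORIGINAL_TCPRE))   # (261, {'1:11': 12})
    print(run_mangle(SAMPLE, BOTH_WAYS_TCPRE))  # (522, {'1:11': 261})
```

With the original rule, 261 packets hit tcpre but only the 12 leaving on eth1 reach class 1:11, exactly as in the dump; the reply packets from the internal server carry SOURCE PORT 22 and are never marked.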
