Hi,

This is what I found when I ran the tcpdump on the firewall. It looks like the 
Suse Linux box is getting requests to the external interface from the Sun box. I'm 
a bit more confused now than before.....

16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:64:20:eb:85, length 254

Here is the ipconfig -all of the firewall. The netstat -rn shows default route 
10.1.50.7 and the resolv.conf has 10.1.50.7.
----------Firewall ---------------------
eth3      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:F8
          inet addr:10.1.50.7  Bcast:10.1.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:164507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42921 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19329107 (18.4 Mb)  TX bytes:14528295 (13.8 Mb)
          Interrupt:18 Base address:0x1400
eth4      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:02
          inet addr:192.168.2.7  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1055431 (1.0 Mb)  TX bytes:17689 (17.2 Kb)
          Interrupt:19 Base address:0x1480
eth5      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:0C
          inet addr:74.2.235.59  Bcast:74.2.235.63  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:172988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31690672 (30.2 Mb)  TX bytes:4432651 (4.2 Mb)
          Interrupt:16 Base address:0x1800

Here is the ipconfig -a for the box that I've been testing that has issues doing 
a DNS query:
----------Client-------------------
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.10 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:1b:95:1e
ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.3.11 netmask ffffff00 broadcast 192.168.3.255
        ether 0:3:ba:1b:95:1f
ce6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.1.50.10 netmask ffffff00 broadcast 10.1.50.255
        ether 0:3:ba:1b:95:10




________________________________
From: Tom Eastep <[email protected]>
To: Shorewall Users <[email protected]>
Sent: Tuesday, September 1, 2009 1:35:00 PM
Subject: Re: [Shorewall-users] LOC traffic shows up as NET traffic

Surge wrote:
> I checked as mentioned it's not on the same hub/switch. Any other ideas
> or suggestions ?

Then you had better check that the hubs/switches that they are connected
to are not themselves connected.

The only possible explanation for packets from 10.1.50.0/24 arriving on
eth5 is that the subnet is connected to eth5 either directly or indirectly.

I suggest that you:

    tcpdump -nei eth5 net 10.1.50.0/24

Look at the packets and check the source MAC address. If different hosts
are sending packets with the same MAC source then the host with the
sending MAC is routing the packets to you. If the MAC addresses match
the sending hosts' real MACs, then 10.1.50.0/24 is bridged to eth5 in
some way.

Note that the traffic from 10.1.50.0/24 may be intermittent through
eth5; that is because of what I call 'ARP Roulette' (see
http://www.shorewall.net/FoolsFirewall.html for additional information).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,        \ died peacefully in his sleep. Not screaming like
Washington, USA    \ all of the passengers in his car
http://shorewall.net \________________________________________________
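
Added example, not part of the original thread or of Shorewall: one way to apply the source-MAC check described above to saved `tcpdump -ne` output. The names classify, norm_mac, SAMPLE and KNOWN_MACS are chosen here; the first two capture lines come from the post, the last two are constructed to show the routed case.

```python
import re
from collections import defaultdict

# Link-level header as printed by `tcpdump -ne` for IPv4 frames:
#   <time> <src MAC> > <dst MAC>, ethertype IPv4 (0x0800), length N: <src IP>[.port] > ...
FRAME = re.compile(
    r"([0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 .*?"
    r"length \d+: (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
)

def norm_mac(mac):
    """Zero-pad octets so Solaris-style '0:3:ba:...' matches tcpdump's form."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def classify(capture, real_macs):
    """Map each source MAC to (verdict, source IPs seen behind it).

    real_macs: IP -> MAC as read from that host's own ifconfig output.
    """
    ips_by_mac = defaultdict(set)
    for line in capture.splitlines():
        m = FRAME.search(line)
        if m:
            ips_by_mac[norm_mac(m.group(1))].add(m.group(2))
    verdicts = {}
    for mac, ips in ips_by_mac.items():
        known = [real_macs.get(ip) for ip in ips]
        if all(k and norm_mac(k) == mac for k in known):
            verdict = "bridged"   # frames carry the senders' real MACs
        elif len(ips) > 1:
            verdict = "routed"    # several hosts behind one MAC: that MAC is a router
        else:
            verdict = "unknown"   # single sender, MAC missing from or not matching the record
        verdicts[mac] = (verdict, sorted(ips))
    return verdicts

# First two lines: from the capture in the post, with the mail wrapping undone.
# Last two lines: constructed to show the routed case.
SAMPLE = """\
16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:64:20:eb:85, length 254
16:39:01.000001 02:00:00:00:00:01 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 98: 10.1.50.21 > 10.1.50.7: ICMP echo request, id 1, seq 1, length 64
16:39:01.000002 02:00:00:00:00:01 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800), length 71: 10.1.50.22.40000 > 10.1.50.7.53: 1+ A? example.com. (29)
"""

# From the client's ifconfig output in the post (interface ce6).
KNOWN_MACS = {"10.1.50.10": "0:3:ba:1b:95:10"}

if __name__ == "__main__":
    for mac, (verdict, ips) in classify(SAMPLE, KNOWN_MACS).items():
        print(mac, verdict, ", ".join(ips))
```
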


      