On Sat, 05 Jun 2010 06:22:38 -0700
Tom Eastep <[email protected]> wrote:

> Please forward the output of 'shorewall dump' collected after testing
> the helper rule.

Hello

I've re-established the problem on another set of boxes and attempted
to make it as simple as possible.  The setup is pretty standard:

+-------------------------------------------------+
|          mr-clever                  mr-muddle   |
| +-------------------------+          +-----+    |
| |ftp                      |          |ftpd |    |
| |# uname -rm              |          |     |    |
| |2.6.29-gentoo-r5 i686    |          |     |    |
| |# shorewall debug version|          |     |    |
| |4.4.9                    |          |     |    |
| +-------------------------\          /-----+    |
|                            |        |           |
|                            \        /           |
|                             \------/            |
|                             |switch|            |
|                            .'------.__          |
|                          .'           ``--.     |
|                        .'                       |
+-------------------------------------------------+

With the following in my tcrules I can ftp to mr-muddle:
####################################################################
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)
2       $FW             0.0.0.0/0       tcp     21

With the following in my tcrules I cannot:
####################################################################
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)
2       $FW             0.0.0.0/0       tcp     -       -       -       -       -       -     -                 ftp

That is, the HELPER ftp is not marking packets.  

The following is what a marked packet looks like:
Jun  6 16:32:14 mr-clever TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth0 SRC=192.168.3.21 DST=192.168.3.23 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37036 DF PROTO=TCP SPT=49155 DPT=21 SEQ=3789899975 ACK=3607433152 WINDOW=1460 RES=0x00 ACK FIN URGP=0 OPT (0101080AFFFFEB66005D6EEB) UID=0 GID=0 MARK=0x2

Thanks Tom, mr-clever 'shorewall dump' in the attachment.

Regards

Fog_Watch.

Attachment: mr-clever-files.tar
Description: Unix tar archive

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
