Hi,
My firewall is a machine running Debian Squeeze with shorewall 4.4.11.6.
/etc/shorewall/policy says this:
loc $FW ACCEPT
loc loc ACCEPT
loc net ACCEPT
$FW net ACCEPT
$FW loc ACCEPT
net all DROP # info
all all REJECT # warn
I have an iPod touch on 192.168.10.20. It has Skype for the iPhone/iPod
on it. When Skype is connected I get a lot of messages in the log like
this:
[2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0
I find this a bit weird, since the policy says connections from "loc"
to "net" should be accepted, so I'm guessing it has to do with the "SYN
FIN" flags on the packets? How would I allow these packets through?
I've tried googling this and I'm not having any luck. I also tried some
stuff with my rules file but it doesn't seem to change anything.
Thanks,
Dale
Additional info as requested:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:25:22:20:ed:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0
inet6 fe80::225:22ff:fe20:ede0/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:50:43:00:9c:51 brd ff:ff:ff:ff:ff:ff
inet 64.30.73.192/20 brd 64.30.79.255 scope global eth1
inet6 fe80::250:43ff:fe00:9c51/64 scope link
valid_lft forever preferred_lft forever
# ip route show
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.1
64.30.64.0/20 dev eth1 proto kernel scope link src 64.30.73.192 metric 1
default via 64.30.64.1 dev eth1 proto static
--
Dale E. Martin - [email protected]
http://the-martins.org/~dmartin
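An added example, not code from the original post or from the Shorewall project: the script below parses netfilter-style log entries like the ones quoted above, recovers the TCP flag set from the bare SYN/FIN/ACK tokens, and applies the classic illegal-flag-combination tests (null, xmas, SYN+RST, SYN+FIN, SYN from source port 0) using the same mask/comparison semantics as the iptables --tcp-flags match. SYN and FIN set together is not a combination a conforming TCP stack sends, which is why flag sanity checks treat it as invalid regardless of zone policy. The ILLEGAL_COMBINATIONS table is this example's own list, modeled on common firewall checks rather than copied from Shorewall's generated rules; the sample log embeds the three entries from the post plus two constructed lines using documentation addresses.

```python
"""Classify TCP flag combinations found in Shorewall/netfilter log lines.

Added example (not part of the original post). The flag tests below are this
example's own rendering of the classic bad-combination checks and are not
taken from Shorewall's generated chains.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"})
ALL = TCP_FLAGS
NONE: FrozenSet[str] = frozenset()

# (mask, comp, description) using iptables "--tcp-flags MASK COMP" semantics:
# only the bits in MASK are examined, and exactly COMP must be set among them.
ILLEGAL_COMBINATIONS: List[Tuple[FrozenSet[str], FrozenSet[str], str]] = [
    (ALL, frozenset({"FIN", "URG", "PSH"}), "xmas scan: only FIN,URG,PSH set"),
    (ALL, NONE, "null scan: no flags set"),
    (frozenset({"SYN", "RST"}), frozenset({"SYN", "RST"}), "SYN and RST both set"),
    (frozenset({"SYN", "FIN"}), frozenset({"SYN", "FIN"}), "SYN and FIN both set"),
]

# Optional "[timestamp]" then a prefix running up to the first ":IN=",
# so "Shorewall:logflags:DROP" is kept whole.
LINE_RE = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?):(?P<rest>IN=.*)$")


@dataclass
class LogEntry:
    prefix: str                 # e.g. "Shorewall:logflags:DROP"
    fields: Dict[str, str]      # KEY=VALUE tokens (SRC, DST, PROTO, SPT, DPT, ...)
    tcp_flags: FrozenSet[str]   # bare TCP flag tokens (SYN, FIN, ACK, ...)
    ip_bits: FrozenSet[str]     # other bare tokens such as DF


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None if it is not a netfilter log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags, bits = {}, set(), set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            bits.add(tok)
    return LogEntry(m.group("prefix"), fields, frozenset(flags), frozenset(bits))


def tcp_flags_match(flags: FrozenSet[str], mask: FrozenSet[str],
                    comp: FrozenSet[str]) -> bool:
    """True when the flags within MASK are exactly COMP (iptables --tcp-flags)."""
    return (flags & mask) == comp


def illegal_flag_reasons(entry: LogEntry) -> List[str]:
    """Every illegal-combination test the entry's TCP flags trip."""
    if entry.fields.get("PROTO") != "TCP":
        return []
    reasons = [desc for mask, comp, desc in ILLEGAL_COMBINATIONS
               if tcp_flags_match(entry.tcp_flags, mask, comp)]
    # "--syn" means SYN set with RST, ACK and FIN clear; pair it with sport 0.
    syn_only = tcp_flags_match(entry.tcp_flags,
                               frozenset({"SYN", "RST", "ACK", "FIN"}),
                               frozenset({"SYN"}))
    if syn_only and entry.fields.get("SPT") == "0":
        reasons.append("connection attempt from source port 0")
    return reasons


def classify(lines) -> List[Tuple[str, str, str, str, List[str]]]:
    """Return (src, dst, dpt, flags, reasons) for each parseable line."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        out.append((e.fields.get("SRC", "?"), e.fields.get("DST", "?"),
                    e.fields.get("DPT", "?"),
                    ",".join(sorted(e.tcp_flags)) or "NONE",
                    illegal_flag_reasons(e)))
    return out


# First three lines are the entries from the post; the last two are constructed.
SAMPLE_LOG = [
    "[2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
    "[2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
    "[2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0",
    # constructed: an ordinary SYN from the internet to the firewall's SSH port
    "Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=64.30.73.192 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # constructed: a null scan probe with no TCP flags at all
    "[2824570.000000] Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=64.30.73.192 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=8 PROTO=TCP SPT=1 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
]

if __name__ == "__main__":
    for src, dst, dpt, flags, reasons in classify(SAMPLE_LOG):
        verdict = "; ".join(reasons) if reasons else "flags look normal"
        print(f"{src} -> {dst}:{dpt} [{flags}] {verdict}")
```

Run it as is and the three entries from the post are reported as "SYN and FIN both set" while the constructed plain SYN passes; feeding it a real kernel log (for example the output of dmesg piped into the script's stdin after swapping SAMPLE_LOG for sys.stdin) shows which dropped flows are policy drops and which are flag-sanity drops, a distinction the zone policy lines alone cannot explain.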
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users