On 3/13/11 9:10 AM, Dale E. Martin wrote:

> 
> I have an iPod touch on 192.168.10.20.  It has Skype for the iPhone/iPod
> on it.  When Skype is connected I get a lot of messages in the log like
> this:
> [2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1
> SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63
> ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN
> URGP=0
> [2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1
> SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63
> ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN
> URGP=0
> [2824568.498059] Shorewall:logflags:DROP:IN=eth0 OUT=eth1
> SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63
> ID=37853 DF PROTO=TCP SPT=51609 DPT=80 WINDOW=65535 RES=0x00 SYN FIN URGP=0
> 
> I find this a bit weird due to the policy saying connections from "loc"
> to "net" should be accepted, so I'm guessing it has to do with the "SYN
> FIN" flags on the packets?  How would I allow these packets through? 
> I've tried googling this and I'm not having any luck.  I also tried some
> stuff with my rules file but it doesn't seem to change anything.

From Shorewall FAQ 17:

        logflags

        The packet is being logged because it failed the checks
        implemented by the tcpflags interface option.

So if you want to allow those bogus packets, turn off 'tcpflags' on eth0.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
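
For anyone triaging entries like the ones quoted above, this added example (not part of either message and not Shorewall code) tallies `logflags` entries by source address and TCP flag combination. The combinations named in `classify` are an assumed list of illegal flag sets, and the last two sample lines are constructed; the first two are the quoted entries joined onto one line each.

```python
import re
from collections import Counter

# Sample input: entries 1-2 are from the quoted log, entries 3-4 are constructed
# (an accepted plain SYN and a dropped packet with no flags set).
SAMPLE_LOG = """\
[2824567.893299] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=44929 DF PROTO=TCP SPT=51608 DPT=443 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824568.296145] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.20 DST=66.36.158.200 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=23783 DF PROTO=TCP SPT=51606 DPT=58824 WINDOW=65535 RES=0x00 SYN FIN URGP=0
[2824569.000000] Shorewall:loc2net:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
[2824570.000000] Shorewall:logflags:DROP:IN=eth0 OUT=eth1 SRC=192.168.10.30 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 URGP=0
"""

# Netfilter LOG output lists the set TCP flags as bare words between RES= and URGP=.
ENTRY = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?\bSRC=(?P<src>\S+)"
    r".*?\bPROTO=TCP\b.*?\bRES=\S+ (?P<flags>(?:[A-Z]+ )*)URGP="
)


def classify(flags):
    """Name the flag combination. The list is an assumption, not Shorewall's own."""
    if not flags:
        return "no flags"
    if {"SYN", "FIN"} <= flags:
        return "SYN+FIN"
    if {"SYN", "RST"} <= flags:
        return "SYN+RST"
    if flags == {"FIN", "PSH", "URG"}:
        return "FIN+PSH+URG"
    return "other"


def summarize(log_text):
    """Count logflags entries per (source address, flag combination)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and m.group("chain") == "logflags":
            flags = frozenset(m.group("flags").split())
            counts[(m.group("src"), classify(flags))] += 1
    return counts


if __name__ == "__main__":
    for (src, combo), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15}  {combo:12}  {n}")
```

A single internal host producing many SYN+FIN entries, as in the quoted log, points at one client's TCP stack or application rather than at the loc-to-net policy.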
