Looking at the output, it seems that your attempts to reach the blacklisted IP are matching in the fw2net policy (which is ACCEPT). This indicates that you are trying to reach the blacklisted host from your machine (which is allowed, as blacklisting works on incoming packets). What you are trying to accomplish is outbound traffic filtering. To do that, you will need to change your fw2net policy to REJECT and then specifically allow traffic to specific hosts and/or to specific ports. However, that can get rather complicated very quickly.
Regards,

-Roberto

On Tue, Jan 24, 2012 at 08:59:39PM +0200, Christos Bakalis wrote:
> Here is the output of the command:
>
> Date: Mon, 23 Jan 2012 20:12:02 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: [Shorewall-users] Shorewall blacklisting problem ~ new user
>
> On Mon, Jan 23, 2012 at 01:48:24PM +0200, Christos Bakalis wrote:
> > Hello! I have posted this question on linuxquestions.com but have not yet
> > received a reply.
> > Can any shorewall user help me out?
> >
> Your problem seems to be a result of the policy "fw net ACCEPT" but I do
> not use blacklisting, so to be certain I would need to see the output of
> 'shorewall dump'.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow! The most
> comprehensive online learning library for Microsoft developers is just
> $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro
> Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> root@slack:/home/cb# shorewall dump
> Shorewall 4.4.27 Dump at slack - Tue Jan 24 20:57:02 EET 2012

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
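One way to confirm the direction from connection-tracking data before changing the fw2net policy, as an added example that is not part of the original message: the first src=/dst= pair of a conntrack entry is the side that opened the connection, so entries whose original dst= is the blacklisted address were started by the firewall host itself. The sample lines, the RFC 5737 documentation addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify conntrack entries by which
# side opened the connection, relative to one address of interest.
#
# A conntrack entry carries two tuples. The first src=/dst= pair is the
# original direction (the packet that created the entry); the second pair
# is the expected reply. A blacklist that matches on source address only
# sees the address when it is the src= of the original tuple.

# Constructed sample in the layout of the "Conntrack Table" section of
# `shorewall dump`. 192.0.2.67 plays the firewall host, 203.0.113.9 the
# blacklisted host, 198.51.100.20 an unrelated remote client.
sample_conntrack() {
cat <<'EOF'
tcp 6 52 TIME_WAIT src=192.0.2.67 dst=203.0.113.9 sport=46678 dport=80 src=203.0.113.9 dst=192.0.2.67 sport=80 dport=46678 [ASSURED] mark=0 use=2
tcp 6 431912 ESTABLISHED src=192.0.2.67 dst=203.0.113.9 sport=46690 dport=80 src=203.0.113.9 dst=192.0.2.67 sport=80 dport=46690 [ASSURED] mark=0 use=2
tcp 6 431940 ESTABLISHED src=198.51.100.20 dst=192.0.2.67 sport=51000 dport=22 src=192.0.2.67 dst=198.51.100.20 sport=22 dport=51000 [ASSURED] mark=0 use=2
udp 17 114 src=192.0.2.67 dst=192.0.2.254 sport=42104 dport=53 src=192.0.2.254 dst=192.0.2.67 sport=53 dport=42104 [ASSURED] mark=0 use=2
EOF
}

# flows_by_direction ADDRESS   (conntrack lines on stdin)
# Prints "<direction> <proto> <orig-src> <orig-dst> <dport>" for every entry
# that involves ADDRESS in its original tuple:
#   outbound = the local side connected to ADDRESS
#   inbound  = ADDRESS connected to the local side
flows_by_direction() {
    awk -v addr="$1" '
    {
        osrc = ""; odst = ""; dport = ""
        # Keep only the first src=, dst= and dport= tokens: the original tuple.
        for (i = 1; i <= NF; i++) {
            if (osrc == "" && $i ~ /^src=/)          osrc  = substr($i, 5)
            else if (odst == "" && $i ~ /^dst=/)     odst  = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/)  dport = substr($i, 7)
        }
        if (odst == addr)      print "outbound", $1, osrc, odst, dport
        else if (osrc == addr) print "inbound",  $1, osrc, odst, dport
    }'
}

# count_direction DIRECTION ADDRESS   (conntrack lines on stdin)
# Number of entries in the given direction; prints 0 when there are none.
count_direction() {
    flows_by_direction "$2" | awk -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# Stand-alone run: list the flows that involve the blacklisted sample address.
sample_conntrack | flows_by_direction 203.0.113.9
```

Entries reported as outbound are the ones an incoming-packet blacklist never evaluates; they are governed by the fw2net policy and rules instead.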
