Hello everyone,

I am trying to create a bridged firewall 
(http://www1.shorewall.net/bridge-Shorewall-perl.html). The bridge is 
working fine and I can see the traffic going through. However, REJECT 
rules behave like DROP rules.

I have read in the documentation that "The bridge must also have an IP 
address for REJECT rules and policies to work correctly — otherwise 
REJECT behaves the same as DROP".

But my bridge does have an IP address, so I'm stuck, and I would be happy 
if someone could help me troubleshoot my setup.

With "shorewall show" I can see that the pkts column does get incremented on 
the REJECT line of the chain "reject" when a packet is rejected:

# shorewall show
...
Chain reject (9 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
73 4380 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
...

However, I don't see any TCP RST coming from iptables when I check with the 
following command, whether I capture on eth0, eth1 or br0:

tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0' -i eth1

My setup is:
* debian squeeze 6.0.5 stock install,
* kernel 2.6.32-5-486,
* shorewall 4.4.11.6-3+squeeze1,
* iptables 1.4.8-3,
* bridge-utils 1.4-5

# cat /boot/config-2.6.32-5-486 | grep CONFIG_BRIDGE=
CONFIG_BRIDGE=m


# cat /boot/config-2.6.32-5-486 | grep CONFIG_BRIDGE_NETFILTER=
CONFIG_BRIDGE_NETFILTER=y


# cat /boot/config-2.6.32-5-486 | grep PHYSDEV=
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m


# cat /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

# Bridge setup
auto br0
iface br0 inet static
address 192.168.149.30
netmask 255.255.255.0
network 192.168.149.0
broadcast 192.168.149.255

pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

pre-down /usr/sbin/brctl delif br0 eth0
pre-down /sbin/ip link set eth0 down
pre-down /usr/sbin/brctl delif br0 eth1
pre-down /sbin/ip link set eth1 down

post-down /usr/sbin/brctl delbr br0

Thanks a lot,
Yvan


-- 
Yvan Karmouta
Tranquil IT Systems
12 rue Jules Verne
44230 Saint Sébastien sur loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr
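A small diagnostic script for the situation described in the post, added here as an example; it is not part of the original message nor of Shorewall. It checks the two preconditions the post touches on (the bridge carrying an IPv4 address, and the kernel's bridge netfilter hook actually handing bridged frames to iptables via the bridge-nf-call-iptables sysctl, which is an assumption about standard br_netfilter behaviour rather than something the post states), sums the packet counters of the tcp-reset REJECT rule from `iptables -nvL reject`, and then captures RST segments on the bridge itself with the same filter the post used on eth1. The bridge name br0 and the /proc/sys/net/bridge path are assumptions; the helper functions take their input as arguments so they can be exercised on captured output without a live bridge.

```shell
#!/bin/sh
# Diagnostics for a bridged Shorewall firewall where REJECT appears to act
# like DROP.  Added example; not from the original post or from Shorewall.
# Assumptions: the bridge is named br0 and the sysctl lives under the usual
# /proc/sys/net/bridge/ path.

# Does the `ip -4 -o addr show` output passed in $1 contain an inet address?
# Shorewall documents that REJECT degrades to DROP on a bridge without one.
bridge_has_ipv4() {
    printf '%s\n' "$1" | grep -q ' inet '
}

# Is the bridge-nf-call-iptables sysctl (file path in $1) switched on?
# Assumption: without it, iptables never sees frames forwarded by the bridge.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Read `iptables -nvL <chain>` output on stdin and print the summed packet
# count of REJECT rules whose reject-with type contains $1 (e.g. tcp-reset).
# Columns are: pkts bytes target prot opt in out source destination [extra].
reject_pkts() {
    awk -v want="$1" '$3 == "REJECT" && index($0, want) { sum += $1 }
                      END { print sum + 0 }'
}

# Run the checks against the live system (needs root for iptables/tcpdump).
main() {
    bridge=${1:-br0}

    if bridge_has_ipv4 "$(ip -4 -o addr show dev "$bridge" 2>/dev/null)"; then
        echo "ok: $bridge has an IPv4 address"
    else
        echo "warn: $bridge has no IPv4 address; REJECT will behave like DROP"
    fi

    if bridge_nf_enabled /proc/sys/net/bridge/bridge-nf-call-iptables; then
        echo "ok: bridge-nf-call-iptables = 1"
    else
        echo "warn: bridge-nf-call-iptables is not 1; iptables may not see bridged traffic"
    fi

    rst=$(iptables -nvL reject 2>/dev/null | reject_pkts tcp-reset)
    echo "info: $rst packets hit the tcp-reset REJECT rule in chain reject"

    # Capture a handful of RST segments on the bridge itself, as the post did on eth1.
    echo "info: waiting for up to 5 TCP RST segments on $bridge (Ctrl-C to stop)"
    tcpdump -n -c 5 -i "$bridge" 'tcp[tcpflags] & (tcp-rst) != 0'
}

# Only touch the live system when explicitly asked: sh diag.sh --run [bridge]
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it as root with `sh diag.sh --run br0`. If the reject-chain counter keeps climbing while the capture on br0 stays silent, the RST is being generated and then lost somewhere after the filter, which narrows the search compared with looking at the counters alone.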


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users