On Sat, 8 Sep 2012, Tom Eastep wrote:

> Here's a clue. We see this log message:
>
> Sep 8 19:14:37 br2_rec:REJECT:IN=br2 OUT=br1 SRC=192.168.0.23
> DST=192.168.4.2 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=6379 PROTO=UDP
> SPT=123 DPT=123 LEN=56
>
> It is being rejected because there is no maclist entry for 192.168.0.3
> on br2 (which is the bridge on which this packet was received).
>
> In fact, there is no maclist entry for that IP address at all. When you
> see packets being rejected in one of the _rec chains, you must check
> your maclist entries.
Ah, but there _is_ an entry in the maclist file for this IP address. An
extract:

    ACCEPT br2 84:2B:2B:47:D6:85 192.168.0.3
    ACCEPT br2 84:2B:2B:47:D6:86 192.168.0.3
    ACCEPT br2 00:1B:21:6F:2B:54 192.168.0.3
    ACCEPT br2 00:1B:21:6F:2B:55 192.168.0.3

which has four entries because the software that builds the maclist file
does not know which MAC address is associated with which IP (the machine
in question has four interfaces). I know for sure that the maclist is
accurate; it has entries for every MAC address on the network (the
maclist file has 580 entries). Again, this configuration has worked for
5+ years until the introduction of virtual machines into the
configuration.

> Let's try to solve the other problem where no 'maclist' entries are
> present. Please:
>
> 1. Remove 'maclist' from all interfaces.
> 2. Restart the firewall.
> 3. Try a connection that fails.
> 4. Capture and post the output of 'shorewall dump'.

Will do.

> PS -- What in the world are you trying to accomplish with this
> configuration? I've never seen anything so bizarre (dozens of RFC1918
> addresses being DNATed to public IPs). Surely there has to be a better
> way.

Indeed there should be a better way. However, I have this configuration
forced on me by "higher" levels. Originally I DNAT'd the whole mess to a
single public IP, but if the "higher" levels detect a source of malware
from one of the internal systems (Windows, of course), they block the
public IP from internet access, hence taking out the entire department.
Hence this configuration has essentially been forced on me. I don't like
it one bit, but I'm fighting City Hall.

I thank you enormously for your input, Tom. You are a king.

Steve

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
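The check Tom asks for above (a REJECT in a *_rec chain means the maclist entries for the logged source must be looked at) can be scripted. What follows is an added example written for this page; it is not Shorewall code and not something either poster provided. It takes the log line and the four-line maclist extract quoted in the thread as constructed sample input, looks up whatever address the log actually carries in SRC= against the entries for the IN= interface, and, when the kernel log includes a MAC= field, compares the frame's source MAC as well. It assumes the standard maclist column order DISPOSITION INTERFACE MAC IP and the kernel LOG target's "MAC=" layout of six destination octets, six source octets and two ethertype octets; it handles IPv4 only.

```python
# Added example (not Shorewall code): match a *_rec REJECT log line against the
# maclist file to see which entries, if any, cover the logged source address.
# Assumes maclist columns DISPOSITION INTERFACE MAC IP and the kernel LOG
# target's "MAC=<6 dst>:<6 src>:<2 ethertype>" octet layout. IPv4 only.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the maclist extract and the log line quoted in the thread.
MACLIST_TEXT = """\
#DISPOSITION INTERFACE MAC                IP
ACCEPT       br2       84:2B:2B:47:D6:85  192.168.0.3
ACCEPT       br2       84:2B:2B:47:D6:86  192.168.0.3
ACCEPT       br2       00:1B:21:6F:2B:54  192.168.0.3
ACCEPT       br2       00:1B:21:6F:2B:55  192.168.0.3
"""
LOG_LINE = ("Sep 8 19:14:37 br2_rec:REJECT:IN=br2 OUT=br1 SRC=192.168.0.23 "
            "DST=192.168.4.2 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=6379 PROTO=UDP "
            "SPT=123 DPT=123 LEN=56")

@dataclass(frozen=True)
class MaclistEntry:
    disposition: str
    interface: str
    mac: str                               # lower-cased for comparison
    net: Optional[ipaddress.IPv4Network]   # None when the IP column is empty or '-'

def parse_maclist(text):
    """Parse maclist text; a comma-separated IP column gives one entry per address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed maclist line: {raw!r}")
        disposition, iface, mac = fields[0].upper(), fields[1], fields[2].lower()
        ips = fields[3].split(",") if len(fields) > 3 and fields[3] != "-" else [None]
        for ip in ips:
            net = ipaddress.ip_network(ip, strict=False) if ip else None
            entries.append(MaclistEntry(disposition, iface, mac, net))
    return entries

REC_PREFIX = re.compile(r"(?P<chain>\S+_rec):(?P<disposition>[A-Z]+):")
KEYVAL = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_rec_log(line):
    """Return the fields of a *_rec chain log line, or None for any other line."""
    m = REC_PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in KEYVAL.findall(line[m.end():]):
        rec.setdefault(key, val)                     # first LEN= is the IP total length
    octets = rec.get("MAC", "").split(":")
    rec["src_mac"] = ":".join(octets[6:12]).lower() if len(octets) == 14 else None
    return rec

def check_rec_log(line, entries):
    """Entries covering SRC on the IN= interface, MAC agreement, other interfaces listing SRC."""
    rec = parse_rec_log(line)
    if rec is None or "SRC" not in rec or "IN" not in rec:
        return None
    src = ipaddress.ip_address(rec["SRC"])
    covering = [e for e in entries if e.net is not None and src in e.net]
    on_iface = [e for e in covering if e.interface == rec["IN"]]
    src_mac = rec["src_mac"]
    return {
        "chain": rec["chain"], "disposition": rec["disposition"],
        "in": rec["IN"], "src": rec["SRC"], "src_mac": src_mac, "on_iface": on_iface,
        "elsewhere": sorted({e.interface for e in covering} - {rec["IN"]}),
        "mac_match": None if src_mac is None else any(e.mac == src_mac for e in on_iface),
    }

def explain(line, entries):
    """Human-readable summary of check_rec_log() for one log line."""
    r = check_rec_log(line, entries)
    if r is None:
        return "not a *_rec chain log line"
    out = [f"{r['chain']} {r['disposition']}: SRC={r['src']} received on {r['in']}"]
    if not r["on_iface"]:
        where = f" (listed on {', '.join(r['elsewhere'])} instead)" if r["elsewhere"] else ""
        out.append(f"  no maclist entry covers this IP on {r['in']}{where}")
    else:
        out.append(f"  {len(r['on_iface'])} maclist entries cover this IP on {r['in']}:")
        out += [f"    {e.disposition} {e.interface} {e.mac} {e.net}" for e in r["on_iface"]]
        if r["mac_match"] is None:
            out.append("  the log line has no MAC= field, so the source MAC cannot be compared")
        else:
            out.append(f"  source MAC {r['src_mac']} matches "
                       + ("one of them" if r["mac_match"] else "none of them"))
    return "\n".join(out)

if __name__ == "__main__":
    entries = parse_maclist(MACLIST_TEXT)
    print(explain(LOG_LINE, entries))
    # Constructed variant: same frame from the listed IP, logged with a MAC= field
    # (destination MAC 00:00:00:00:00:01 is a placeholder).
    variant = LOG_LINE.replace("SRC=192.168.0.23", "SRC=192.168.0.3").replace(
        "OUT=br1 ", "OUT=br1 MAC=00:00:00:00:00:01:84:2b:2b:47:d6:85:08:00 ")
    print(explain(variant, entries))
```

Run against a real maclist file and the output of `grep _rec /var/log/messages`, the script answers the question Tom poses for each rejected packet: is the source address listed at all, is it listed on the interface the packet arrived on, and, when the log rule records the frame header, does the source MAC agree with one of those entries. Several entries for one IP (as in the extract above) are reported together rather than treated as a conflict.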
