Thanks for the help, Tom. I was using official ubuntu 12.04. So there must be something wrong with the kernel.
I then tried ubuntu 10.04. Everything works correctly.

Bin

On Wed, Sep 26, 2012 at 6:36 PM, Tom Eastep <[email protected]> wrote:
> On 9/26/12 4:46 PM, "Bin Wang" <[email protected]> wrote:
>
>>Hi Tom,
>>
>>Here is the info you asked.
>>
>>1. Start shorewall6
>>
>>root@ubuntu:/etc/shorewall6# shorewall6 start
>>Compiling...
>>Processing /etc/shorewall6/shorewall6.conf...
>>Loading Modules...
>>Compiling /etc/shorewall6/zones...
>>Compiling /etc/shorewall6/interfaces...
>>Determining Hosts in Zones...
>>Locating Action Files...
>>Compiling /usr/share/shorewall6/action.Drop for chain Drop...
>>Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
>>Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>>Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
>>Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
>>Compiling /usr/share/shorewall6/action.Reject for chain Reject...
>>Compiling /etc/shorewall6/policy...
>>Compiling TCP Flags filtering...
>>Compiling MAC Filtration -- Phase 1...
>>Compiling /etc/shorewall6/rules...
>>Compiling MAC Filtration -- Phase 2...
>>Applying Policies...
>>Generating Rule Matrix...
>>Creating ip6tables-restore input...
>>Shorewall configuration compiled to /var/lib/shorewall6/.start
>>Starting Shorewall6....
>>Initializing...
>>Setting up Traffic Control...
>>Preparing ip6tables-restore input...
>>Running /sbin/ip6tables-restore...
>>IPv6 Forwarding Disabled!
>>done.
>>
>>2. Ping the destination IP, it is OK
>>
>>root@ubuntu:/etc/shorewall6# ping6 2001:4998:c:401::c:9101
>>PING 2001:4998:c:401::c:9101(2001:4998:c:401::c:9101) 56 data bytes
>>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=1 ttl=48 time=87.1 ms
>>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=2 ttl=48 time=86.1 ms
>>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=3 ttl=48 time=83.9 ms
>>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=4 ttl=48 time=86.1 ms
>>
>>3. Telnet to the HTTP port. The TCP connection timed out eventually.
>>But I expect the TCP connection refused immediately.
>>
>>root@ubuntu:/etc/shorewall6# telnet 2001:4998:c:401::c:9101 80
>>Trying 2001:4998:c:401::c:9101...
>>telnet: Unable to connect to remote host: Connection timed out
>>
>>4. The output from "root@ubuntu:/etc/shorewall6# shorewall6 dump -l -x
>>-m > status.txt" is attached.
>
> It appears that REJECT is acting like DROP with your kernel. There is
> nothing that you can do with your Shorewall configuration to correct this.
> Is this an official Ubuntu kernel? If so, I would submit a problem report.
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
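
Added example, not part of the original thread: a small Python probe that repeats the telnet check from step 3 and labels the outcome, so a REJECT rule that silently behaves like DROP shows up as `silent-drop` instead of `rejected`. The `classify` and `probe` names and the errno set are assumptions made for this sketch (Linux errno mapping assumed).

```python
import errno
import socket
import sys
import time

# Assumption (Linux): these errnos mean something answered the SYN with a
# TCP RST or an ICMP/ICMPv6 "unreachable", which is what REJECT should cause.
ACTIVE_REJECT = {errno.ECONNREFUSED, errno.EHOSTUNREACH,
                 errno.ENETUNREACH, errno.EACCES}


def classify(err):
    """Map the result of a connect attempt to a firewall-behaviour label."""
    if err is None:
        return "open"                      # three-way handshake completed
    code = getattr(err, "errno", None)
    if isinstance(err, socket.timeout) or code == errno.ETIMEDOUT:
        return "silent-drop"               # no answer at all: DROP-like
    if code in ACTIVE_REJECT:
        return "rejected"                  # immediate refusal: REJECT-like
    return "other"                         # e.g. name resolution failure


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect (IPv4 or IPv6) and return (label, seconds)."""
    start = time.monotonic()
    err = None
    try:
        # create_connection resolves the host, so IPv6 literals work as-is.
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:
        err = exc
    return classify(err), round(time.monotonic() - start, 3)


if __name__ == "__main__":
    # Usage: python3 probe.py <host> <port>
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <host> <port>")
    label, elapsed = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]} port {sys.argv[2]}: {label} after {elapsed}s")
```

A `rejected` result returns within roughly one round trip, while `silent-drop` takes the full timeout, matching the "Connection timed out" seen in the telnet output above.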
