On Jul 2, 2013, at 2:02 AM, Øyvind Lode <[email protected]> wrote:

>> But why are they dropped? Because of SPT != 123?
>
> I don't know.
>
> But that is exactly what I'm trying to find out.
>
> The only rule I have regarding ntp is:
>
> NTP(DNAT) net loc:192.168.1.2
>
> 192.168.1.2 is my internal box running ntpd.
>
> All works well but Shorewall is dropping the packets I pasted in my previous
> message.
Shorewall is not dropping them; your kernel is. Shorewall is a configuration tool; it doesn't do any packet filtering itself.

I suspect that these hosts were sending packets prior to the firewall starting (before the DNAT rule was in place). We often see a similar problem with SIP. An un-NATTed connection tracking table entry gets created for them, and all subsequent packets are handled based on that entry.

You can install the 'conntrack' utility and use it to remove the (un-NATTed) conntrack entries for these hosts; or simply 'shorewall restart -p'. Note that the latter command deletes *all* conntrack entries, which may cause some connections to be dropped.

This problem can usually be prevented by installing and configuring Shorewall-init.

-Tom

Tom Eastep        \ Nothing is foolproof to a
Shoreline,        \ sufficiently talented fool
Washington, USA   \ http://shorewall.net
\________________________________________________
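The stale-entry situation Tom describes is easy to spot in a `conntrack -L` listing: a UDP/123 entry created before the DNAT rule existed has a reply tuple whose source is the firewall itself, while a correctly NATted entry's reply tuple has the internal ntpd host as source. The script below is an added illustration, not code from the thread or from the Shorewall project; it parses a constructed sample listing (labelled as such), reports the un-NATTed entries for the internal host `192.168.1.2`, and prints, rather than runs, the targeted `conntrack -D` command that would remove each one, so only those entries are touched instead of the whole table as with `shorewall restart -p`.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): locate NTP
# conntrack entries created before the DNAT rule existed and show the
# conntrack(8) delete command for each. Real use would replace the sample
# with:  conntrack -L -p udp --dport 123

INTERNAL_NTP="192.168.1.2"   # internal box running ntpd, as in the thread
NTP_PORT=123

# Constructed sample of `conntrack -L -p udp --dport 123` output (not real data).
# Entry 1: reply-direction src is the firewall's own address -> un-NATTed, stale.
# Entry 2: reply-direction src is the internal ntpd host    -> correctly DNATted.
SAMPLE_CONNTRACK='udp      17 29 src=203.0.113.10 dst=198.51.100.5 sport=123 dport=123 src=198.51.100.5 dst=203.0.113.10 sport=123 dport=123 mark=0 use=1
udp      17 29 src=203.0.113.11 dst=198.51.100.5 sport=123 dport=123 src=192.168.1.2 dst=203.0.113.11 sport=123 dport=123 mark=0 use=1'

# find_unnatted <conntrack-listing> <internal-host> <port>
# Prints the original-direction source address of every UDP entry to <port>
# whose reply-direction source is not <internal-host>, one per line.
find_unnatted() {
    printf '%s\n' "$1" | awk -v want="$2" -v port="$3" '
        $1 == "udp" {
            n = 0
            split("", src); split("", dport)      # reset per line (portable awk)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src")   { n++; src[n] = kv[2] }
                if (kv[1] == "dport") { dport[n] = kv[2] }
            }
            # index 1 = original direction, index 2 = reply direction
            if (dport[1] == port && src[2] != want) print src[1]
        }'
}

# delete_commands <conntrack-listing> <internal-host> <port>
# Prints (does not execute) one conntrack -D command per stale entry.
delete_commands() {
    find_unnatted "$1" "$2" "$3" | while read -r host; do
        printf 'conntrack -D -p udp --orig-src %s --dport %s\n' "$host" "$3"
    done
}

delete_commands "$SAMPLE_CONNTRACK" "$INTERNAL_NTP" "$NTP_PORT"
```

Once the listed commands look right, they can be run by hand, or the final `printf` replaced with an actual invocation; `--orig-src` and `--dport` are the documented conntrack(8) selectors for the original-direction source address and destination port, so each delete removes only the stale entries for that client rather than every tracked connection.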
