A bit of background: on one of my firewall machines, there are 7 different interfaces - 2 outward-facing, connected to the outside world (eth0 and tun0) and 5 inward-facing interfaces, connected to various internal networks (eth1-4). I also have a local zone on lo, which is also managed by shorewall, with various rules in existence. It is worth mentioning that I also have strict control of all related connections, with the appropriate logging set on all zones/interfaces.
Now, when, say, eth3 and eth4 have established connections to various IP addresses in the outside world via eth0 (with the appropriate masquerading set) and the link on eth0 drops, I get a flurry of about 30-40 entries in my logs consisting of icmp type 3, code 1 messages with source address set to the eth0 IP address and destination address set to the originating IP address, belonging to subnets of which my eth3 and eth4 interfaces are part. So far so good, and this is more or less what I expect to see in such instances.

What is rather bizarre and a complete mystery to me, however, is that all of this goes through lo! Yes, that's right - I am seeing these logs appear on my +fw2local zone, which is responsible for packets from/to the local zone, consisting of a single interface - the loopback - not the zones which are responsible for handling packets from/to eth3 or eth4. In other words, I expected to see these packets appear in one of the +fw2eth3, +fw2eth4, +eth02eth3 or +eth02eth4 zones, not in my +fw2local zone.

The actual logs confirm that the out interface is indeed the loopback (lo), even though none of the addresses involved (source/destination IP addresses of either the related or the actual connection) are on the loopback interface. Just to make sure, I checked my OUTPUT chain and there is indeed a rule in it which directs all packets going out of lo to my fw2local zone, and all RELATED connections then go to +fw2local. None of these packets reach their destination, which is hardly surprising since the out interface is the loopback.

So, the big question is - have I done something wrong, is this a shorewall bug, or is there something fundamentally wrong with the netfilter setup?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
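As an added illustration of the log triage this message describes (example code, not part of the original post and not Shorewall's own code): a small Python check over netfilter LOG-target lines that flags ICMP destination-unreachable entries whose out interface is lo even though neither the source nor the destination address is a loopback address, which is exactly the symptom reported above. The sample log lines, chain names and IP addresses below are constructed for the example; the field layout follows the standard kernel LOG format with a Shorewall-style `Shorewall:<chain>:<action>:` prefix, and the bracketed part is the embedded header of the original packet that triggered the ICMP error.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original post). Line 1 reproduces the
# reported symptom: an ICMP type 3 reply leaving via lo with non-loopback addresses.
# Line 2 is ordinary loopback traffic; line 3 is the same kind of reply leaving via eth3.
SAMPLE_LOG = """\
Shorewall:fw2local:ACCEPT:IN= OUT=lo SRC=203.0.113.10 DST=192.168.3.25 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.3.25 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 ]
Shorewall:fw2local:ACCEPT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Shorewall:fw2eth3:ACCEPT:IN= OUT=eth3 SRC=203.0.113.10 DST=192.168.3.26 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.3.26 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 ]
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):")


def parse_fields(segment):
    """Turn 'KEY=VALUE KEY=VALUE ...' into a dict; bare flag tokens (DF, SYN) are ignored."""
    return dict(FIELD_RE.findall(segment))


def parse_log_line(line):
    """Split one LOG-target line into the Shorewall prefix, the outer packet fields and,
    for ICMP errors, the fields of the embedded original header in [...]."""
    m = PREFIX_RE.search(line)
    chain, action = (m.group(1), m.group(2)) if m else (None, None)
    rest = line[m.end():] if m else line
    inner = {}
    if "[" in rest and "]" in rest:
        outer_part, inner_part = rest.split("[", 1)
        inner = parse_fields(inner_part.split("]", 1)[0])
    else:
        outer_part = rest
    return {"chain": chain, "action": action,
            "outer": parse_fields(outer_part), "inner": inner}


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; malformed or empty values are treated as non-loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_misrouted_icmp_error(entry):
    """True when an ICMP destination-unreachable (type 3) was sent out via lo although
    neither endpoint is a loopback address. Such a reply can never reach its destination,
    so it points at a routing or zone/interface mismatch rather than at normal traffic."""
    outer = entry["outer"]
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return False
    if outer.get("OUT") != "lo":
        return False
    return not (is_loopback(outer.get("SRC", "")) or is_loopback(outer.get("DST", "")))


def find_misrouted(log_text):
    """Return (chain, src, dst, original_dst) for each anomalous line in log_text."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if is_misrouted_icmp_error(entry):
            hits.append((entry["chain"], entry["outer"].get("SRC"),
                         entry["outer"].get("DST"), entry["inner"].get("DST")))
    return hits


if __name__ == "__main__":
    for chain, src, dst, orig_dst in find_misrouted(SAMPLE_LOG):
        print("ICMP unreachable via lo in chain %s: %s -> %s (original flow was to %s)"
              % (chain, src, dst, orig_dst))
```

Feeding the firewall's kernel log through `find_misrouted` gives a quick count of how many of the RELATED ICMP errors took the loopback path, and the embedded original destination tells you which external connection each one belongs to, which is useful when comparing the OUTPUT-chain rules against the routing table.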
