Tom Eastep wrote:

> Okay -- I'm seeing some similar bizarreness on my own firewall; I'm relieved it isn't just me!
> last episode was on 10/24 where I see a number of these from ulogd:
>
> Oct 24 09:15:54 gateway : +loop-fw REJECT IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=54.236.187.178 DST=10.0.0.4 LEN=40 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=41763 SEQ=0 ACK=2096124008 WINDOW=0 ACK RST URGP=0
>
> In this case, 54.236.187.178 is an external host and 10.0.0.4 is the IPv4 address of eth0. eth0 is a provider interface sitting behind a NAT router. So clearly, the original input interface should have been eth0, not lo.

Precisely. Very similar scenario here. The difference in my case is that the connection has already been established, but all else matches what you've described above. One other difference is that "lo" is the out interface in my case.

What I've done today is I replaced the main INPUT/OUTPUT rules governing the loopback and introduced a restriction on the fw2local and local2fw iptables rules so that the source/destination is matched to be 127.0.0.1 and not "all" (0.0.0.0) as was the case before. After doing that, I established a connection from one of the machines on my "eth1" subnet and when that connection was established (internal machine -> eth1 (fw) -> eth0 (fw) -> NAT -> external IP address) I pulled the plug on eth0. Surprise, surprise, I saw about 20 packets DROPped in my Shorewall:OUTPUT:DROP chain via ulogd2 and all had "lo" as the outgoing interface.

> Also hard to see why this was classified as RELATED, given that my firewall drops external connection requests on port 8080.

What kernel are you using? I am on 3.11 and don't remember seeing this with previous kernel versions?

> I'm leaving town shortly and will be gone for several days, but I can look at this more closely when I return.

No problem Tom.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
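Both posters are spotting the same symptom by eye in ulogd output: a packet logged with `lo` as the in or out interface while one end of it carries an address that is not loopback and not one of the firewall's own addresses. The script below is an added example (not code from the thread or from the Shorewall project) that parses netfilter log lines in the layout of the line Tom quoted and flags exactly that condition. It assumes a syslog-style header followed by a free-text prefix and then the `KEY=value` fields; the set of local addresses and all sample lines except the first (which is the one quoted above) are constructed for the example, using documentation-range addresses.

```python
"""Flag netfilter/ulogd log entries where traffic on the loopback interface
carries an address that is neither loopback nor one of this host's own."""
import ipaddress
import re

# Syslog-style header, the log prefix, then the first netfilter field.
# Assumed layout, matching the line quoted in the thread.
HEADER_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+:\s+(?P<prefix>.*?)\s+IN="
)

# Constructed for the example: the firewall's own addresses. Traffic between
# these legitimately traverses lo, so it must not be flagged.
LOCAL_ADDRS = {"127.0.0.1", "10.0.0.4"}

# Sample input. Line 1 is the entry quoted in the thread; 2-4 are constructed.
SAMPLE_LINES = [
    "Oct 24 09:15:54 gateway : +loop-fw REJECT IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=54.236.187.178 "
    "DST=10.0.0.4 LEN=40 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=8080 DPT=41763 SEQ=0 ACK=2096124008 WINDOW=0 ACK RST URGP=0",
    "Oct 24 09:16:02 gateway : +loop-fw ACCEPT IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
    "DST=127.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=3150 DF PROTO=TCP "
    "SPT=40210 DPT=5432 WINDOW=43690 SYN URGP=0",
    "Oct 24 11:02:17 gateway : Shorewall:OUTPUT:DROP: IN= OUT=lo "
    "SRC=10.0.0.4 DST=203.0.113.10 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=51234 DPT=443 WINDOW=0 ACK RST URGP=0",
    "Oct 24 11:02:18 gateway : Shorewall:net2fw:DROP: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 "
    "DST=10.0.0.4 LEN=40 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=443 DPT=51234 WINDOW=0 ACK RST URGP=0",
]


def parse_ulog_line(line):
    """Split one log line into header parts, KEY=value fields and bare flags.

    Returns None for lines that do not look like netfilter log entries."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    tokens = line.split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    rec = {"host": m.group("host"), "prefix": m.group("prefix"), "flags": set()}
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= yields an empty value
            rec[key.lower()] = value
        else:
            rec["flags"].add(tok)            # DF, SYN, ACK, RST carry no value
    rec.setdefault("in", "")
    rec.setdefault("out", "")
    return rec


def is_local_address(addr, local_addrs):
    """Loopback (127/8 or ::1) or one of the host's own configured addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or str(ip) in local_addrs


def spurious_loopback(rec, local_addrs):
    """True when the packet was seen on lo but one endpoint is not local."""
    if "lo" not in (rec["in"], rec["out"]):
        return False
    return not (is_local_address(rec.get("src", ""), local_addrs)
                and is_local_address(rec.get("dst", ""), local_addrs))


def scan(lines, local_addrs):
    """Return (line number, prefix, src, dst) for every flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_ulog_line(line)
        if rec and spurious_loopback(rec, local_addrs):
            hits.append((n, rec["prefix"], rec["src"], rec["dst"]))
    return hits


if __name__ == "__main__":
    for n, prefix, src, dst in scan(SAMPLE_LINES, LOCAL_ADDRS):
        print(f"line {n}: [{prefix}] non-local address on lo: {src} -> {dst}")
```

Run against a real ulogd or syslog file, replace `SAMPLE_LINES` with the file's lines and `LOCAL_ADDRS` with the firewall's actual interface addresses; anything the script reports is a packet that reached the loopback path with an address the loopback rules should never see, which is the case the tightened `127.0.0.1`-only fw2local/local2fw rules above are meant to reject.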
