No, I do not even have a stoppedrules file:

munin:~$ cat /etc/shorewall/stoppedrules
cat: /etc/shorewall/stoppedrules: No such file or directory
munin:~$

I have udp 123 forwarded (DNAT) to the box running ntpd.

All works well, but for some reason some packets are dropped every time I reboot.

I guess that is normal behaviour since the purpose of shorewall-init is to 
close the FW prior to networking since networking is brought up before 
shorewall is started.

But I don't understand why these packets are still dropped when shorewall is 
running.

All new udp connections are accepted and forwarded to the ntpd box.

But running conntrack -F fixes the problem.

________________________________________
From: Tom Eastep [[email protected]]
Sent: Monday, January 6, 2014 20:10
To: [email protected]
Subject: Re: [Shorewall-users] Closing FW prior to network initialization

On 1/6/2014 8:27 AM, Øyvind Lode wrote:
> Hi:
>
> I configured shorewall-init on my debian fw to avoid messages like this:
>
> ____________________________
>
> Jan  6 17:08:54 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=213.162.248.20 DST=81.166.42.2 LEN=76 TOS=00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=439 DPT=123 LEN=56 MARK=0
> Jan  6 17:08:58 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=193.212.132.34 DST=81.166.42.2 LEN=76 TOS=00 PREC=0x00 TTL=114 ID=26939 PROTO=UDP SPT=23009 DPT=123 LEN=56 MARK=0
> Jan  6 17:09:00 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=88.84.190.34 DST=81.166.42.2 LEN=76 TOS=00 PREC=0x00 TTL=116 ID=33107 PROTO=UDP SPT=227 DPT=123 LEN=56 MARK=0
> Jan  6 17:09:14 munin Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=193.212.132.34 DST=81.166.42.2 LEN=76 TOS=00 PREC=0x00 TTL=114 ID=27111 PROTO=UDP SPT=23009 DPT=123 LEN=56 MARK=0
>
> ____________________________
>
> I have a public ntp server running on a box behind the fw.
>
> Tom (Eastep) recommended that I configure shorewall-init to get rid of these 
> log entries.
>
> I installed shorewall-init and configured it to close the fw prior to networking 
> with:
>
> PRODUCTS="shorewall"
>
> In /etc/default/shorewall-init
>
> As I understand it this should be sufficient to close the fw before bringing 
> up networking.
>
> But I see the above messages in the log when I reboot.
>
> Flushing the connection tracking table is the only solution by running 
> 'conntrack -F'.
>
> But when I reboot the fw similar entries reappear in my fw logs and I have to 
> run conntrack -F manually.
>
> How can I prevent these entries cluttering my log?
>
> Shorewall 4.5.21.5 on debian sid running linux 3.12.6
>
> Please let me know if you need additional info about my config to help me 
> solve this problem.

Do you have anything in stoppedrules?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
