---------- Forwarded message --------- From: Vieri Di Paola <vieridipa...@gmail.com> Date: Tue, Nov 13, 2018 at 11:34 AM Subject: Re: [Shorewall-users] shorewall VLANs and network ranges To: <shorewall-users@lists.sourceforge.net> > > Here's the shorewall dump when I try to ping $FW (192.168.215.1) from > a host in "dmz0" with IP address 192.168.215.200: > > https://drive.google.com/open?id=1ldm7DZvTEgaMqtt7Rt_PydWGd-XcSwWd > > The dmz0 host gets ICMP replies from the Firewall. Why? > How can I properly reject this traffic?
Well, oddly enough, the ICMP traffic started to be rejected AFTER quite a while... Still though, I'm expecting to see a REJECT message on a regular basis in Shorewall's log because the host at 192.168.215.200 is pinging 192.168.210.1 continuously. Instead, here's the log: Nov 13 11:43:50 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32297 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7884 Nov 13 11:43:51 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32298 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7885 Nov 13 11:43:52 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32299 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7886 Nov 13 11:43:53 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32302 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7887 Nov 13 11:43:58 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32305 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7888 Nov 13 11:43:59 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32310 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7889 Nov 13 11:44:00 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7890 Nov 13 11:44:01 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32313 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7891 Nov 13 11:44:02 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32314 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7892 Nov 13 11:44:03 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32315 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7893 Nov 13 11:44:04 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32316 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7894 Nov 13 11:44:05 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32318 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7895 Nov 13 11:44:06 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32319 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7896 Nov 13 11:44:07 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32320 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7897 Nov 13 11:44:08 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7898 Nov 13 11:44:09 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32326 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7899 Nov 13 11:44:10 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32329 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7900 Nov 13 11:44:11 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32330 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7901 Nov 13 11:44:12 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32333 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7902 Nov 13 11:44:13 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32334 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7903 Nov 13 11:44:14 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32335 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7904 Nov 13 11:44:20 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32339 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7906 Nov 13 11:44:21 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32340 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7907 Nov 13 11:44:22 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32346 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7908 Nov 13 11:44:27 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32347 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7909 Nov 13 11:44:28 inf-fw2 kernel: Shorewall:dmz0-fw:REJECT:IN=br0 OUT= PHYSIN=enp8s5 MAC=00:e3:c0:5f:81:5d:f4:39:09:d9:14:c8:08:00 SRC=192.168.215.200 DST=192.168.215.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32348 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7910 Notice the jumps between 11:44:14-11:44:20 and 11:43:53-11:43:58. Vieri _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
