Here's another shorewall dump while pinging from a host with IP address 192.168.215.201 connected to a VLAN 1 Untagged switch port to the $FW's IP address 192.168.210.1, whose ethernet interface is connected to a VLAN 1 Tagged switch port (it is also Tagged VLAN 11).

https://drive.google.com/open?id=1Yir0pYxF4FfrfnE8THFQa09kaDPD6CsZ

I'm expecting DROPs because of my policy. The only ACCEPT rule I have is:

    Ping/ACCEPT:info    dmz11    $FW

However, the ICMP requests/replies are flowing.

    # tcpdump -n -i enp8s5 -e
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes
    15:00:41.249573 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11488, length 40
    15:00:41.249643 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11488, length 40
    15:00:42.252547 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11489, length 40
    15:00:42.252594 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11489, length 40
    15:00:43.255624 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11490, length 40
    15:00:43.255683 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11490, length 40
    15:00:44.259597 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11491, length 40
    15:00:44.259666 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11491, length 40
    15:00:45.262619 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11492, length 40
    15:00:45.262671 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11492, length 40
    15:00:46.265721 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11493, length 40
    15:00:46.265779 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11493, length 40
    15:00:46.697949 48:ee:0c:37:8e:2e > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 60: LLDP, length 46
    15:00:47.268733 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11494, length 40
    15:00:47.268814 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11494, length 40
    15:00:48.272706 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11495, length 40
    15:00:48.272752 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11495, length 40
    15:00:49.120878 fc:ec:da:a0:40:a5 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4, 192.168.210.48.50227 > 255.255.255.255.10001: UDP, length 146
    15:00:49.121759 fc:ec:da:a0:40:a5 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 212: vlan 1, p 0, ethertype IPv6, fe80::feec:daff:fea0:40a5.43336 > ff02::1.10001: UDP, length 146
    15:00:49.121950 fc:ec:da:a0:3d:a7 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4, 192.168.210.49.57553 > 255.255.255.255.10001: UDP, length 146
    15:00:49.275777 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11496, length 40
    15:00:49.275830 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11496, length 40
    15:00:50.278810 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11497, length 40
    15:00:50.278883 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11497, length 40
    15:00:51.282792 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11498, length 40
    15:00:51.282856 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11498, length 40
    ^C

Why isn't the ICMP request dropped?

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
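An added check, not from Vieri's post and not Shorewall's own code, that pairs each ICMP echo request in `tcpdump -n -e` output with its reply. A request in a capture taken on the parent interface only shows that the frame reached the NIC; the matching reply is what shows the host accepted and answered it. Grouping by (VLAN, pinger, target) therefore tells you, per VLAN, which flows the firewall actually passed. The capture lines are copied from the post above; the VLAN 11 request and the untagged request/reply pair are constructed, to show what an unanswered (dropped) request and an untagged frame look like. It goes slightly beyond the post by also parsing untagged frames, which the post's capture does not contain.

```python
"""Pair ICMP echo requests with replies in `tcpdump -n -e` output.

Added example (not from the mailing-list post). A request seen by tcpdump on
the parent interface proves only that the frame arrived; the matching reply
proves the firewall accepted it. Flows are keyed by (vlan, pinger, target).
"""
import re
from collections import defaultdict

# tcpdump -e prints the MAC addresses first. For tagged frames the 802.1Q header
# ("vlan N, p N, ethertype IPv4, ") precedes the IP addresses; for untagged
# frames the line reads "ethertype IPv4 (0x0800), length N: src > dst: ...".
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"(?:ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv4, "
    r"|ethertype IPv4 \(0x0800\), length \d+: )"
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_echo(line):
    """Return a dict for an ICMP echo request/reply line, or None for any other line."""
    m = ECHO_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["vlan"] = int(pkt["vlan"]) if pkt["vlan"] is not None else 0  # 0 = untagged
    pkt["id"] = int(pkt["id"])
    pkt["seq"] = int(pkt["seq"])
    return pkt


def pair_echoes(lines):
    """Group echoes by (vlan, pinger, target) and match each request with its reply.

    Returns {flow_key: {"requests": n, "replies": n, "unanswered": [seq, ...]}}.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "pending": {}})
    for line in lines:
        pkt = parse_echo(line)
        if pkt is None:
            continue  # LLDP, UDP broadcasts, tcpdump banners, "^C", etc.
        if pkt["kind"] == "request":
            flow = flows[(pkt["vlan"], pkt["src"], pkt["dst"])]
            flow["requests"] += 1
            flow["pending"][(pkt["id"], pkt["seq"])] = pkt["ts"]
        else:
            # A reply travels target -> pinger, so swap to land in the same flow.
            flow = flows[(pkt["vlan"], pkt["dst"], pkt["src"])]
            flow["replies"] += 1
            flow["pending"].pop((pkt["id"], pkt["seq"]), None)
    return {
        key: {
            "requests": f["requests"],
            "replies": f["replies"],
            "unanswered": sorted(seq for (_id, seq) in f["pending"]),
        }
        for key, f in flows.items()
    }


def report(flows):
    """One human-readable line per flow; returned as a list so callers can check it."""
    out = []
    for (vlan, src, dst), f in sorted(flows.items()):
        tag = "untagged" if vlan == 0 else f"vlan {vlan}"
        if f["replies"] and not f["unanswered"]:
            verdict = "answered"
        elif f["replies"]:
            verdict = "partly answered"
        else:
            verdict = "NOT answered"
        out.append(f"{tag:9} {src} -> {dst}: {f['requests']} req / {f['replies']} rep, "
                   f"{verdict}, unanswered seq {f['unanswered']}")
    return out


# Lines 1-5 are copied from the post's capture; the last three are constructed.
SAMPLE_CAPTURE = [
    "listening on enp8s5, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "15:00:41.249573 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.201 > 192.168.215.1: ICMP echo request, id 1, seq 11488, length 40",
    "15:00:41.249643 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 192.168.215.1 > 192.168.215.201: ICMP echo reply, id 1, seq 11488, length 40",
    "15:00:46.697949 48:ee:0c:37:8e:2e > 01:80:c2:00:00:0e, ethertype LLDP (0x88cc), length 60: LLDP, length 46",
    "15:00:49.120878 fc:ec:da:a0:40:a5 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 192: vlan 1, p 0, ethertype IPv4, 192.168.210.48.50227 > 255.255.255.255.10001: UDP, length 146",
    # constructed: a VLAN 11 request with no reply (what a DROP looks like on the wire)
    "15:01:02.000000 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype 802.1Q (0x8100), length 78: vlan 11, p 0, ethertype IPv4, 10.0.11.5 > 10.0.11.1: ICMP echo request, id 7, seq 1, length 40",
    # constructed: an untagged request/reply pair
    "15:01:03.000000 00:24:54:d9:cb:e4 > 00:e3:c0:5f:81:5d, ethertype IPv4 (0x0800), length 74: 192.168.1.2 > 192.168.1.1: ICMP echo request, id 9, seq 3, length 40",
    "15:01:03.000050 00:e3:c0:5f:81:5d > 00:24:54:d9:cb:e4, ethertype IPv4 (0x0800), length 74: 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 9, seq 3, length 40",
]

if __name__ == "__main__":
    for line in report(pair_echoes(SAMPLE_CAPTURE)):
        print(line)
```

Feed it a saved capture with `pair_echoes(open("capture.txt"))`; the "NOT answered" flows are the ones the firewall (or the target) silently dropped, while an "answered" flow on a VLAN the policy should block is the one to compare against the interfaces and zones Shorewall is actually applying to that VLAN.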