Hello Tom,

Many thanks for your help sorting out my issue.

The problem that I was experiencing appears to have been caused by a dodgy modem/router. Once I replaced the modem/router, my incoming and outgoing connections are working fine.

For others:

In my case, the connectivity issues were interspersed in the log file with martian destination messages such as:

=====
Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
=====

I did extensive searching for ‘martian destination’ posts on the web, but found very little information on their cause.

The best explanation for ‘martian destination’ messages that I have seen to date, came from Tom Eastep. In my case:

=====
The (‘martian destination’) packets are coming from your laptop, but it appears that the modem/router is mangling them (setting destination IP to 0.0.0.0). Note that if your laptop would have actually sent such packets, they would have never reached your on-prem modem/router. Messages like the above indicate that the packets are being dropped by the Linux IP stack.
=====

After replacing my external modem/router all is OK and I have not received any more such messages to date.

Kind regards,

Bruce Bannerman

> On 24 Feb 2020, at 18:30, Bruce Bannerman <bruban...@gmail.com> wrote:
>
> Tom,
>
> Thanks for the tip regarding the dodgy router/modem.
>
> I have now replaced it and run another set of tests:
>
> I’m still set up using the router/modem port forward configuration.
> All tests appeared to work OK: domain, smtp, smtps, msa, imaps, http, https
> I did not see any martian destination packets.
>
> I’ve included shorewall_dump-4 below.
>
> <snip/>
>
> Kind regards,
>
> Bruce
>
> <shorewall_dump-4.tar.gz>
>
>> On 23 Feb 2020, at 08:18, Bruce Bannerman <bruban...@gmail.com> wrote:
>>
>> Regarding Martian packets:
>>
>> Yes, I’m still seeing many of them under the router/modem port forward configuration.
>>
>> I’ll replace my modem tomorrow and try again.
>>
>> Thanks for the pointer.
>>
>> Kind regards,
>>
>> Bruce
>>
>>> On 23 Feb 2020, at 5:21 am, Tom Eastep <teas...@shorewall.net> wrote:
>>>
>>>> On 2/21/20 12:20 PM, Bruce Bannerman wrote:
>>>> Hi Tom,
>>>>
>>>> I have some partial improvement that may help.
>>>>
>>>> I have:
>>>>
>>>> * reset my nameserver to point each of my ‘servers’ to the IP address of the external interface of my external router/modem.
>>>> * on the external router/modem, I configured WAN Port Forwarding to point to several of the same /28 subnet external addresses as per my previous emails:
>>>>   o http, https 203.214.66.103
>>>>   o smtp 203.214.66.100
>>>>   o smtps, msa, imaps 203.214.66.104
>>>> * made no changes to my shorewall configuration.
>>>> * made no changes to the network addresses or routing configuration of my servers.
>>>> * made no changes to my web server, or reverse proxy server configuration.
>>>>
>>>> When testing externally I can now access the website at www.foss4climate.org <http://www.foss4climate.org/>. However, access is considerably slower than normal.
>>>>
>>>> NB: These tests were conducted soon after I made my nameserver changes. While my laptop’s nameserver could get the correct URL for the website, it had not picked up the correct URL for my mail servers. So ignore the mail related connections.
>>>>
>>>> Also note that my shorewall configuration does not take account of the router/modem's external interface, or IP address. It just accounts for the modem’s internal IP Address.
>>>>
>>>> Shorewall Dump for test 3 is attached.
>>>>
>>>> IP Addresses in test 3:
>>>>
>>>> 203.214.66.97 external router/modem gateway (internal interface)
>>>> 203.214.66.103 Reverse Proxy Server
>>>> 172.16.4.203 Web Server
>>>> 49.199.104.114 Laptop’s updated IP address
>>>
>>> It seems to me that from the Shorewall box's point of view, this configuration should be no different than the one where DNS resolves to the actual server addresses - by the time that packets reach the Shorewall system, they should look the same. Are you still seeing martian packets with this configuration?
>>>
>>> -Tom
>>> --
>>> Tom Eastep \ Q: What do you get when you cross a mobster
>>> Shoreline, \ with an international standard?
>>> Washington, USA \ A: Someone who makes you an offer you
>>> http://shorewall.org \ can't understand
>>> \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
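
An added example, not part of the original thread: a small Python triage script for the log pattern described in the message above. It groups kernel martian messages by kind, destination address and interface, and lists the interfaces that received packets addressed to 0.0.0.0, the pattern that was traced here to the upstream modem/router. The function names are illustrative, and every sample log line except the first (taken from the post) is constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Kernel format: "IPv4: martian <kind> <daddr> from <saddr>, [on ]dev <ifname>"
MARTIAN_RE = re.compile(
    r"martian (?P<kind>source|destination) (?P<daddr>\S+) "
    r"from (?P<saddr>[^,\s]+), (?:on )?dev (?P<dev>\S+)"
)

def parse_martians(lines):
    """Yield (kind, daddr, saddr, dev) for each well-formed martian log line."""
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        try:
            daddr = ipaddress.ip_address(m["daddr"])
            saddr = ipaddress.ip_address(m["saddr"])
        except ValueError:
            continue  # truncated or corrupted log line
        yield m["kind"], daddr, saddr, m["dev"]

def summarise(lines):
    """Group by (kind, daddr, dev) -> {"count": n, "sources": set of saddr}."""
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for kind, daddr, saddr, dev in parse_martians(lines):
        g = groups[(kind, str(daddr), dev)]
        g["count"] += 1
        g["sources"].add(str(saddr))
    return dict(groups)

def zeroed_destination_devs(lines):
    """Interfaces that received packets whose destination was 0.0.0.0."""
    return sorted({dev for kind, daddr, _, dev in parse_martians(lines)
                   if kind == "destination" and daddr.is_unspecified})

# Constructed sample: the first line is from the post, the rest are made up.
SAMPLE_LOG = """\
Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
Feb 21 10:16:09 fw kernel: [173039.412007] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
Feb 21 10:17:30 fw kernel: [173120.000311] IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth1
Feb 21 10:17:31 fw sshd[812]: Accepted publickey for admin from 192.0.2.44 port 50522 ssh2
""".splitlines()

if __name__ == "__main__":
    for (kind, daddr, dev), g in summarise(SAMPLE_LOG).items():
        print(f"{dev}: {g['count']} x martian {kind} {daddr} from {sorted(g['sources'])}")
    print("interfaces seeing destination 0.0.0.0:", zeroed_destination_devs(SAMPLE_LOG))
```

Repeated 0.0.0.0 destinations arriving on a single interface point at the device directly upstream of that interface, which is where the fault was found in this thread.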