[Shorewall-users] Blocking local broadcasts

Drew Alexander Reed D.A.Reed@c-hacker.co.uk
Mon, 29 Apr 2002 13:58:13 +0100 (BST)


Hi

I have a bit of a problem in that all broadcast packets from my firewall
to my local network are being blocked.  This has the effect of causing
samba and things like zebra (routing daemon) to report constant errors.

The blocking seems to be being done by the common chain, which looks like
this:

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    6   336 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 1491 68338 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10
    3  1580 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x04/0x04
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255


However, the common file only contains:
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 1900        -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4     -j DROP

I can't see where the last 2 entries as reported by shorewall status are
coming from, or how to stop it blocking the 192.168.0.255 address from the
firewall out to the eth1 interface.

Thanks

-- 
Drew Alexander Reed
http://www.c-hacker.co.uk
ICQ: 47205581
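
Added example, not part of the original post and not Shorewall code: a Python check that compares the rows of the chain listing above with the run_iptables lines of the common file as multisets, so a rule present more often in the running chain than in the file is reported. The function names are hypothetical; the inputs are the post's listing and file re-typed inline.

```python
from collections import Counter

# Inputs re-typed from the post (listing rows with wrapped lines rejoined).
COMMON_FILE = """\
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 1900        -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4     -j DROP
"""
LISTING = """\
    6   336 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
 1491 68338 ACCEPT  tcp  -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
    3  1580 ACCEPT  tcp  -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04
    0     0 DROP    udp  -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
    0     0 DROP    all  -- * * 0.0.0.0/0 255.255.255.255
    0     0 DROP    all  -- * * 0.0.0.0/0 224.0.0.0/4
    0     0 DROP    all  -- * * 0.0.0.0/0 255.255.255.255
    0     0 DROP    all  -- * * 0.0.0.0/0 192.168.0.255
"""
TCP_FLAGS = {"ACK": 0x10, "RST": 0x04}  # TCP header flag bit values

def opt(tok, flag, default):
    """Value following `flag` in the token list, or `default`."""
    return tok[tok.index(flag) + 1] if flag in tok else default

def file_rules(text, chain="common"):
    """Normalise each 'run_iptables -A <chain>' line to (target, proto, dest, match)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["run_iptables", "-A", chain]:
            continue
        proto, match = opt(tok, "-p", "all"), ""
        if "--tcp-flags" in tok:
            i = tok.index("--tcp-flags")
            match = "tcp flags:0x%02X/0x%02X" % (TCP_FLAGS[tok[i + 1]], TCP_FLAGS[tok[i + 2]])
        elif "--dport" in tok:
            match = "%s dpt:%s" % (proto, opt(tok, "--dport", ""))
        rules.append((opt(tok, "-j", ""), proto, opt(tok, "-d", "0.0.0.0/0"), match))
    return rules

def listed_rules(text):
    # Columns: pkts bytes target prot opt in out source destination [match text]
    rows = (line.split() for line in text.splitlines())
    return [(f[2], f[3], f[8], " ".join(f[9:])) for f in rows if len(f) >= 9 and f[0].isdigit()]

def unexplained(listing, common_file):
    """Rules in the running chain that the common file does not account for."""
    return sorted((Counter(listed_rules(listing)) - Counter(file_rules(common_file))).elements())
```

On the inputs above, `unexplained(LISTING, COMMON_FILE)` returns the second 255.255.255.255 DROP and the 192.168.0.255 DROP, i.e. the two rows that some source other than the common file must have added.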