[Shorewall-users] hopeless - smb over bridgedfirewall

Florian Didszun florian at didszun.de
Mon Sep 27 13:09:55 PDT 2004


Hi,

I restarted my system with Shorewall disabled and without any netfilter modules.

And it doesn't work. Your assumption was right. When I ssh to the machine and
do a ps aux, it freezes.

I use MTU 1500. Have you any ideas?

cheers

Florian



-----Original Message-----
From: shorewall-users-bounces at lists.shorewall.net
[mailto:shorewall-users-bounces at lists.shorewall.net] On behalf of Axel
Westerhold
Sent: Monday, 27 September 2004 19:15
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] hopeless - smb over bridgedfirewall


I apologize for the SPAM tag in the Subject. I simply forgot to remove 
it and had no time to find out why it actually is set for this kind of 
mail.

Axel Westerhold
Technical Lead
Congos Inc.
Axel at congos-tools.com
Tel.: 0049 5732 688040



Axel Westerhold wrote:
> Mmmh, if you SSH and do a ps -aux or a long ls -lah or something
> similar, does it still work or does it freeze too?
> 
> I am asking because I ran into a few MTU size issues lately which always
> resulted in tunnels coming up and most basic stuff like simple SSH or
> telnet working fine but with a bigger amount of data it started freezing
> without any hint in any firewall or VPN log.
> 
> 
> Axel Westerhold
> Technical Lead
> Congos Inc.
> Axel at congos-tools.com
> Tel.: 0049 5732 688040
> 
> 
> 
> Florian Didszun wrote:
>  > Hi,
>  >
>  > I'm desperate.
>  >
>  > I've changed a lot and nothing works. In the interfaces file I've changed
>  > the global device (- br0 options) to a single device (loc br0 options).
>  >
>  > In the hosts file I made no settings.
>  >
>  > rules:
>  > AllowSSH        net     fw
>  > AllowSSH        loc     fw
>  > AllowSSH        fw      loc
>  > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>  >
>  > policy:
>  > fw              net             ACCEPT
>  > fw              loc             ACCEPT
>  > loc             net             ACCEPT
>  > loc             fw              ACCEPT
>  > net             all             DROP            ULOG
>  > #
>  > # THE FOLLOWING POLICY MUST BE LAST
>  > #
>  > all             all             REJECT          ULOG
>  >
>  > So what is wrong? I hope somebody can help.
>  >
>  > Regards
>  >
>  > Florian
>  >
>  >
>  > -----Original Message-----
>  > From: shorewall-users-bounces at lists.shorewall.net
>  > [mailto:shorewall-users-bounces at lists.shorewall.net] On behalf of
>  > Eduardo Ferreira
>  > Sent: Friday, 24 September 2004 15:04
>  > To: Mailing List for Shorewall Users
>  > Subject: Re: [Shorewall-users] hopeless - smb over bridged firewall
>  >
>  >
>  > Florian wrote on 24/09/2004 08:47:43:
>  >
>  >  > I use a shorewall 2.0.8 on a Debian sarge system. I use a DSL connection
>  >  > to the Internet (ppp0 - eth1 to the modem) and a bridge to the local
>  >  > LAN. The bridged config I've made with bridge.html from the shorewall
>  >  > site. The bridge is between the local net and an openvpn tap device. This
>  >  > works. I can make tunnels, and I can make a lot of things through the
>  >  > firewall. I can get a list of shares on a samba server in the net, I can
>  >  > make ftp connections, I can make ssh connections. But when I want to
>  >  > connect to a samba share (smbclient //IP/share) or when I mount the
>  >  > share as a network device in windows and want a listing of all files, I
>  >  > get a timeout. There are no Rejects or Drops or whatever. I tested and
>  >  > read a lot but I don't find the error. I hope that anybody has an idea
>  >  > for this problem.
>  >  >
>  > There is something wrong here. Let's navigate from the FORWARD chain on:
>  > Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  >  pkts bytes target     prot opt in     out     source destination
>  >   152 21948 br0_fwd    all  --  br0    *       0.0.0.0/0 0.0.0.0/0
>  >
>  > Packets coming from the bridge enter this chain (br0_fwd):
>  > Chain br0_fwd (1 references)
>  >  pkts bytes target     prot opt in     out     source destination
>  >    89 17880 all2all    all  --  *      br0     0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth0 --physdev-out tap0
>  >
>  > Hummm... a packet coming from br0 to br0 (via eth0 to tap0) goes to the
>  > all2all chain. That's not good:
>  > Chain all2all (2 references)
>  >  pkts bytes target     prot opt in     out     source destination
>  >    35  5296 Reject     all  --  *      *       0.0.0.0/0 0.0.0.0/0
>  >
>  > because they must be tested against chain Reject:
>  > Chain Reject (5 references)
>  >  pkts bytes target     prot opt in     out     source destination
>  >     9  2064 RejectSMB  all  --  *      *       0.0.0.0/0 0.0.0.0/0
>  >
>  > where they are sent to RejectSMB, where they are silently rejected:
>  > Chain RejectSMB (1 references)
>  >  pkts bytes target     prot opt in     out     source destination
>  >     0     0 reject     udp  --  *      *       0.0.0.0/0 0.0.0.0/0   udp dpt:135
>  >     8  2004 reject     udp  --  *      *       0.0.0.0/0 0.0.0.0/0   udp dpts:137:139
>  >     0     0 reject     udp  --  *      *       0.0.0.0/0 0.0.0.0/0   udp dpt:445
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0   tcp dpt:135
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0   tcp dpt:139
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0   tcp dpt:445
>  >
>  > Look at your policy and rules files. Something is wrong there.
>  >
>  > hope it helps,
>  >
>  >  > Regards.
>  >  >
>  >  > Florian
>  >  > [attachment "status.txt" deleted by Eduardo Ferreira/ICATU]
>  >  > _______________________________________________
>  >  > Shorewall-users mailing list
>  >  > Post: Shorewall-users at lists.shorewall.net
>  >  > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>  >  > Support: http://www.shorewall.net/support.htm
>  >  > FAQ: http://www.shorewall.net/FAQ.htm
>  >
>  >
>  > ------------------------------------------------------------------------
>  >
>  > Shorewall-2.0.8 Status at blaster - Sat Sep 25 23:12:42 CEST 2004
>  >
>  > Counters reset Sat Sep 25 23:11:21 CEST 2004
>  >
>  > Chain INPUT (policy DROP 0 packets, 0 bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DROP      !icmp --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID
>  >   128 13152 ppp0_in    all  --  ppp0   *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     2   351 br0_in     all  --  br0    *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 Reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=INPUT:1 
> a=REJECT ' queue_threshold 1
>  >     0     0 reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP      !icmp --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID
>  >     0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            
> 0.0.0.0/0          
>  >    43 14875 br0_fwd    all  --  br0    *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 Reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=FORWARD:1 
> a=REJECT ' queue_threshold 1
>  >     0     0 reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DROP      !icmp --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID
>  >     0     0 ACCEPT     udp  --  *      br0     0.0.0.0/0            
> 0.0.0.0/0           udp dpts:67:68
>  >   194 28020 fw2net     all  --  *      ppp0    0.0.0.0/0            
> 0.0.0.0/0          
>  >     1    90 fw2loc     all  --  *      br0     0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 Reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=OUTPUT:1 
> a=REJECT ' queue_threshold 1
>  >     0     0 reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain AllowSSH (3 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:22
>  >
>  > Chain Drop (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     3   144 RejectAuth  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     3   144 dropBcast  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     3   144 dropInvalid  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     3   144 DropSMB    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DropUPnP   all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 dropNotSyn  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DropDNSrep  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain DropDNSrep (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp spt:53
>  >
>  > Chain DropSMB (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:135
>  >     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:137:139
>  >     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:445
>  >     0     0 DROP       tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:135
>  >     0     0 DROP       tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:139
>  >     3   144 DROP       tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:445
>  >
>  > Chain DropUPnP (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:1900
>  >
>  > Chain Reject (4 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 RejectAuth  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 dropBcast  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 dropInvalid  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 RejectSMB  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DropUPnP   all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 dropNotSyn  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 DropDNSrep  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain RejectAuth (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:113
>  >
>  > Chain RejectSMB (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 reject     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:135
>  >     0     0 reject     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:137:139
>  >     0     0 reject     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpt:445
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:135
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:139
>  >     0     0 reject     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:445
>  >
>  > Chain all2all (0 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     0     0 Reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=all2all:1 
> a=REJECT ' queue_threshold 1
>  >     0     0 reject     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain br0_fwd (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     5   495 dynamic    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID,NEW
>  >     5   240 loc2net    all  --  *      ppp0    0.0.0.0/0            
> 0.0.0.0/0          
>  >    38 14635 ACCEPT     all  --  *      br0     0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain br0_in (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     2   351 dynamic    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID,NEW
>  >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           udp dpts:67:68
>  >     2   351 loc2fw     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain dropBcast (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           PKTTYPE = broadcast
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           PKTTYPE = multicast
>  >
>  > Chain dropInvalid (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID
>  >
>  > Chain dropNotSyn (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp flags:!0x16/0x02
>  >
>  > Chain dynamic (4 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain fw2loc (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     1    90 AllowSSH   all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     1    90 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain fw2net (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >   194 28020 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            
> 213.54.197.136      udp spt:7777 dpt:7777
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain icmpdef (0 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain loc2fw (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     2   351 AllowSSH   all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     2   351 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain loc2net (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     5   240 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain net2all (2 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     3   144 Drop       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=net2all:1 
> a=DROP ' queue_threshold 1
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain net2fw (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >   125 13008 ACCEPT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state RELATED,ESTABLISHED
>  >     0     0 ACCEPT     udp  --  *      *       213.54.197.136       
> 0.0.0.0/0           udp spt:7777 dpt:7777
>  >     3   144 AllowSSH   all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >     3   144 net2all    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain ppp0_fwd (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 dynamic    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID,NEW
>  >     0     0 net2all    all  --  *      br0     0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain ppp0_in (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     3   144 dynamic    all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           state INVALID,NEW
>  >   128 13152 net2fw     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain reject (11 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           PKTTYPE = broadcast
>  >     0     0 DROP       all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           PKTTYPE = multicast
>  >     0     0 DROP       all  --  *      *       192.168.11.255       
> 0.0.0.0/0          
>  >     0     0 DROP       all  --  *      *       255.255.255.255      
> 0.0.0.0/0          
>  >     0     0 DROP       all  --  *      *       224.0.0.0/4          
> 0.0.0.0/0          
>  >     0     0 REJECT     tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with tcp-reset
>  >     0     0 REJECT     udp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with icmp-port-unreachable
>  >     0     0 REJECT     icmp --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with icmp-host-unreachable
>  >     0     0 REJECT     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           reject-with icmp-host-prohibited
>  >
>  > Chain shorewall (0 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain smurfs (0 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ULOG       all  --  *      *       192.168.11.255       
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:1 
> a=DROP ' queue_threshold 1
>  >     0     0 DROP       all  --  *      *       192.168.11.255       
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       255.255.255.255      
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:2 
> a=DROP ' queue_threshold 1
>  >     0     0 DROP       all  --  *      *       255.255.255.255      
> 0.0.0.0/0          
>  >     0     0 ULOG       all  --  *      *       224.0.0.0/4          
> 0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `fp=smurfs:3 
> a=DROP ' queue_threshold 1
>  >     0     0 DROP       all  --  *      *       224.0.0.0/4          
> 0.0.0.0/0          
>  >
>  >
>  > NAT Table
>  >
>  > Chain PREROUTING (policy ACCEPT 287K packets, 17M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain POSTROUTING (policy ACCEPT 115K packets, 9065K bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain OUTPUT (policy ACCEPT 105K packets, 7230K bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain ppp0_masq (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 MASQUERADE  all  --  *      *       192.168.11.0/24      
> 0.0.0.0/0          
>  >
>  > Mangle Table
>  >
>  > Chain PREROUTING (policy ACCEPT 2612K packets, 1089M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >   174 28299 pretos     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain INPUT (policy ACCEPT 2471K packets, 991M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain FORWARD (policy ACCEPT 161K packets, 101M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain OUTPUT (policy ACCEPT 2546K packets, 995M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >   198 28282 outtos     all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0          
>  >
>  > Chain POSTROUTING (policy ACCEPT 2709K packets, 1096M bytes)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >
>  > Chain outtos (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:22 TOS set 0x10
>  >   133  8056 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:22 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:21 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:21 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:20 TOS set 0x08
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:20 TOS set 0x08
>  >
>  > Chain pretos (1 references)
>  >  pkts bytes target     prot opt in     out     source               
> destination        
>  >   101  9240 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:22 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:22 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:21 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:21 TOS set 0x10
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp spt:20 TOS set 0x08
>  >     0     0 TOS        tcp  --  *      *       0.0.0.0/0            
> 0.0.0.0/0           tcp dpt:20 TOS set 0x08
>  >
>  > tcp      6 431591 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 
> sport=33029 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 
> dport=33029 [ASSURED] use=1
>  > tcp      6 16 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 
> sport=3196 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 
> dport=3196 [ASSURED] use=1
>  > tcp      6 264747 ESTABLISHED src=192.168.11.11 dst=192.168.11.62 
> sport=139 dport=1032 [UNREPLIED] src=192.168.11.62 dst=192.168.11.11 
> sport=1032 dport=139 use=1
>  > tcp      6 9 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 
> sport=3194 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 
> dport=3194 [ASSURED] use=1
>  > udp      17 178 src=212.202.210.90 dst=213.54.197.136 sport=7777 
> dport=7777 src=213.54.197.136 dst=212.202.210.90 sport=7777 dport=7777 
> [ASSURED] use=1
>  > udp      17 23 src=192.168.11.11 dst=192.168.11.1 sport=32868 
> dport=53 src=192.168.11.1 dst=192.168.11.11 sport=53 dport=32868 
> [ASSURED] use=1
>  > udp      17 91 src=192.168.11.1 dst=192.168.11.1 sport=1345 dport=53 
> src=192.168.11.1 dst=192.168.11.1 sport=53 dport=1345 [ASSURED] use=1
>  > tcp      6 30 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 
> sport=3200 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 
> dport=3200 [ASSURED] use=1
>  > tcp      6 20 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 
> sport=3197 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 
> dport=3197 [ASSURED] use=1
>  > tcp      6 431998 ESTABLISHED src=213.54.197.136 dst=212.202.210.90 
> sport=34561 dport=22 src=212.202.210.90 dst=213.54.197.136 sport=22 
> dport=34561 [ASSURED] use=1
>  > unknown  2 195 src=192.168.11.150 dst=224.0.0.22 [UNREPLIED] 
> src=224.0.0.22 dst=192.168.11.150 use=1
>  > tcp      6 431983 ESTABLISHED src=192.168.11.150 dst=192.168.11.11 
> sport=3305 dport=139 src=192.168.11.11 dst=192.168.11.150 sport=139 
> dport=3305 [ASSURED] use=1
>  > tcp      6 54 SYN_RECV src=192.168.1.30 dst=192.168.11.11 sport=3306 
> dport=139 src=192.168.11.11 dst=192.168.1.30 sport=139 dport=3306 use=1
>  > tcp      6 23 TIME_WAIT src=212.202.210.90 dst=217.160.223.13 
> sport=3198 dport=995 src=217.160.223.13 dst=212.202.210.90 sport=995 
> dport=3198 [ASSURED] use=1
>  >
>  > IP Configuration
>  >
>  > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>  >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>  >     inet 127.0.0.1/8 scope host lo
>  >     inet6 ::1/128 scope host
>  >        valid_lft forever preferred_lft forever
>  > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
> qlen 1000
>  >     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
>  >     inet6 fe80::201:2ff:fe10:773a/64 scope link
>  >        valid_lft forever preferred_lft forever
>  > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>  >     link/ether 00:50:ba:c9:be:76 brd ff:ff:ff:ff:ff:ff
>  >     inet6 fe80::250:baff:fec9:be76/64 scope link
>  >        valid_lft forever preferred_lft forever
>  > 4: sit0: <NOARP> mtu 1480 qdisc noop
>  >     link/sit 0.0.0.0 brd 0.0.0.0
>  > 6: tap0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast 
> qlen 1000
>  >     link/ether 00:ff:a6:07:65:f7 brd ff:ff:ff:ff:ff:ff
>  >     inet6 fe80::2ff:a6ff:fe07:65f7/64 scope link
>  >        valid_lft forever preferred_lft forever
>  > 7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>  >     link/ether 00:01:02:10:77:3a brd ff:ff:ff:ff:ff:ff
>  >     inet 192.168.11.1/24 brd 192.168.11.255 scope global br0
>  >     inet6 fe80::201:2ff:fe10:773a/64 scope link
>  >        valid_lft forever preferred_lft forever
>  > 11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast 
> qlen 3
>  >     link/ppp
>  >     inet 212.202.210.90 peer 213.148.128.18/32 scope global ppp0
>  >
>  > Routing Rules
>  >
>  > 0:    from all lookup local
>  > 32766:        from all lookup main
>  > 32767:        from all lookup default
>  >
>  > Table local:
>  >
>  > broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
>  > local 192.168.11.1 dev br0  proto kernel  scope host  src 192.168.11.1
>  > broadcast 192.168.11.0 dev br0  proto kernel  scope link  src 
> 192.168.11.1
>  > broadcast 192.168.11.255 dev br0  proto kernel  scope link  src 
> 192.168.11.1
>  > local 212.202.210.90 dev ppp0  proto kernel  scope host  src 
> 212.202.210.90
>  > broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
>  > local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
>  > local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
>  >
>  > Table main:
>  >
>  > 213.148.128.18 dev ppp0  proto kernel  scope link  src 212.202.210.90
>  > 192.168.11.0/24 dev br0  proto kernel  scope link  src 192.168.11.1
>  > default via 213.148.128.18 dev ppp0
>  >
>  > Table default:
>  >
>  >
>  >
>  > ------------------------------------------------------------------------
>  >
> 
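As an added example (not code from the thread, from Shorewall or from any of its posters), the chain walk Eduardo does by hand in the quoted message above, automated: the script parses `iptables -L -v -n` output and follows a packet's jumps from FORWARD to the chain that decides its fate, so a silent reject such as the RejectSMB one is found without reading every chain. The listing is constructed from the chain excerpts quoted in the thread, and the helper names, the packet fields (protocol, port, interfaces, bridge ports, conntrack state) and the subset of match extensions handled (dpt/dpts, physdev, state) are my assumptions, not a full iptables matcher.

```python
"""Trace a packet through `iptables -L -v -n` output to the chain that decides
its fate. Listing constructed from the chain excerpts quoted in the thread."""
import re

SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination
  152 21948 br0_fwd    all  --  br0    *       0.0.0.0/0 0.0.0.0/0

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source destination
   89 17880 all2all    all  --  *      br0     0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth0 --physdev-out tap0
    5   240 loc2net    all  --  *      ppp0    0.0.0.0/0 0.0.0.0/0

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   35  5296 Reject     all  --  *      *       0.0.0.0/0 0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0 0.0.0.0/0

Chain Reject (5 references)
 pkts bytes target     prot opt in     out     source destination
    9  2064 RejectSMB  all  --  *      *       0.0.0.0/0 0.0.0.0/0

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source destination
    8  2004 reject     udp  --  *      *       0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0 tcp dpt:139

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


def parse_listing(text):
    """Return {chain: {"policy": built-in policy or None, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        # pkts bytes target prot opt in out source destination [match text]
        current["rules"].append({"target": cols[2], "prot": cols[3], "in": cols[5],
                                 "out": cols[6], "extra": " ".join(cols[9:])})
    return chains


def _field_ok(rule_val, pkt_val, wildcard):
    if rule_val.startswith("!"):  # iptables negation, e.g. "!icmp"
        return pkt_val != rule_val[1:]
    return rule_val in (wildcard, pkt_val)


def rule_matches(rule, pkt):
    """Columns plus the match extensions the thread's listing uses."""
    if not all(_field_ok(rule[c], pkt[c], w)
               for c, w in (("prot", "all"), ("in", "*"), ("out", "*"))):
        return False
    extra = rule["extra"]
    m = re.search(r"\bdpts?:(\d+)(?::(\d+))?", extra)  # dpt:N or dpts:LO:HI
    if m and not int(m.group(1)) <= pkt["dport"] <= int(m.group(2) or m.group(1)):
        return False
    for key in ("physdev_in", "physdev_out"):  # bridge-port matches
        m = re.search("--%s (\\S+)" % key.replace("_", "-"), extra)
        if m and m.group(1) != pkt.get(key):
            return False
    m = re.search(r"\bstate (\S+)", extra)  # conntrack state list
    if m and pkt.get("state", "NEW") not in m.group(1).split(","):
        return False
    return True


def trace(chains, pkt, chain="FORWARD"):
    """Return (chains on the deciding path, verdict): the terminal target (or a
    jump to an unlisted target such as Shorewall's `reject`) or the policy."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:  # user-defined chain: descend into it
            path, verdict = trace(chains, pkt, target)  # None if it fell through
            if verdict is not None:
                return [chain] + path, verdict
        elif target not in ("ULOG", "LOG"):  # logging never ends the walk
            return [chain], target
    return [chain], chains[chain]["policy"]  # None for a user chain


def smb_from_lan_to_vpn():
    """The thread's case: new TCP/139 entering br0 on eth0, leaving on tap0."""
    pkt = {"prot": "tcp", "dport": 139, "in": "br0", "out": "br0",
           "physdev_in": "eth0", "physdev_out": "tap0", "state": "NEW"}
    return trace(parse_listing(SAMPLE), pkt)
```

Run against a real `shorewall status` dump, the same walk shows whether a bridged SMB packet ends in RejectSMB (a policy or zone problem) or is accepted (pointing back to the MTU theory).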