LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Re: odd shorewall behaviour

Gavin McCullagh ilug_gmc at fiachra.ucd.ie
Tue Feb 15 11:33:03 GMT 2005


Hi,

Gavin McCullagh wrote: 

> I'm running a Debian Sarge machine here with shorewall on it on 2.6.8.
> As it's my home machine I quite commonly connect to it from college over
> ssh,http(s).  My brother is away in Lanzarote and trying to connect.  But
> he's being refused by the firewall on both ssh and https.

I think I've pretty much understood this now.  Many thanks in particular to
Brian Brazil for his help offlist.  Sorry for the lateness of the summary,
I've been a little busy.

It seems that at some stage shorewall introduced banning of bogons, that is,
IP ranges which have not been assigned and as such nobody should be getting
requests from.  They started off by appending the ranges to
/etc/shorewall/rfc1918 so when one got blocked, rfc1918 appeared as the
reason.  Just like this:

> # Log of his refusal on ssh
> Feb  4 18:22:59 robin kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC=
> SRC=83.39.XX.XXX DST=194.46.XX.XXX LEN=44 TOS=0x10 PREC=0x00 TTL=50
> ID=17763 DF PROTO=TCP SPT=14770 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Since then, the shorewall developers have separated the bogons into their
own file curiously called bogons.  They also moved both of these files to
/usr/share/shorewall/.  However, for some reason shorewall continues to
look at /etc/shorewall/rfc1918 .

Unlike rfc1918 permanently reserved addresses, bogons ranges are a somewhat
moving target as unused ranges are returned to IANA and others are
allocated.  One of the lines in my /etc/shorewall/rfc1918 file is:

83.0.0.0/8      logdrop     # Reserved

which is a former bogon which has since been allocated.  My brother happened to
be in that ip range.

APT was now upgrading the files in /usr/share/shorewall but ignoring
/etc/shorewall/rfc1918.  So I had a stale bogons list.  I've moved it out
of the way and all seems good now, though my brother is no longer there to
test it; 'shorewall status' no longer shows a block on the above range.

Thanks to all who read and/or replied,
Gavin
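The two checks described in the message above, as an added example (not code from the post or from the Shorewall project): parsing a Shorewall kernel log line to find which entry in an rfc1918/bogons-style file dropped it, and comparing a local /etc/shorewall/rfc1918 against the packaged bogons list to flag entries that have gone stale. The file contents and the unmasked addresses are constructed stand-ins; the only file format assumed is the "SUBNET TARGET # comment" layout shown in the post.

```python
"""Explain a Shorewall DROP and flag stale local bogon entries.

Added example, not part of the original post. Rule-file contents,
the packaged-bogons stand-in and the full IP addresses are constructed.
"""
import ipaddress
import re

# Constructed: lines in the format of /etc/shorewall/rfc1918, including
# the stale "Reserved" entry quoted in the post.
LOCAL_RFC1918 = """\
# SUBNETS        TARGET    # comment
10.0.0.0/8       logdrop   # RFC 1918
172.16.0.0/12    logdrop   # RFC 1918
192.168.0.0/16   logdrop   # RFC 1918
83.0.0.0/8       logdrop   # Reserved
"""

# Constructed stand-in for a current packaged bogons file, from which
# 83.0.0.0/8 has been removed after the range was allocated.
PACKAGED_BOGONS = """\
0.0.0.0/8        logdrop   # Reserved
1.0.0.0/8        logdrop   # Reserved
"""

# Constructed log line in the format quoted in the post (addresses filled in).
LOG_LINE = ("Feb  4 18:22:59 robin kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= "
            "SRC=83.39.10.20 DST=194.46.1.2 LEN=44 TOS=0x10 PREC=0x00 TTL=50 "
            "ID=17763 DF PROTO=TCP SPT=14770 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0")

SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_rule_file(text):
    """Return [(network, target)] from a SUBNET TARGET # comment style file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        subnet, target = line.split()[:2]
        rules.append((ipaddress.ip_network(subnet), target))
    return rules


def parse_log_line(line):
    """Split a Shorewall kernel log line into chain, action and key=value fields."""
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        if "=" in tok:                          # flags like DF / SYN carry no value
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def matching_rule(fields, rules):
    """Return the first (network, target) whose subnet contains the SRC address."""
    src = ipaddress.ip_address(fields["SRC"])
    for net, target in rules:
        if src in net:
            return net, target
    return None


def stale_entries(local_rules, packaged_rules):
    """Local non-private entries that the packaged bogons list no longer carries."""
    packaged = {net for net, _ in packaged_rules}
    return [net for net, _ in local_rules
            if net not in packaged and not net.is_private]


if __name__ == "__main__":
    fields = parse_log_line(LOG_LINE)
    local = parse_rule_file(LOCAL_RFC1918)
    hit = matching_rule(fields, local)
    print(f"{fields['action']} in chain {fields['chain']}: SRC={fields['SRC']} "
          f"DPT={fields['DPT']} matched {hit[0]} ({hit[1]})")
    for net in stale_entries(local, parse_rule_file(PACKAGED_BOGONS)):
        print(f"stale local entry: {net} is no longer in the packaged bogons list")
```

Run against the real files by reading /etc/shorewall/rfc1918 and /usr/share/shorewall/bogons instead of the constructed strings; any entry the second function reports is a candidate for a legitimate, newly allocated range being dropped.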
