Gavin McCullagh wrote:
> I'm running a Debian Sarge machine here with shorewall on it on 2.6.8.
> As it's my home machine I quite commonly connect to it from college over
> ssh, http(s). My brother is away in Lanzarote and trying to connect. But
> he's being refused by the firewall on both ssh and https.
I think I've pretty much understood this now. Many thanks in particular to
Brian Brazil for his help offlist. Sorry for the lateness of the summary,
I've been a little busy.
It seems that at some stage shorewall introduced banning of bogons, that is,
IP ranges which have not been assigned and as such nobody should be getting
requests from. They started off by appending the ranges to
/etc/shorewall/rfc1918, so when one got blocked, rfc1918 appeared as the
reason. Just like this:
> # Log of his refusal on ssh
> Feb 4 18:22:59 robin kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC=
> SRC=83.39.XX.XXX DST=194.46.XX.XXX LEN=44 TOS=0x10 PREC=0x00 TTL=50
> ID=17763 DF PROTO=TCP SPT=14770 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Since then, the shorewall developers have separated the bogons into their
own file, curiously called bogons. They also moved both of these files to
/usr/share/shorewall/. However, for some reason shorewall continues to
look at /etc/shorewall/rfc1918.
Unlike rfc1918 permanently reserved addresses, bogons ranges are a somewhat
moving target as unused ranges are returned to IANA and others are
allocated. One of the lines in my /etc/shorewall/rfc1918 file is:
188.8.131.52/8 logdrop # Reserved
which is a former bogon which has since been allocated. My brother happened to
be in that IP range.
APT was now upgrading the files in /usr/share/shorewall but ignoring
/etc/shorewall/rfc1918. So I had a stale bogons list. I've moved it out
of the way and all seems good now; though my brother is no longer there to
test it, 'shorewall status' no longer shows a block on the above range.
Thanks to all who read and/or replied,
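The diagnosis in the message above (read the chain name and SRC out of the Shorewall log line, find the entry in the rfc1918-style file that matches it, and notice that the entry is not actually RFC 1918 space and so may be a stale bogon) can be scripted. The following is an added example, not code from the post or from the shorewall project. It assumes the file uses shorewall's "SUBNET TARGET" layout with '#' comments; the sample file contents, the 83.0.0.0/8 entry and the log line's addresses are constructed for the example (the real addresses in the post are redacted).

```python
import ipaddress
import re

# Constructed sample of an /etc/shorewall/rfc1918-style file ("SUBNET TARGET", '#' comments).
# The 83.0.0.0/8 line stands in for a formerly-unallocated range that has since been assigned.
SAMPLE_RFC1918 = """\
# SUBNET          TARGET
10.0.0.0/8        logdrop   # RFC 1918
172.16.0.0/12     logdrop   # RFC 1918
192.168.0.0/16    logdrop   # RFC 1918
83.0.0.0/8        logdrop   # Reserved (constructed example of a stale bogon entry)
"""

# Constructed log line in the Shorewall/netfilter format quoted in the thread.
SAMPLE_LOG = (
    "Feb  4 18:22:59 robin kernel: Shorewall:rfc1918:DROP:IN=ppp0 OUT= MAC= "
    "SRC=83.39.1.2 DST=194.46.1.2 LEN=44 TOS=0x10 PREC=0x00 TTL=50 "
    "ID=17763 DF PROTO=TCP SPT=14770 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0"
)

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by netfilter's key=value fields.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)"
)

# The three blocks that RFC 1918 actually reserves; anything else in the file is a bogon entry.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_rules(text):
    """Return [(line_number, ip_network, target)] for each non-comment line of the file."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'SUBNET TARGET', got {raw!r}")
        rules.append((lineno, ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules


def parse_log_line(line):
    """Extract chain, disposition, source address and destination port; None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "chain": m["chain"],
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dpt": int(m["dpt"]),
    }


def matching_rules(rules, addr):
    """All file entries whose subnet contains addr (first match is what the firewall acted on)."""
    return [(lineno, net, target) for lineno, net, target in rules if addr in net]


def stale_candidates(rules):
    """Entries that are not inside any RFC 1918 block: these are bogon ranges and can go stale."""
    return [
        (lineno, net, target)
        for lineno, net, target in rules
        if not any(net.subnet_of(block) for block in RFC1918_BLOCKS)
    ]


def explain_drop(rules_text, log_line):
    """Map a dropped connection back to the file line(s) responsible, as (line, subnet, target)."""
    event = parse_log_line(log_line)
    if event is None:
        return []
    rules = parse_rules(rules_text)
    return [(lineno, str(net), target) for lineno, net, target in matching_rules(rules, event["src"])]


if __name__ == "__main__":
    for lineno, net, target in explain_drop(SAMPLE_RFC1918, SAMPLE_LOG):
        print(f"blocked by line {lineno}: {net} {target}")
    for lineno, net, target in stale_candidates(parse_rules(SAMPLE_RFC1918)):
        print(f"line {lineno}: {net} is not RFC 1918 space; check it is still unallocated")
```

Running the block on the constructed data attributes the SSH drop to the 83.0.0.0/8 line and lists that same line as the only entry that is not RFC 1918 space, which is exactly the entry an out-of-date bogon list would carry. On a real system the file to feed in is whichever copy shorewall actually reads (the post found that to be /etc/shorewall/rfc1918 rather than the package-maintained copy under /usr/share/shorewall/).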