From: Tom E. <te...@sh...> - 2006-11-17 16:23:48

Ow Mun Heng wrote:
> On Thu, 2006-11-16 at 16:55 -0800, Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Ow Mun Heng wrote:
>>>
>>>> 2 0.0.0.0/0 0.0.0.0/0 tcp 22,873
>>>> 2 0.0.0.0/0 0.0.0.0/0 tcp 22,873
>>>> 2 $FW 0.0.0.0/0 tcp - 22,873
>>>> 2 $FW 0.0.0.0/0 tcp - 22,873
>>>> 3 $FW 0.0.0.0/0 tcp 80,443
>>>> 3 $FW 0.0.0.0/0 tcp - 80,443
>>>> RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
>>>> CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
>>> The marks you are assigning in the first 4 rules (why you have
>>> duplicated rules, I have no clue) cause the CONTINUE rule to be taken.
>> I should note that if the rsync is occurring to/from the firewall then
>> the packets are not processed by the CONTINUE rule, which only deals with
>> forwarded traffic.
>>
>> So only packets marked by the first two rules match the CONTINUE.
>
> Tom, I really appreciate all the help, but I'm seriously wondering
> what's happening.
>
> I've stripped out all the tcrules, leaving only this one simple rule:
>
> 3 192.168.10.100/32 0.0.0.0/0 tcp 22,873
>
> tcdevices
> eth1 500kbit 250kbit # FW LAN facing
> interface
>
> I then initiated an scp transfer from the firewall to my laptop
> (192.168.10.100).
> I then grepped the connection.
>
> $ shorewall show connections | grep src=192.168.10.2
> tcp 6 431999 ESTABLISHED src=192.168.10.2 dst=192.168.10.100
> sport=37309 dport=22 packets=10298 bytes=14682124
> src=192.168.10.100 dst=192.168.10.2 sport=22 dport=37309 packets=5411
> bytes=295808 [ASSURED] mark=0 use=91
>
> The mark is still at mark=0.

I sure wish that you would read http://www.shorewall.net/PacketMarking.html
carefully.

a) Your tcrule *does not mark traffic from applications running on your
firewall*. I don't know how I can make that any clearer. The only kind of
rule that deals with those packets is a rule that has $FW in the SOURCE
column. I didn't design it this way -- I'm simply following the model that
Netfilter provides me; it handles OUTPUT and FORWARD traffic separately and
with different restrictions about what the rules may look like.

b) Even if you get the rule right, "shorewall show connections" is *not
going to show you packet marks*, which is what your rule is setting. It
displays the *connection mark* (Hint: it's showing you *connections*, not
*packets*).

-Tom

-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
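The two points in the reply above can be turned into a small diagnostic. The following is an added example, written for this page and not code from the thread or from the Shorewall project: it parses a "shorewall show connections" (conntrack) entry into its original and reply directions, reads the connection mark the command displays, and checks a tcrules line against the connection using the rule the reply states (only a rule with $FW in SOURCE sees packets generated on the firewall). It assumes the tcrules column order MARK SOURCE DEST PROTO DEST_PORT SOURCE_PORT used by the quoted rules, takes the firewall's own address as a caller-supplied parameter, and uses sample data constructed to match the lines quoted in the thread.

```python
"""
Added example (not Shorewall's own code): parse a conntrack entry as printed
by `shorewall show connections`, read the *connection* mark it shows, and
explain why a tcrules line may never have marked that connection's packets.
Assumptions: tcrules columns are MARK SOURCE DEST PROTO DEST_PORT SOURCE_PORT
(the layout of the quoted rules); the firewall address is passed in by the
caller; all sample data below is constructed to mirror the thread.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the conntrack entry quoted in the thread, on one line.
SAMPLE_CONNTRACK = (
    "tcp 6 431999 ESTABLISHED src=192.168.10.2 dst=192.168.10.100 "
    "sport=37309 dport=22 packets=10298 bytes=14682124 "
    "src=192.168.10.100 dst=192.168.10.2 sport=22 dport=37309 packets=5411 "
    "bytes=295808 [ASSURED] mark=0 use=91"
)
# Constructed samples: the poster's rule, and the $FW form the reply calls for
# (scp from the firewall connects to port 22 on the laptop, so DEST_PORT 22).
POSTER_RULE = "3 192.168.10.100/32 0.0.0.0/0 tcp 22,873"
FW_RULE = "3 $FW 0.0.0.0/0 tcp 22,873"

DIRECTION_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")
TCRULES_COLUMNS = ("mark", "source", "dest", "proto", "dport", "sport")


def parse_conntrack_line(line: str) -> Dict[str, object]:
    """Split one conntrack entry into the original-direction tuple, the
    reply-direction tuple, bracketed flags (e.g. ASSURED) and the trailing
    per-connection fields (mark, use). Direction keys appear twice in the
    line: first for the original direction, then for the reply."""
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    rest = tokens[3:]
    state = None
    if rest and "=" not in rest[0]:  # tcp prints a state word; udp does not
        state = rest.pop(0)
    original: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    extra: Dict[str, str] = {}
    flags: List[str] = []
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in DIRECTION_KEYS:
            (reply if key in original else original)[key] = value
        else:
            extra[key] = value
    return {"proto": proto, "timeout": timeout, "state": state,
            "original": original, "reply": reply, "flags": flags, **extra}


def connection_mark(line: str) -> int:
    """The mark shown by `shorewall show connections` is the connmark.
    A tcrule like the ones above sets a per-packet mark, which this output
    does not display at all."""
    return int(parse_conntrack_line(line).get("mark", "0"))


def parse_tcrule(line: str) -> Dict[str, str]:
    """Map a tcrules line onto its columns; absent trailing columns read '-'."""
    rule = dict(zip(TCRULES_COLUMNS, line.split()))
    for col in TCRULES_COLUMNS:
        rule.setdefault(col, "-")
    return rule


def marks_firewall_originated(rule_line: str) -> bool:
    """Only a rule with $FW in SOURCE sees packets generated on the firewall
    (Netfilter OUTPUT); any other SOURCE can only match forwarded traffic."""
    return parse_tcrule(rule_line)["source"] == "$FW"


def diagnose(rule_line: str, conntrack_line: str, firewall_addr: str) -> List[str]:
    """Return the reasons this rule could not have marked the connection's
    packets; an empty list means nothing here rules out a match."""
    rule = parse_tcrule(rule_line)
    conn = parse_conntrack_line(conntrack_line)
    src = ipaddress.ip_address(conn["original"]["src"])
    notes: List[str] = []
    if src == ipaddress.ip_address(firewall_addr):
        if rule["source"] != "$FW":
            notes.append("connection was opened by the firewall itself, but "
                         "SOURCE is not $FW: the rule never sees OUTPUT packets")
    elif rule["source"] != "$FW" and \
            src not in ipaddress.ip_network(rule["source"], strict=False):
        notes.append(f"original source {src} is outside SOURCE {rule['source']}")
    if rule["proto"] not in ("-", "all") and conn["proto"] != rule["proto"]:
        notes.append(f"protocol {conn['proto']} does not match {rule['proto']}")
    if rule["dport"] != "-" and conn["original"]["dport"] not in rule["dport"].split(","):
        notes.append(f"dest port {conn['original']['dport']} not in {rule['dport']}")
    return notes


if __name__ == "__main__":
    print("connmark shown:", connection_mark(SAMPLE_CONNTRACK))
    for rule in (POSTER_RULE, FW_RULE):
        print(rule, "->", diagnose(rule, SAMPLE_CONNTRACK, "192.168.10.2") or "no objection")
```

Run against the quoted connection with the firewall address 192.168.10.2, the poster's rule is rejected because the connection originates on the firewall while SOURCE is a LAN address, whereas the $FW form passes every check; in both cases the displayed mark is the connmark, so a zero there says nothing about whether packets were marked.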