From: Dorian K. <dor...@gm...> - 2011-02-25 16:23:58
Hi,

I was finally able to capture some packets on the external interface. The following is what happens when I try to establish an HTTP connection to sony.co.jp from the machine 10.0.99.99 inside the 'test' zone (the zone that contains the VLAN). x.x.x.42 is the IP of the external interface, 00:1b:21:72:95:54 its MAC address. 44:58:29:7d:1f:a9 is the MAC address of the gateway.

16:34:36.858495 00:1b:21:72:95:54 (oui Unknown) > 44:58:29:7d:1f:a9 (oui Unknown) ethertype IPv4 (0x0800), length 78: x.x.x.42.61859 > www.sony.co.jp.www: Flags [S], seq 2213552875, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 19668929 ecr 0,sackOK,eol], length 0
16:34:37.162154 44:58:29:7d:1f:a9 (oui Unknown) > 00:1b:21:72:95:54 (oui Unknown) ethertype IPv4 (0x0800), length 74: www.sony.co.jp.www > x.x.x.42.61859: Flags [S.], seq 2687494249, ack 2213552876, win 5792, options [mss 1460,sackOK,TS val 3703720903 ecr 19668929,nop,wscale 2], length 0
16:34:37.162209 00:1b:21:72:95:54 (oui Unknown) > 44:58:29:7d:1f:a9 (oui Unknown) ethertype IPv4 (0x0800), length 74: www.sony.co.jp.www > 10.0.99.99.61859: Flags [S.], seq 2687494249, ack 2213552876, win 5792, options [mss 1460,sackOK,TS val 3703720903 ecr 19668929,nop,wscale 2], length 0

To me it looks like there is something seriously wrong with the NAT process; it appears that the firewall sends out the NATed packet over the wrong interface.

The corresponding log entries follow:

Feb 25 16:34:36 io kernel: [428013.664722] Shorewall:test2net:ACCEPT:IN=vlan99 OUT=eth-cable SRC=10.0.99.99 DST=202.238.100.193 LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=22135 DF PROTO=TCP SPT=61859 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 25 16:34:37 io kernel: [428014.641743] martian source 202.238.100.193 from x.x.x.42, on dev eth-cable
Feb 25 16:34:37 io kernel: [428014.641751] ll header: 00:1b:21:72:95:54:44:58:29:7d:1f:a9:08:00

The way I read the link layer header, the log entry corresponds to packet number 2 above, but the IP source and destination addresses seem to disagree... I really don't get what is going on here and would be very grateful for any help. If required, I will gladly provide more configuration or capture more packets.

Thanks and best regards,
Dorian

On 22.02.2011, at 09:41, Dorian Kind wrote:

> Tom,
>
> many thanks for your help. I will do as you suggested and try to capture
> some packets on the external interfaces to gather more information.
>
> Best regards,
> Dorian
>
> On 21.02.2011, at 22:27, Tom Eastep wrote:
>
>> On 2/21/11 10:38 AM, Tom Eastep wrote:
>>> On 2/21/11 7:39 AM, Dorian Kind wrote:
>>>> Yes, from the 'loc' zone's point of view, everything still works as before.
>>>>
>>>
>>> Given that the definitions of the loc and net zones are almost identical,
>>> the natural suspicion is that there is a configuration problem with the
>>> VLAN. What is the configuration of the physical LAN(s) around the
>>> Shorewall box?
>>>
>>
>> You might add the 'routefilter' and 'logmartians' settings to the vlan99
>> interface; that might give us another clue.
>>
>> -Tom
>> --
>> Tom Eastep            \ When I die, I want to go like my Grandfather who
>> Shoreline,             \ died peacefully in his sleep. Not screaming like
>> Washington, USA         \ all of the passengers in his car
>> http://shorewall.net    \________________________________________________
>>
>> ------------------------------------------------------------------------------
>> Shorewall-users mailing list
>> Sho...@li...
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
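A small diagnostic, added here as an example and not part of the thread or of Shorewall, that parses the tcpdump lines and the kernel 'martian source' entries quoted in the post and flags the symptom Dorian describes: a frame that the firewall itself transmits on the external interface but whose IP destination is a private (RFC 1918) address, i.e. the reply that should have been de-NATed back towards vlan99. It also decodes the kernel's 'll header' into destination MAC, source MAC and ethertype (the kernel prints the raw Ethernet header in that order, and its martian message names the destination address first: 'martian source <dst> from <src>'), then pairs the log entry with the capture packet carrying the same MAC pair so the two views can be compared side by side. The sample lines are constructed from the post; FIREWALL_MAC, the function names and the regex shapes (tcpdump -e output on Linux) are assumptions made for this example.

```python
"""Correlate a tcpdump capture from an external interface with kernel
'martian source' log lines and flag de-NATed replies that leave the wrong way.
Example code written for this page; not Shorewall's or the poster's code."""
import ipaddress
import re

# Constructed sample input, adapted from the capture quoted in the post.
TCPDUMP_LINES = """\
16:34:36.858495 00:1b:21:72:95:54 (oui Unknown) > 44:58:29:7d:1f:a9 (oui Unknown) ethertype IPv4 (0x0800), length 78: x.x.x.42.61859 > www.sony.co.jp.www: Flags [S], seq 2213552875, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 19668929 ecr 0,sackOK,eol], length 0
16:34:37.162154 44:58:29:7d:1f:a9 (oui Unknown) > 00:1b:21:72:95:54 (oui Unknown) ethertype IPv4 (0x0800), length 74: www.sony.co.jp.www > x.x.x.42.61859: Flags [S.], seq 2687494249, ack 2213552876, win 5792, options [mss 1460,sackOK,TS val 3703720903 ecr 19668929,nop,wscale 2], length 0
16:34:37.162209 00:1b:21:72:95:54 (oui Unknown) > 44:58:29:7d:1f:a9 (oui Unknown) ethertype IPv4 (0x0800), length 74: www.sony.co.jp.www > 10.0.99.99.61859: Flags [S.], seq 2687494249, ack 2213552876, win 5792, options [mss 1460,sackOK,TS val 3703720903 ecr 19668929,nop,wscale 2], length 0
"""

# Constructed sample input, adapted from the kernel log quoted in the post.
KERNEL_LINES = """\
Feb 25 16:34:37 io kernel: [428014.641743] martian source 202.238.100.193 from x.x.x.42, on dev eth-cable
Feb 25 16:34:37 io kernel: [428014.641751] ll header: 00:1b:21:72:95:54:44:58:29:7d:1f:a9:08:00
"""

FIREWALL_MAC = "00:1b:21:72:95:54"  # assumption: the external interface's MAC, from the post

# Shape of a 'tcpdump -e' line carrying IPv4: ts, src MAC, dst MAC, then "src.port > dst.port: Flags [..]"
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) \(oui [^)]*\) > (?P<dmac>[0-9a-f:]{17}) \(oui [^)]*\) "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]"
)
# Kernel format: "martian source <daddr> from <saddr>, on dev <name>"
MARTIAN_RE = re.compile(r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")
# Raw Ethernet header as 14 hex octets: dst MAC (6), src MAC (6), ethertype (2)
LLHDR_RE = re.compile(r"ll header: (?P<hdr>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})")


def parse_packets(text):
    """Return one dict per tcpdump line that matches PKT_RE."""
    return [m.groupdict() for m in (PKT_RE.match(l) for l in text.splitlines()) if m]


def is_private(host):
    """True for RFC 1918 / loopback / link-local literals; hostnames and
    redacted addresses such as x.x.x.42 cannot be parsed and count as public."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def find_leaked_private_dst(pkts, firewall_mac):
    """Packets the firewall itself sent on this (external) capture whose IP
    destination is private.  On a healthy NAT path none should appear here."""
    return [p for p in pkts if p["smac"] == firewall_mac and is_private(p["dst"])]


def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line following it
    and split the header into dst MAC, src MAC and ethertype."""
    events, current = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            current = m.groupdict()
            events.append(current)
            continue
        h = LLHDR_RE.search(line)
        if h and current is not None:
            octets = h["hdr"].split(":")
            current["dmac"] = ":".join(octets[0:6])
            current["smac"] = ":".join(octets[6:12])
            current["ethertype"] = "0x" + "".join(octets[12:14])
            current = None
    return events


def match_martian_to_capture(event, pkts):
    """Capture packets with the same MAC pair as the martian event, each paired
    with the kernel's view of the IP addresses for side-by-side comparison.
    Use 'tcpdump -n' if you want the two address columns to be comparable."""
    return [
        {"ts": p["ts"], "capture": (p["src"], p["dst"]), "kernel": (event["src"], event["dst"])}
        for p in pkts
        if p["smac"] == event.get("smac") and p["dmac"] == event.get("dmac")
    ]


if __name__ == "__main__":
    pkts = parse_packets(TCPDUMP_LINES)
    for p in find_leaked_private_dst(pkts, FIREWALL_MAC):
        print(f"{p['ts']}: firewall sent a frame to private dst {p['dst']} on the external interface")
    for ev in parse_martians(KERNEL_LINES):
        print("martian on", ev["dev"], "->", match_martian_to_capture(ev, pkts))
```

Run against the quoted data it reports the third capture line (destination 10.0.99.99 leaving via the gateway's MAC) and pairs the martian entry with the second capture line, the gateway-to-firewall frame, which is the packet Dorian identified from the link-layer header.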