From: James N. <JN...@sp...> - 2003-02-28 10:47:19
Thanks Tom,

> a) Be sure that you have set the 'dhcp' option for your external interface
> in /etc/shorewall/interfaces.
> b) Because your ISP is using RFC 1918 addresses within its infrastructure,
> you need to review Shorewall FAQ #14a
> (http://www.shorewall.net/FAQ.htm#faq14a).

Yes, etc/shorewall/interfaces has dhcp on for the external interface.

I was getting these in my log when I performed a trace route:

Feb 27 19:17:42 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=10.75.48.1 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=3903 PROTO=ICMP TYPE=11 CODE=0 [SRC=81.102.124.19 DST=212.58.224.114 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=63517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=41728 ]

And these stopped when I added the UBR's IP to /etc/shorewall/rfc1918.

I'll find out soon whether this makes any difference to DHCP renewal, but apparently not blocking the UBR is very important.

A few questions about that log entry if I may?

According to the weblet, sorting the denied packets by IP address lists all these packets as caused by '81.102.124.19', which is my external IP on eth0. Can somebody explain why?

"SRC=10.75.48.1 DST=192.168.1.1" DST is the local IP for my WinXP box, how come SRC is trying to send it packets?

I don't know whether the UBR has a static IP, but I do know the ranges it will always be in (10.xxx.xxx.1 or 172.xx.xxx.254). If it turns out to be dynamic, is it possible to put those ranges instead of a static IP into /etc/shorewall/rfc1918?

Thanks,
Jim.
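
An added example, not part of the original post or of Shorewall: a Python sketch that splits the log line quoted in the message (with the mail's quoted-printable encoding decoded) into the packet netfilter logged and the bracketed header, which the kernel LOG target appends to an ICMP error to describe the packet that triggered it. The function names are hypothetical, and `naive_source` only shows what a parser that reads the last SRC= on the line would report; it is not a statement about how the weblet works.

```python
import re

# Log line from the post above, quoted-printable debris (=3D, =20) decoded.
LINE = ("Feb 27 19:17:42 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
        "SRC=10.75.48.1 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=3903 "
        "PROTO=ICMP TYPE=11 CODE=0 [SRC=81.102.124.19 DST=212.58.224.114 LEN=92 "
        "TOS=0x00 PREC=0x00 TTL=1 ID=63517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=41728 ] ")

FIELD = re.compile(r"(\w+)=(\S*)")


def fields(text):
    """Return KEY=VALUE pairs as a dict; the first occurrence of a key wins,
    so ID is the IP header ID, not the later ICMP echo ID."""
    out = {}
    for key, value in FIELD.findall(text):
        out.setdefault(key, value)
    return out


def parse(line):
    """Split a netfilter LOG line into (prefix, outer, inner).

    outer is the packet that hit the rule; inner is the header quoted inside
    an ICMP error (the bracketed part), or None when there is no bracket.
    """
    m = re.search(r"kernel: (\S*?)IN=", line)
    prefix = m.group(1).rstrip(":") if m else ""
    body = line[m.end(1):] if m else line
    outer_text, sep, rest = body.partition("[")
    inner = fields(rest.rsplit("]", 1)[0]) if sep else None
    return prefix, fields(outer_text), inner


def naive_source(line):
    """Source address reported by a parser that takes the last SRC= field."""
    return re.findall(r"SRC=(\S+)", line)[-1]


if __name__ == "__main__":
    prefix, outer, inner = parse(LINE)
    print("rule     :", prefix)
    print("dropped  :", outer["SRC"], "->", outer["DST"], "ICMP type", outer["TYPE"])
    print("quoted   :", inner["SRC"], "->", inner["DST"], "TTL", inner["TTL"])
    print("last SRC :", naive_source(LINE))
```

Here the dropped packet is an ICMP type 11 (time exceeded) from 10.75.48.1, and the bracketed header is the TTL=1 echo request it answers, whose source is the external address 81.102.124.19.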