Re: [Shorewall-users] INPUT:REJECT on High Availability real server

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Keith Edmunds wrote:
>> Please either send us a copy of the log messages
> 
> Apologies, I hadn't realised that LOGFILE was set incorrectly. Here's
> an example entry:
> 
> Jan 15 16:45:10 web2 kernel: Shorewall:INPUT:REJECT:IN=bond0 OUT=
> MAC=00:30:48:67:2a:3e:00:30:48:67:25:44:08:00 SRC=87.243.200.155
> DST=10.0.0.22 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=1565 DF PROTO=TCP
> SPT=45228 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

This packet arrived on bond0 with a source IP address of 87.243.200.155.
bond0 is associated with the 'loc' zone but only for IP addresses
10.0.0.0/24. So this packet came into the firewall on bond0 but was not
from the loc zone. Since 'loc' is the only zone defined on bond0, the
packet fell out of the bond0_in chain and was dropped in the INPUT chain.