From: Tom E. <te...@sh...> - 2012-09-27 01:36:29
On 9/26/12 4:46 PM, "Bin Wang" <bin...@gm...> wrote:

>Hi Tom,
>
>Here is the info you asked.
>
>1. Start shorewall6
>
>root@ubuntu:/etc/shorewall6# shorewall6 start
>Compiling...
>Processing /etc/shorewall6/shorewall6.conf...
>Loading Modules...
>Compiling /etc/shorewall6/zones...
>Compiling /etc/shorewall6/interfaces...
>Determining Hosts in Zones...
>Locating Action Files...
>Compiling /usr/share/shorewall6/action.Drop for chain Drop...
>Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
>Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
>Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
>Compiling /usr/share/shorewall6/action.Reject for chain Reject...
>Compiling /etc/shorewall6/policy...
>Compiling TCP Flags filtering...
>Compiling MAC Filtration -- Phase 1...
>Compiling /etc/shorewall6/rules...
>Compiling MAC Filtration -- Phase 2...
>Applying Policies...
>Generating Rule Matrix...
>Creating ip6tables-restore input...
>Shorewall configuration compiled to /var/lib/shorewall6/.start
>Starting Shorewall6....
>Initializing...
>Setting up Traffic Control...
>Preparing ip6tables-restore input...
>Running /sbin/ip6tables-restore...
>IPv6 Forwarding Disabled!
>done.
>
>2. Ping the destination IP, it is OK
>
>root@ubuntu:/etc/shorewall6# ping6 2001:4998:c:401::c:9101
>PING 2001:4998:c:401::c:9101(2001:4998:c:401::c:9101) 56 data bytes
>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=1 ttl=48 time=87.1 ms
>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=2 ttl=48 time=86.1 ms
>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=3 ttl=48 time=83.9 ms
>64 bytes from 2001:4998:c:401::c:9101: icmp_seq=4 ttl=48 time=86.1 ms
>
>3. Telnet to the HTTP port. The TCP connection timed out eventually.
>But I expect the TCP connection refused immediately.
>
>root@ubuntu:/etc/shorewall6# telnet 2001:4998:c:401::c:9101 80
>Trying 2001:4998:c:401::c:9101...
>telnet: Unable to connect to remote host: Connection timed out
>
>4. The output from "root@ubuntu:/etc/shorewall6# shorewall6 dump -l -x
>-m > status.txt" is attached.

It appears that REJECT is acting like DROP with your kernel. There is nothing that you can do with your Shorewall configuration to correct this.

Is this an official Ubuntu kernel? If so, I would submit a problem report.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
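The symptom discussed in this thread (a connect that times out where an immediate refusal was expected) can be checked from a script. The following is an added example, not part of the original messages and not Shorewall code; the names `classify` and `probe` are hypothetical, and the errno grouping assumes a Linux client.

```python
import errno
import socket
import sys
import time

# Errors Linux returns when a TCP RST or an ICMPv6 "unreachable" comes back,
# i.e. the filter answered instead of staying silent.
REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH,
                 errno.ENETUNREACH, errno.EACCES}


def classify(exc):
    """Map the result of a connect() attempt to the filter behaviour it implies."""
    if exc is None:
        return "OPEN"
    code = getattr(exc, "errno", None)
    if isinstance(exc, socket.timeout) or code == errno.ETIMEDOUT:
        return "DROP-like"      # no answer at all: the SYN was silently discarded
    if code in REJECT_ERRNOS:
        return "REJECT-like"    # an active refusal reached the client
    return "OTHER"              # e.g. name resolution failure


def probe(host, port, timeout=5.0):
    """Attempt one TCP connection; return (verdict, seconds until the result)."""
    start = time.monotonic()
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        exc = None
    except OSError as e:
        exc = e
    return classify(exc), round(time.monotonic() - start, 2)


if __name__ == "__main__":
    # Usage: python3 probe.py <host> <port>
    verdict, secs = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]} port {sys.argv[2]}: {verdict} after {secs}s")
```

A working REJECT rule should give `REJECT-like` within roughly one round-trip time; `DROP-like` after the full timeout matches the telnet result quoted above.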