mc5686
(Mauro Condarelli)
22 June 2023 18:33
1
I am having routing problems with my simple setup:
IPFire has three NICs:
RED (192.168.1.9)
here I have only the Internet modem (192.168.1.1)
ORANGE (192.168.9.9)
here I have a handful of (virtual) servers and specifically:
a NginX-based web server (currently HTTP-only)
GREEN (192.168.7.9)
where my internal stuff live, in particular:
cinderella, my workstation (192.168.7.12)
I activated port redirection like this:
Here I see the first strange thing: ORANGE → GREEN is “blocked”, but I’m unsure about its real significance.
Anyway, trying to access http://192.168.7.9 from cinderella (192.168.7.12) results in no log at all, and trying to access http://192.168.9.8 directly results in:
Jun 22 20:29:21 ipfire kernel: FORWARDFW IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41425 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 22 20:29:21 ipfire kernel: FORWARDFW IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45203 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41426 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41427 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45204 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41428 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41429 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:22 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41430 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:22 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45205 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:22 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41431 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:22 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41432 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:24 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41433 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:24 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45206 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:24 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41434 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:27 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41435 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 22 20:29:28 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41436 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 22 20:29:28 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45207 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:28 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41437 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:34 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41438 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0
Jun 22 20:29:36 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41439 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:36 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45208 DF PROTO=TCP SPT=58454 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
What should I check?
TiA!
I’m using a group for green and blue; you need to set who can access the device on orange.
I’m using All, because I have more than port 80 that I need to access.
That works for me …
In your case, you will choose TCP and port 80 and 80.
Try this:
BR
Trash
mc5686
(Mauro Condarelli)
22 June 2023 20:12
3
Thanks @trash-trash,
but…
Why do I have a different page?
I suspect I’m missing some setup somewhere else.
Can you divine what?
That is another matter and is not important.
Some options depend on settings made in IPFire.
You need to take out the NAT you had activated.
BR
Trash
mc5686
(Mauro Condarelli)
22 June 2023 21:01
5
Thanks @trash-trash
I am a bit confused now.
I was following this tutorial since I need to be able to access the webserver (192.168.9.8) from both GREEN and RED.
Yes, I’m Mauro Condarelli, proud owner of (pretty much unused) domain condarelli.it
I have a fixed, routable IP address I can use to reach my modem; the plan is to forward all ports from the modem at 192.168.1.1 to IPFire (192.168.1.9) and from there send them where needed (e.g.: webserver).
I understood I should be able to access hosts on ORANGE from GREEN without special setup, while I need DNAT to access ORANGE from RED.
Am I missing something?
Any hint welcome.
OK that is fine.
I deleted my question.
I have an old IPFire installation for my tests.
For eth red:
For eth red, to reach a device:
BR
Trash
jon
(Jon)
22 June 2023 23:04
7
mc5686
(Mauro Condarelli)
22 June 2023 23:07
8
I am about to leave now.
Nothing seems to be redirected as it should or, to be precise, it seems SYN is ok, but ACK gets a DROP_CTINVALID for some reason, so the connection never succeeds.
A few questions:
Can someone confirm that without any specific Firewall rule (all defaults) I should be able to access from GREEN a host on ORANGE?
Can someone confirm connections from RED (if not explicitly handled) will be DROPped?
Can someone confirm I need to redirect specific ports (e.g.: 80) from RED to ORANGE using something like:
In this condition, when attempting to access from outside (5.168.62.88), I see:
Jun 23 00:52:03 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=53192 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:03 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53192 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:03 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=21139 DF PROTO=TCP SPT=26443 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:03 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=21139 DF PROTO=TCP SPT=26443 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:04 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=57339 DF PROTO=TCP SPT=26302 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:04 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57339 DF PROTO=TCP SPT=26302 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:04 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53196 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:04 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=21140 DF PROTO=TCP SPT=26443 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:05 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57352 DF PROTO=TCP SPT=26302 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:06 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53200 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:06 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=21142 DF PROTO=TCP SPT=26443 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:07 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57367 DF PROTO=TCP SPT=26302 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:10 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53207 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:10 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=21146 DF PROTO=TCP SPT=26443 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:11 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57389 DF PROTO=TCP SPT=26302 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=44663 DF PROTO=TCP SPT=26507 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=44663 DF PROTO=TCP SPT=26507 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=24182 DF PROTO=TCP SPT=26854 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=24182 DF PROTO=TCP SPT=26854 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=57282 DF PROTO=TCP SPT=26825 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:36 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57282 DF PROTO=TCP SPT=26825 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:37 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=44664 DF PROTO=TCP SPT=26507 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:37 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=24183 DF PROTO=TCP SPT=26854 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:37 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57283 DF PROTO=TCP SPT=26825 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:39 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=44666 DF PROTO=TCP SPT=26507 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:39 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=24189 DF PROTO=TCP SPT=26854 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:39 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57286 DF PROTO=TCP SPT=26825 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:43 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=44669 DF PROTO=TCP SPT=26507 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:43 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=24198 DF PROTO=TCP SPT=26854 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:43 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=57288 DF PROTO=TCP SPT=26825 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
while a direct telnet 192.168.9.8 80 prints:
Jun 23 00:58:00 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36301 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 23 00:58:01 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36302 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 23 00:58:03 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36303 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 23 00:58:07 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36304 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 23 00:58:12 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36305 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:13 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36306 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:13 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36307 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:13 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36308 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:14 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36309 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:15 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36310 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 23 00:58:16 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36311 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Jun 23 00:58:19 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=36312 DF PROTO=TCP SPT=45856 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0
Notice that ping and traceroute work as expected:
mcon@cinderella:~$ ping -n -c 4 192.168.9.8
PING 192.168.9.8 (192.168.9.8) 56(84) bytes of data.
64 bytes from 192.168.9.8: icmp_seq=1 ttl=63 time=1.85 ms
64 bytes from 192.168.9.8: icmp_seq=2 ttl=63 time=1.63 ms
64 bytes from 192.168.9.8: icmp_seq=3 ttl=63 time=1.66 ms
64 bytes from 192.168.9.8: icmp_seq=4 ttl=63 time=1.65 ms
--- 192.168.9.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.632/1.699/1.851/0.088 ms
mcon@cinderella:~$ traceroute -n 192.168.9.8
traceroute to 192.168.9.8 (192.168.9.8), 30 hops max, 60 byte packets
1 192.168.7.9 1.657 ms 1.540 ms 1.549 ms
2 192.168.9.8 2.152 ms 2.088 ms 2.134 ms
Can someone help?
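A small triage script, added here and not part of the thread, that groups the kernel log lines above per TCP flow and names the two patterns visible in them: SYN forwarded and then the client's ACK dropped as DROP_CTINVALID, and SYN retransmitted with nothing else seen. The sample lines are copied from this thread; the comments on what each pattern means describe how Linux conntrack's TCP state tracking behaves, not a conclusion the thread itself reaches.

```python
import re
from collections import defaultdict

# Log lines copied from the thread above (not constructed), one flow per
# source port; the parser accepts the full IPFire kernel-log format.
SAMPLE_LOG = """\
Jun 22 20:29:21 ipfire kernel: FORWARDFW IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41425 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=41426 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK URGP=0
Jun 22 20:29:21 ipfire kernel: DROP_CTINVALID IN=green0 OUT=orange0 MAC=00:16:3e:9e:f9:83:e0:d5:5e:a0:21:0f:08:00 SRC=192.168.7.12 DST=192.168.9.8 LEN=477 TOS=0x00 PREC=0x00 TTL=63 ID=41427 DF PROTO=TCP SPT=58438 DPT=80 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jun 23 00:52:03 ipfire kernel: DNAT IN=red0 OUT= MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.1.9 LEN=52 TOS=0x00 PREC=0x00 TTL=245 ID=53192 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:03 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53192 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:04 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53196 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
Jun 23 00:52:06 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:16:3e:73:3b:3e:04:20:84:03:e8:ec:08:00 SRC=5.168.62.88 DST=192.168.9.8 LEN=52 TOS=0x00 PREC=0x00 TTL=244 ID=53200 DF PROTO=TCP SPT=26534 DPT=80 WINDOW=14000 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<chain>\S+) (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Split one IPFire kernel log line into chain, key=value fields and TCP flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                 # IN=green0, OUT= (may be empty), SRC=..., SPT=...
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:         # bare tokens after RES= are the TCP flags;
            flags.add(tok)             # "DF" is the IP don't-fragment bit and is ignored
    return {"ts": m.group("ts"), "chain": m.group("chain"), "fields": fields, "flags": flags}


def classify_flows(log_text):
    """Group TCP packets per (src, sport, dport) and name the failure pattern, if any.

    DST is left out of the key so the DNAT line (pre-translation destination) and the
    FORWARDFW lines (translated destination) of one connection land in the same flow.
    """
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        f = rec["fields"]
        if f.get("PROTO") == "TCP":
            flows[(f["SRC"], f["SPT"], f["DPT"])].append(rec)
    verdicts = {}
    for key, pkts in flows.items():
        syn_fwd = [p for p in pkts if p["chain"] == "FORWARDFW" and "SYN" in p["flags"]]
        ack_inv = [p for p in pkts if p["chain"] == "DROP_CTINVALID" and "ACK" in p["flags"]]
        if syn_fwd and ack_inv:
            # conntrack is still in SYN_SENT when the client's ACK arrives, which makes
            # the ACK INVALID: the server's SYN-ACK never passed through this firewall
            verdicts[key] = "syn-forwarded-ack-invalid"
        elif len(syn_fwd) >= 2 and all(p["flags"] == {"SYN"} for p in pkts):
            # same source port, SYN only, growing IP IDs: the client retransmits because
            # no SYN-ACK reached it, and this firewall saw nothing else for the flow
            verdicts[key] = "syn-retransmit-no-reply"
        else:
            verdicts[key] = "ok-or-unclassified"
    return verdicts
```

Feeding the whole of /var/log/messages (or the lines the thread posted) to classify_flows gives one verdict per client socket, which is quicker to read than scanning the raw lines.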
jon
(Jon)
22 June 2023 23:13
9
This one may help:
https://wiki.ipfire.org/configuration/firewall/default-policy#default-firewall-behaviour
This one may help:
https://wiki.ipfire.org/configuration/firewall/options#log-dropped-packets-classified-as-invalid-by-connection-tracking
And this one will help:
Hi,
these are nothing to worry about, and IPFire has always dropped these packets - they just were never logged, which is a considerable disadvantage when it comes to troubleshooting and debugging. DROP_CTINVALID was introduced in Core Update 164 to overcome this, but it did not change anything on the firewall engines’ behaviour.
No, that switch is the correct one.
Because reloading the firewall engine - which is what happens if firewall rules in the GUI are modified, and the “apply” butto…
EDIT:
and this one for RED to DMZ (orange):