On Wed, 24 Nov 2010, Dave Sparks wrote:

> I noticed a problem that happens on all our firewalls (various 2.6 and
> Shorewall versions) where sometimes the final packet in a conversation
> will not be NATed. What happens is the src IP is not rewritten, and
> the RFC 1918 src address is sent to the internet.
>
> I've pasted a tcpdump from the firewall below (sorry I had to elide the
> IPs). I have used "tcpdump -i any" so packets both in and out of the
> firewall are shown. The important packet is the very last one. It
> didn't get its src IP rewritten, and was emitted on the internet eth
> with an RFC 1918 src IP.

I guess the packet in question has got INVALID state: those are not
NAT-ed (being INVALID, they cannot be). So add a rule which drops INVALID
packets.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
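The fix Jozsef suggests, together with a wire-side check for the symptom Dave reports, as an added example that is not part of the thread and not Shorewall's or netfilter's own code. NAT in Linux is a property of the conntrack entry: the mapping is chosen when the entry is created and every later packet is translated by looking the entry up. A packet that conntrack classifies as INVALID (a late RST or ACK after the entry has expired, an out-of-window segment, a malformed header) has no entry to be translated through, so it is forwarded exactly as received, private source address included. Dropping INVALID packets in FORWARD (and OUTPUT) closes that leak. The interface name eth0, the public address 203.0.113.7, the LAN host 192.168.10.5 and the capture are all assumptions constructed for the example; nothing of this comes from the elided tcpdump in the report.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread or from Shorewall.
# It shows the fix Jozsef suggests (drop conntrack-INVALID packets on the
# NAT gateway) and a wire-side check for the symptom Dave describes.
# Assumptions (not in the thread): the internet-facing interface is
# "eth0", the firewall's public address is 203.0.113.7 and the LAN host
# is 192.168.10.5; all addresses and the capture below are constructed.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
WAN_IF="${WAN_IF:-eth0}"           # assumed WAN interface name

# Insert the INVALID drop at the top of FORWARD so it runs before any
# ACCEPT rule. A rate-limited LOG rule first makes the dropped packets
# visible in the kernel log while you confirm the diagnosis.
install_invalid_drop() {
    "$IPTABLES" -I FORWARD 1 -m conntrack --ctstate INVALID \
        -m limit --limit 5/min -j LOG --log-prefix "FWD INVALID: "
    "$IPTABLES" -I FORWARD 2 -m conntrack --ctstate INVALID -j DROP
    # Locally generated packets with no conntrack entry take the OUTPUT
    # path and would also leave untranslated, so cover that hook too.
    "$IPTABLES" -I OUTPUT 1 -m conntrack --ctstate INVALID -j DROP
}

# RFC 1918 test on a dotted-quad address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)                        return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Count packets in a "tcpdump -ni <WAN_IF>" capture whose source is a
# private address: anything that left the outside interface without SNAT.
# Capturing on the WAN interface matters; a LOG rule in FORWARD always
# shows the pre-NAT source, because POSTROUTING runs after FORWARD.
count_nat_leaks() {
    n=0
    while IFS= read -r line; do
        case "$line" in *" IP "*) ;; *) continue ;; esac
        src="${line#* IP }"   # "192.168.10.5.51234 > 198.51.100.3.443: ..."
        src="${src%% >*}"     # "192.168.10.5.51234"
        src="${src%.*}"       # drop the port: "192.168.10.5"
        if is_rfc1918 "$src"; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed capture of the outside interface: a normal FIN/ACK close,
# then a late RST sent after the conntrack entry was already gone.
# The RST has no entry to translate through, so it escapes with the
# private source: the "very last packet" symptom from the report.
SAMPLE_WAN_CAPTURE='10:00:01.000001 IP 203.0.113.7.51234 > 198.51.100.3.443: Flags [F.], seq 101, ack 1, win 501, length 0
10:00:01.000002 IP 198.51.100.3.443 > 203.0.113.7.51234: Flags [F.], seq 1, ack 102, win 501, length 0
10:00:01.000003 IP 203.0.113.7.51234 > 198.51.100.3.443: Flags [.], ack 2, win 501, length 0
10:00:06.000004 IP 192.168.10.5.51234 > 198.51.100.3.443: Flags [R], seq 102, win 0, length 0'

if [ "${1:-}" = "--apply" ]; then
    install_invalid_drop
else
    echo "# dry run; rules that --apply would install:"
    IPTABLES=echo install_invalid_drop
    echo "# private sources seen leaving $WAN_IF in the sample capture:" \
         "$(count_nat_leaks "$SAMPLE_WAN_CAPTURE")"
fi
```

Run without arguments for a dry run that prints the rules and the leak count for the constructed capture; `--apply` installs the rules with the real iptables. Two caveats for the setup in the report: on a Shorewall-managed firewall, rules added by hand disappear when Shorewall regenerates its ruleset, so the INVALID drop belongs in Shorewall's own configuration rather than in a raw iptables call; and when checking for the leak on a live box, capture on the outside interface only (`tcpdump -ni eth0`), since with `-i any` the same packet is seen on the inside interface with its private source whether or not NAT later rewrote it.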