[Shorewall-users] (no subject)
Will Lowe
2017-05-12 04:06:40 UTC
Can someone help me understand this particular log message? It is from a
Ricoh Printer on my main net to a computer on an adjacent net which is also
under my control. Neither the printer nor this computer should be
communicating with each other for any reason. The computer is not manned by
anyone. I've checked with Ricoh and they cannot explain it. And, secondly,
why would Shorewall react to anything not meant to go through it?

Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2
MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222
DST=192.168.3.25 LEN=109 TOS=0x00 PREC=0x00 TTL=63 ID=39208 PROTO=UDP
SPT=161 DPT=61532 LEN=89
Roberto C. Sánchez
2017-05-12 04:20:50 UTC
Post by Will Lowe
> Can someone help me understand this particular log message? It is from a
> Ricoh Printer on my main net to a computer on an adjacent net which is
> also under my control. Neither the printer nor this computer should be
> communicating with each other for any reason. The computer is not manned by
> anyone. I've checked with Ricoh and they cannot explain it. And, secondly,
> why would Shorewall react to anything not meant to go through it?
>
> Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2
> MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222
> DST=192.168.3.25 LEN=109 TOS=0x00 PREC=0x00 TTL=63 ID=39208 PROTO=UDP
> SPT=161 DPT=61532 LEN=89

I am not sure why your printer is trying to communicate in this manner.
Shorewall's behavior is a result of the source and destination addresses
being accessible through the same interface and that you probably have
not set the routeback option on the interface (enp5s2 in this case).

By default Shorewall will not send packets out the same interface which
they entered.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Will Lowe
2017-05-12 04:46:40 UTC
Thank you, I did overlook that.
Bill Shirley
2017-05-12 10:44:38 UTC
I have several servers where I'm seeing this. Here's my understanding of the problem:
1) at some time in the past there was a printer at 192.168.3.25 which has now moved (probably DHCP)
2) at that time, the Windows PC at 192.168.1.222 latched onto that address
3) now that Windows PC can't find the printer via arp so it's sending this traffic to Mr. Gateway because he knows everything
4) as Roberto said, you don't have the routeback option set on the interface so Shorewall complains

Your situation differs from mine. Either you have two subnets on the same interface (192.168.1.0/24 and 192.168.3.0/24) or
your subnet prefix is something like a /22.

Is there a printer at 192.168.3.25?

Try visiting the PC and looking at its printers to see if it is using an address instead of a hostname. Configure the
routeback options on the interface and add appropriate rules:
DROP loc loc tcp,udp snmp

Bill
Simon Hobson
2017-05-12 09:48:00 UTC
> Can someone help me understand this particular log message? It is from a Ricoh Printer on my main net to a computer on an adjacent net which is also under my control. Neither the printer nor this computer should be communicating with each other for any reason. The computer is not manned by anyone. I've checked with Ricoh and they cannot explain it. And, secondly, why would Shorewall react to anything not meant to go through it?
>
> Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2 MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222 DST=192.168.3.25 LEN=109 TOS=0x00 PREC=0x00 TTL=63 ID=39208 PROTO=UDP SPT=161 DPT=61532 LEN=89

UDP port 161 is SNMP. I'll hazard a guess that the computer is looking for printers automatically - most OSs these days default to using SNMP to query the printer for various information. Even though you might not be expecting any communication, the printer will almost certainly be broadcasting its presence with mDNS (look up Zeroconf, aka Bonjour) - hence the computer will find out about it even though they are on different subnets (but same broadcast domain).
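
Added example, not part of the original thread: a small Python triage of the log line discussed above, tying together the IN=OUT condition Roberto describes and the SNMP port Simon points out. The function names and the default /24 prefix length are assumptions made for illustration; the MAC= field is split as destination MAC, source MAC, EtherType, which is how the netfilter LOG target writes it.

```python
import ipaddress
import re

# Log line from the thread, joined back onto one line.
SAMPLE = ("Shorewall:FORWARD:REJECT:IN=enp5s2 OUT=enp5s2 "
          "MAC=00:0e:04:24:45:85:00:26:73:9b:d1:c9:08:00 SRC=192.168.1.222 "
          "DST=192.168.3.25 LEN=109 TOS=0x00 PREC=0x00 TTL=63 ID=39208 PROTO=UDP "
          "SPT=161 DPT=61532 LEN=89")

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Split a Shorewall/netfilter log line into chain, disposition and fields."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD.findall(line[m.end():]):
        rec.setdefault(key, value)  # LEN occurs twice; keep the first (IP-level) one
    # MAC= is destination MAC, source MAC and EtherType run together.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:])
    return rec


def triage(rec, prefixlen=24):
    """Return review notes for one record; prefixlen is an assumed subnet size."""
    notes = []
    if rec["chain"] == "FORWARD" and rec.get("IN") and rec.get("IN") == rec.get("OUT"):
        notes.append("hairpin: enters and leaves on " + rec["IN"])
    src = ipaddress.ip_interface(f"{rec['SRC']}/{prefixlen}").network
    dst = ipaddress.ip_interface(f"{rec['DST']}/{prefixlen}").network
    if src != dst:
        notes.append(f"routed between {src} and {dst}")
    if rec.get("PROTO") == "UDP" and rec.get("SPT") == "161":
        notes.append("source port 161: reply from an SNMP agent")
    return notes


if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["src_mac"], "->", rec["dst_mac"])
    for note in triage(rec):
        print("-", note)
```

Calling `triage(rec, 22)` drops the "routed between" note, since both addresses then fall in 192.168.0.0/22, the alternative Bill raises.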