Browser disconnects with eBay
I'm behind a firewall, and pretty regularly, I'll get dropped connections with eBay (cg1.ebay.com, pages.ebay.com, etc.). I'm behind a firewall, and doing SNAT (typical outbound stuff - I run a 192.168 inside, and have a fixed IP outside).

Does anyone else have these sorts of problems? My firewall logs show all sorts of traffic like the following:
> Sep 2 16:31:48 badpkt:DROP:IN=eth0 OUT=eth1
Packet hosed, came in on 0 (outside interface), and going out on 1 (inside interface).
So far I understand this.
> SRC=216.32.120.133
This originating IP is pages.ebay.com. So far, OK.
> DST=192.168.1.2
This is my internal NATed address. So far, OK.
> LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=28516
I don't think these have much informational value, and I only understand what the LEN, TTL, and ID fields are. So far, OK.
> PROTO=TCP
OK. We're using TCP here.
> SPT=80 DPT=2970
They're connecting from their webserver (hence the source port (SPT) of 80).
The destination port (DPT) I'm guessing is on my machine. So far, OK.
> WINDOW=0 RES=0x00 ACK URGP=0
I'm not sure if these have any value either.
Anyone have any ideas as to why the firewall is seeing this as a "bad packet" and dropping the connection?
I can't see why it's dropping the connection.
Can I fix it? Or is eBay doing weird DNS/load balancing stuff that's not really working right, and I'm just SOL?
Here's the output of an 'iptables -L' if that helps:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
eth2_in all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
all2all all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere
Chain @net2all (3 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 40
DROP all -- anywhere anywhere
Chain all2all (7 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain badpkt (4 references)
target prot opt source destination
LOG tcp -- anywhere anywhere LOG level info tcp-options ip-options prefix `Shorewall:badpkt:DROP:'
DROP tcp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:badpkt:DROP:'
DROP all -- anywhere anywhere
Chain blacklst (4 references)
target prot opt source destination
DROP all -- 12.124.134.110 anywhere
DROP all -- 208.254.24.196 anywhere
DROP all -- 12.125.43.134 anywhere
Chain common (5 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
icmpdef icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere state INVALID
REJECT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:microsoft-ds reject-with icmp-port-unreachable
reject tcp -- anywhere anywhere tcp dpt:135
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
reject tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp spt:domain state NEW
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
DROP all -- anywhere fw0
DROP all -- anywhere 192.168.1.255
DROP all -- anywhere 192.168.2.255
Chain dynamic (6 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
badpkt all -- anywhere anywhere unclean
rfc1918 all -- anywhere anywhere
blacklst all -- anywhere anywhere
net2loc all -- anywhere anywhere
net2wap all -- anywhere anywhere
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
badpkt all -- anywhere anywhere unclean
rfc1918 all -- anywhere anywhere
blacklst all -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2wap all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT icmp -- anywhere anywhere icmp echo-request
loc2fw all -- anywhere anywhere
Chain eth2_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
badpkt all -- anywhere anywhere unclean
blacklst all -- anywhere anywhere
wap2net all -- anywhere anywhere
all2all all -- anywhere anywhere
Chain eth2_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
badpkt all -- anywhere anywhere unclean
blacklst all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
wap2fw all -- anywhere anywhere
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
all2all all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ntp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:cvspserver
ACCEPT udp -- anywhere anywhere state NEW udp dpt:cvspserver
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nicname
ACCEPT icmp -- anywhere anywhere icmp echo-request
all2all all -- anywhere anywhere
Chain icmpdef (1 references)
target prot opt source destination
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:time
ACCEPT udp -- anywhere anywhere state NEW udp dpt:time
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ntp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:cvspserver
ACCEPT udp -- anywhere anywhere state NEW udp dpt:cvspserver
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:snmp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
all2all all -- anywhere anywhere
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere state NEW tcp dpt:ircd LOG level info prefix `Shorewall:loc2net:REJECT:'
reject tcp -- anywhere anywhere state NEW tcp dpt:ircd
LOG tcp -- anywhere anywhere state NEW tcp spt:ftp-data dpts:1024:65535 LOG level info prefix `Shorewall:loc2net:ACCEPT:'
ACCEPT tcp -- anywhere anywhere state NEW tcp spt:ftp-data dpts:1024:65535
ACCEPT all -- anywhere anywhere
Chain loc2wap (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
Chain logdrop (37 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere
Chain net2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
@net2all tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT icmp -- anywhere dark.sluug.org icmp echo-request
DROP tcp -- anywhere anywhere state NEW tcp dpt:ms-sql-s
DROP tcp -- anywhere anywhere state NEW tcp dpt:smtp
DROP tcp -- anywhere anywhere state NEW tcp dpt:ftp
net2all all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
@net2all tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:4000:4100
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:auth
reject tcp -- anywhere anywhere state NEW tcp dpt:http
DROP tcp -- anywhere anywhere state NEW tcp dpt:nfs
DROP udp -- anywhere anywhere state NEW udp dpt:nfs
DROP tcp -- anywhere anywhere state NEW tcp dpt:xfs
DROP tcp -- anywhere anywhere state NEW tcp dpts:x11:6009
DROP tcp -- anywhere anywhere state NEW tcp dpt:printer
DROP udp -- anywhere anywhere state NEW udp dpt:printer
DROP tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
DROP udp -- anywhere anywhere state NEW udp dpt:sunrpc
net2all all -- anywhere anywhere
Chain net2wap (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
@net2all tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere state NEW tcp dpt:nfs
DROP udp -- anywhere anywhere state NEW udp dpt:nfs
DROP tcp -- anywhere anywhere state NEW tcp dpt:xfs
DROP tcp -- anywhere anywhere state NEW tcp dpts:x11:6009
DROP tcp -- anywhere anywhere state NEW tcp dpt:printer
DROP udp -- anywhere anywhere state NEW udp dpt:printer
DROP tcp -- anywhere anywhere state NEW tcp dpt:sunrpc
DROP udp -- anywhere anywhere state NEW udp dpt:sunrpc
net2all all -- anywhere anywhere
Chain newnotsyn (12 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain reject (8 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
target prot opt source destination
RETURN all -- 255.255.255.255 anywhere
DROP all -- 169.254.0.0/16 anywhere
logdrop all -- 172.16.0.0/12 anywhere
logdrop all -- 192.0.2.0/24 anywhere
logdrop all -- 192.168.0.0/16 anywhere
logdrop all -- 0.0.0.0/7 anywhere
logdrop all -- 2.0.0.0/8 anywhere
logdrop all -- 5.0.0.0/8 anywhere
logdrop all -- 7.0.0.0/8 anywhere
logdrop all -- 10.0.0.0/8 anywhere
logdrop all -- 23.0.0.0/8 anywhere
logdrop all -- 27.0.0.0/8 anywhere
logdrop all -- 31.0.0.0/8 anywhere
logdrop all -- 36.0.0.0/7 anywhere
logdrop all -- 39.0.0.0/8 anywhere
logdrop all -- 41.0.0.0/8 anywhere
logdrop all -- 42.0.0.0/8 anywhere
logdrop all -- 58.0.0.0/7 anywhere
logdrop all -- 60.0.0.0/8 anywhere
logdrop all -- 70.0.0.0/7 anywhere
logdrop all -- 72.0.0.0/5 anywhere
logdrop all -- 82.0.0.0/7 anywhere
logdrop all -- 84.0.0.0/6 anywhere
logdrop all -- 88.0.0.0/5 anywhere
logdrop all -- 96.0.0.0/3 anywhere
logdrop all -- 127.0.0.0/8 anywhere
logdrop all -- 197.0.0.0/8 anywhere
logdrop all -- 222.0.0.0/7 anywhere
logdrop all -- 240.0.0.0/4 anywhere
logdrop all -- 1.0.0.0/8 anywhere
logdrop all -- 69.0.0.0/8 anywhere
logdrop all -- 71.0.0.0/8 anywhere
logdrop all -- 112.0.0.0/5 anywhere
logdrop all -- 120.0.0.0/6 anywhere
logdrop all -- 128.0.0.0/16 anywhere
logdrop all -- 201.0.0.0/8 anywhere
logdrop all -- 221.0.0.0/8 anywhere
logdrop all -- 223.0.0.0/8 anywhere
logdrop all -- BASE-ADDRESS.MCAST.NET/4 anywhere
Chain shorewall (0 references)
target prot opt source destination
Chain wap2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:time
ACCEPT udp -- anywhere anywhere state NEW udp dpt:time
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ntp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
all2all all -- anywhere anywhere
Chain wap2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere state NEW tcp spt:ftp-data dpts:1024:65535 LOG level info prefix `Shorewall:wap2net:ACCEPT:'
ACCEPT tcp -- anywhere anywhere state NEW tcp spt:ftp-data dpts:1024:65535
all2all all -- anywhere anywhere
Mike808/
--
() Join the ASCII ribbon campaign against HTML email and Microsoft-specific
/\ attachments. If I wanted to read HTML, I would have visited your website!
Support open standards.
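As an added example (not part of the original post), a small Python helper that parses Shorewall/iptables LOG lines like the one quoted above: the `chain:DISPOSITION:` prefix says which chain logged the packet (here `badpkt`, which the `iptables -L` output shows is reached through the `unclean` match), the `KEY=VALUE` fields are split out, bare tokens such as `ACK` are collected as TCP flags, and drops are counted per (chain, SRC, DST, DPT) so a repeating pattern stands out. The sample log lines are constructed here; the first is the poster's entry joined back onto one line, the others are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the Shorewall/iptables LOG format quoted in the post.
# The first is the poster's own entry joined back onto one line; the rest are
# made up here so the grouping has more than one record to work on.
SAMPLE_LOG = """\
Sep 2 16:31:48 badpkt:DROP:IN=eth0 OUT=eth1 SRC=216.32.120.133 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=28516 PROTO=TCP SPT=80 DPT=2970 WINDOW=0 RES=0x00 ACK URGP=0
Sep 2 16:31:51 badpkt:DROP:IN=eth0 OUT=eth1 SRC=216.32.120.133 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=28533 PROTO=TCP SPT=80 DPT=2970 WINDOW=0 RES=0x00 ACK URGP=0
Sep 2 16:32:05 net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7 DF PROTO=TCP SPT=3310 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}
LINE_RE = re.compile(r"(?P<chain>\w+):(?P<disp>[A-Z]+):(?P<fields>IN=.*)$")

def parse_line(line):
    """Turn one log line into a dict: chain, disposition, KEY=VALUE fields,
    and the set of bare TCP flag tokens (iptables prints flags without '=')."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec

def tcp_payload_len(rec):
    """Bytes left after a 20-byte IPv4 header and a 20-byte TCP header
    (assumes no IP or TCP options, which the quoted entry does not show)."""
    return int(rec["LEN"]) - 40 if rec.get("PROTO") == "TCP" else None

def describe(rec):
    """Short human-readable triage note for one record."""
    note = f"{rec['chain']} {rec['disp']}: {rec['SRC']}:{rec.get('SPT')} -> {rec['DST']}:{rec.get('DPT')}"
    if rec.get("PROTO") == "TCP":
        note += f" flags={'|'.join(sorted(rec['flags'])) or 'none'} payload={tcp_payload_len(rec)}B window={rec.get('WINDOW')}"
    return note

def summarize(log_text):
    """Count drops per (chain, SRC, DST, DPT) so a repeating pattern stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["SRC"], rec["DST"], rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        print(describe(parse_line(ln)))
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

For the quoted entry the helper reports a bare ACK with no payload and a zero window from port 80, which is the shape of a stray segment arriving after the connection tracking entry is gone rather than a new connection attempt.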