On my home desktop I've managed to reproduce some garbled messages which should make for easier reproduction by others.
Instructions to reproduce this bug for demonstration purposes:
1. Take a common or garden Ubuntu Hardy desktop install with a single network interface, on a subnet with another (ideally Linux) machine.
2. sudo apt-get -y install shorewall nmap
3. sudo cp /usr/share/doc/shorewall-common/examples/one-interface/{rules,interfaces,policy,zones} /etc/shorewall/
4. Edit /etc/default/shorewall and set startup=1
5. Edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes
6. Edit /etc/shorewall/policy and change _all_ lines to have policy "REJECT" with log level "info"
7. Edit /etc/shorewall/rules changing the Ping/REJECT to Ping/ACCEPT and add these lines
ACCEPT $FW net tcp 22
ACCEPT $FW net tcp 22
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 22
8. sudo /etc/init.d/shorewall restart
9. sudo ifconfig eth0:1 192.168.2.1 netmask 255.255.255.0
10. On the other Linux machine run
sudo ifconfig eth0:1 192.168.2.2 netmask 255.255.255.0
11. nmap 192.168.2.2
12. On the other Linux machine run
nmap 192.168.2.1
13. Look in /var/log/syslog and see do you get any garbled entries.
I have just done this and got garbled messages from the port scans in both directions (fw2net and net2fw):
Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall: fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0 fw2net: REJECT: IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0 fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9528 DF PROTO=TCP SPT=58089 DPT=727 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:
Sep 27 12:50:02 balti kernel: [ 957.260304] Shorewall:
Sep 27 12:53:18 balti kernel: [ 1151.778943] Shorewall: net2fw: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 MAC=00:30:1b:ae:a2: MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7= MAC=00:30:1b: MAC=00:30:1b:a= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20990 DF PROTOMAC= 00:30:1b: ae:a2AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:00 SRC=192.168.2.2 DSTC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. 168.2.2AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 0C=00:30: 1b:ae:a2: 2e:00:16: 6f:7c:25: 8a:08:00AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:0AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:AC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. 168.AC= 00:30:1b: ae:a2:2e: 0AC=00: 30:1b:ae: a2:2eMAC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25 MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:MAC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08 MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 = MAC=00: 30:1b:ae: a2:2e: 7c:25:8a: 08:00 SRCT= MAC=00:30:1T= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=6= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DT= MAC=00:30:1b:ae:aT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=T= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: T= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2UT= MAC=00:30:1b:aOUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:70 OUT= MAC=00:h0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.16th0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16th0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=19eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7eth0 OUT= MAC=00: 
30:1b:ae: a2:2e:00: 16:6f:7c: =eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 2N=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08JECT: IN=eth0 OUT= MAECT:IN=eth0 OUT= MAECT:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00EJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2eECT: IN=eth0 OUT= MACJECT:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2ECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: ECT:IN= eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64JECT:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=JECT:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:0EJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:EJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00REJECT: IN=eth0 OUT= MAC=00: 30:1b:aew: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:0w: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: w:REJECT: IN=eth0 fw:REJECT:IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6fet2fw: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2eet2fw: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: t2fw:REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: at2fw:REJECT: INt2fw: REJECT: IN=eth0 OUT= M
=0x00 PREC=0x00 TTL=64 ID=4404 DF PROTO=TCP SPT=54174 DPT=813 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:53:18 balti kernel: [ 1151.780464]= MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2 MAC=00:
Sep 27 12:53:18 balti kernel: 0:16:6f:
Sep 27 12:53:18 balti kernel: N=eth0 OUT= MAC=00:3CT:IN=eth0 OUT= MAC=00:
I'm attaching a file which contains the syslog entries relevant to both port scans. You can see small garbage in the outgoing nmap but much larger garbage on the incoming port scan.
For some reason, this doesn't appear to happen when a DROP policy is in action; I only see it for REJECTs.
The above of course is just proof of concept and may seem a strange config. I'm seeing it on more sensibly configured machines too though.
Gavin
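
The following is an added example, not part of the original report: a small checker that flags firewall log entries damaged in the way shown above, by testing that each key=value field occurs once and in the expected order. The field order is taken from the intact entries in this report and assumes TCP packets logged without optional fields; the names ORDER, check_entry and scan are hypothetical, and the sample lines are constructed from the entries quoted above.

```python
import re

# Field order of an IPv4/TCP entry, as seen in the intact entries in this
# report (assumption: no optional log fields). MAC= is only on incoming packets.
ORDER = ["IN", "OUT", "MAC", "SRC", "DST", "LEN", "TOS", "PREC", "TTL",
         "ID", "PROTO", "SPT", "DPT", "WINDOW", "RES", "URGP"]
REQUIRED = [k for k in ORDER if k != "MAC"]
KEY_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z0-9]+)=")

def check_entry(line):
    """Return a list of problems found in one firewall log line."""
    keys = KEY_RE.findall(line)
    problems = []
    unknown = sorted({k for k in keys if k not in ORDER})
    if unknown:  # e.g. "PROTOMAC=" where two entries were spliced together
        problems.append("unknown keys: " + ",".join(unknown))
    repeated = [k for k in ORDER if keys.count(k) > 1]
    if repeated:
        problems.append("repeated keys: " + ",".join(repeated))
    missing = [k for k in REQUIRED if k not in keys]
    if missing:
        problems.append("missing keys: " + ",".join(missing))
    positions = [ORDER.index(k) for k in keys if k in ORDER]
    if positions != sorted(positions):
        problems.append("keys out of order")
    return problems

def scan(lines):
    """Return {line_number: problems} for every damaged firewall entry."""
    report = {}
    for number, line in enumerate(lines, start=1):
        if any(k in ORDER for k in KEY_RE.findall(line)):
            problems = check_entry(line)
            if problems:
                report[number] = problems
    return report

# Constructed sample: one intact entry, one interleaved entry, one fragment.
GOOD = ("Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall: fw2net: REJECT: "
        "IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 "
        "TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 "
        "SYN URGP=0")
SAMPLE = [GOOD,
          GOOD + " fw2net: REJECT: IN= OUT=et549 DF PROTO=TCP SPT=54860 "
                 "DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0",
          "Sep 27 12:53:18 balti kernel: [ 1151.780464]= MAC=00:30:1b:ae:a2: "
          "MAC=00:30:1b:ae:a2 MAC=00:"]

if __name__ == "__main__":
    for number, problems in scan(SAMPLE).items():
        print(number, "; ".join(problems))
```

Running it against /var/log/syslog after each port scan gives a count of damaged entries, which makes the REJECT and DROP policies easy to compare.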