From: Mohamed Eldesoky <eldesoky.lists@gmail.com>
To: Andrew <andrewna@mymcsb.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Problem downloading large files from Apache from far
Date: Wed, 27 Jul 2005 14:03:34 +0300
Message-ID: <1403218a05072704033f9504e0@mail.gmail.com>
In-Reply-To: <NJBBIPFCOLMFJFKBPLDMAEJJCCAA.andrewna@mymcsb.com>
Is the Cisco PIX blocking ICMP?
On 7/27/05, Andrew <andrewna@mymcsb.com> wrote:
> Hi,
>
> I'm running Fedora Core 4 (Linux 2.6.11) with netfilter 1.30.
> I've set up apache 2.54 to run at port 80.
>
> Basically, when downloading large files (or pages) from apache, the download
> stalls after the first few kilobytes or so.
>
> The configuration for the firewall in /etc/sysconfig/iptables is:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A OUTPUT -j ACCEPT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
> COMMIT
>
> The solution is to set port 80 to allow INVALID packets:
>
> -A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -m
> tcp -p tcp --dport 80 -j ACCEPT
>
> But the question is, why are subsequent packets coming from the remote
> machine being identified as INVALID? Will allowing INVALID packets cause
> other problems?
>
> The Linux machine is actually behind another Cisco PIX firewall. Could the
> hardware firewall be translating the packets wrongly? Any ideas?
>
> Regards,
>
> Andrew
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
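The rule set quoted above already accepts all ICMP on the Linux host, so if the upstream PIX drops ICMP, the "fragmentation needed" errors that path-MTU discovery depends on never arrive and a large transfer stalls once the sender's segments exceed the path MTU; the retransmitted and out-of-window segments are then what conntrack tags INVALID. Accepting INVALID on port 80 hides that symptom but also switches off conntrack's TCP window tracking for the web server. As an added example (not from the thread), here is a small auditor that parses an iptables-save dump, flags any rule that ACCEPTs the INVALID state, and checks whether inbound ICMP errors are still permitted, so the workaround can be spotted and the real cause investigated. The embedded rule set is a constructed, trimmed copy of Andrew's with his proposed fix line appended; the function and class names are my own.

```python
"""Audit an iptables-save dump for ACCEPTed INVALID state and for ICMP error
handling needed by path-MTU discovery. Constructed sample input; added example."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: trimmed version of the quoted rule set plus the proposed
# "fix" that accepts INVALID on port 80.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# ICMP type selectors that include "fragmentation needed" (type 3, code 4).
PMTU_ICMP_TYPES = {None, "any", "3", "destination-unreachable", "fragmentation-needed"}


@dataclass
class Rule:
    chain: str
    raw: str
    proto: Optional[str] = None
    states: Set[str] = field(default_factory=set)
    dport: Optional[str] = None
    icmp_type: Optional[str] = None
    target: Optional[str] = None


def parse_rules(text: str) -> List[Rule]:
    """Parse only the '-A' rule lines; table headers, chain declarations and
    COMMIT carry no match criteria and are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = Rule(chain=toks[1], raw=line)
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-p":
                rule.proto = toks[i + 1]
                i += 2
            elif tok == "--state":
                rule.states = set(toks[i + 1].split(","))
                i += 2
            elif tok == "--dport":
                rule.dport = toks[i + 1]
                i += 2
            elif tok == "--icmp-type":
                rule.icmp_type = toks[i + 1]
                i += 2
            elif tok == "-j":
                rule.target = toks[i + 1]
                i += 2
            elif tok in ("-m", "-i", "-o", "-s", "-d", "--reject-with"):
                i += 2  # single-argument options the audit does not need
            else:
                i += 1  # bare flags such as '!' or unknown options
        rules.append(rule)
    return rules


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for r in rules:
        if r.target == "ACCEPT" and "INVALID" in r.states:
            findings.append(
                f"{r.chain}: ACCEPTs INVALID state for dport {r.dport or 'any'}; "
                "this bypasses conntrack TCP window tracking instead of fixing why "
                "segments are out of window")
    # ICMP errors for tracked flows are RELATED; a protocol-agnostic RELATED
    # accept or an explicit ICMP accept covering type 3 keeps PMTU discovery working.
    icmp_ok = any(
        r.target == "ACCEPT" and (
            (r.proto == "icmp" and r.icmp_type in PMTU_ICMP_TYPES)
            or (r.proto is None and "RELATED" in r.states))
        for r in rules)
    if not icmp_ok:
        findings.append(
            "no rule accepts ICMP destination-unreachable/RELATED; path-MTU "
            "discovery will black-hole large transfers")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print("FINDING:", finding)
```

Run against the sample, the auditor reports only the INVALID-accepting port 80 rule; the host-side ICMP handling is fine, which points the investigation upstream, toward the device in front of the host, exactly as the reply above suggests.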