From: Philip Craig <philipc@snapgear.com>
To: "T. Horsnell (tsh)" <tsh@mrc-lmb.cam.ac.uk>
Cc: netfilter@lists.netfilter.org
Subject: Re: connection dropouts
Date: Fri, 27 Feb 2004 17:44:57 +1000
Message-ID: <403EF579.80907@snapgear.com>
In-Reply-To: <E1AwOAt-001GiC-A2@alf1.lmb.internal>
T. Horsnell (tsh) wrote:
> tcp 6 431253 ESTABLISHED src=10.2.0.4 dst=131.111.85.78 sport=49278 dport=143 [UNREPLIED] src=131.111.85.78 dst=10.2.0.4 sport=143 dport=49278 use=1
>
> 'ESTABLISHED' 'UNREPLIED' seems an odd combination to me.
This is happening when the firewall only sees packets travelling in
one direction. That is, 10.2.0.4 uses the firewall as its gateway
to talk to 131.111.85.78, but since 131.111.85.78 knows about the
10.x.x.x network, it replies directly to 10.2.0.4, so the firewall
is missing half of the conversation. It doesn't look to me like this
particular connection has hung.
Do you have any DNAT rules on the firewall? This kind of asymmetrical
routing does cause problems with DNAT, since the firewall doesn't get
a chance to reverse the DNAT in the reply packets, and the symptom is
that the connection hangs.
> I don't yet know why traffic between our 10. hosts and our
> 131.111 hosts should generate a conntrack entry at all...
If the packets go via the firewall, then a conntrack entry will
always be created.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
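The diagnosis above rests on reading the conntrack table: an entry whose TCP state is ESTABLISHED but which still carries [UNREPLIED] means the firewall has only ever seen the originator's side of the flow, and if the reply tuple is not simply the mirror of the original tuple, NAT is involved and the un-reversed-NAT hang Philip describes becomes likely. The following is an added example, not code from the thread or from the netfilter project: a small parser for /proc/net/ip_conntrack lines in the layout quoted above that classifies each entry. The sample lines in SAMPLE are constructed for this example (the first one is the line from the thread); the classification labels and the assumption that NAT shows up as a non-mirrored reply tuple are mine.

```python
"""Classify conntrack entries by whether the firewall sees both directions.

An ESTABLISHED TCP entry still marked [UNREPLIED] is the asymmetric-routing
signature discussed in the thread: replies are bypassing the firewall.  If
the reply tuple is additionally not the mirror of the original tuple, the
entry was NATed, and those replies can never have the NAT reversed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines in the /proc/net/ip_conntrack layout of the thread.
SAMPLE = [
    # the entry quoted in the thread: one-way visibility, no NAT
    "tcp 6 431253 ESTABLISHED src=10.2.0.4 dst=131.111.85.78 sport=49278 dport=143"
    " [UNREPLIED] src=131.111.85.78 dst=10.2.0.4 sport=143 dport=49278 use=1",
    # a healthy flow: both directions seen, entry assured
    "tcp 6 431999 ESTABLISHED src=10.2.0.4 dst=10.2.0.9 sport=49300 dport=22"
    " src=10.2.0.9 dst=10.2.0.4 sport=22 dport=49300 [ASSURED] use=1",
    # hypothetical DNATed flow whose replies bypass the firewall
    "tcp 6 431253 ESTABLISHED src=192.0.2.10 dst=198.51.100.1 sport=40000 dport=80"
    " [UNREPLIED] src=10.2.0.20 dst=192.0.2.10 sport=80 dport=40000 use=1",
    # a fresh UDP query that simply has not been answered yet
    "udp 17 29 src=10.2.0.4 dst=10.2.0.1 sport=5353 dport=53"
    " [UNREPLIED] src=10.2.0.1 dst=10.2.0.4 sport=53 dport=5353 use=1",
]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FLAG_RE = re.compile(r"\[([A-Z]+)\]")


@dataclass
class Entry:
    proto: str
    timeout: int
    state: str                 # TCP state word, "" for protocols without one
    orig: tuple                # (src, dst, sport, dport) as sent by the originator
    reply: tuple               # (src, dst, sport, dport) the firewall expects back
    flags: set = field(default_factory=set)


def parse_line(line):
    """Parse one ip_conntrack line; return None for layouts not handled here
    (e.g. ICMP entries, which use type=/code=/id= instead of ports)."""
    parts = line.split()
    proto, timeout = parts[0], int(parts[2])
    # Only TCP entries carry a state word between the timeout and the tuples.
    state = parts[3] if proto == "tcp" else ""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    return Entry(proto, timeout, state, tuples[0], tuples[1], set(FLAG_RE.findall(line)))


def classify(e):
    """Diagnose a single entry."""
    # Without NAT the reply tuple is the original tuple with ends swapped.
    mirrored = (e.orig[1], e.orig[0], e.orig[3], e.orig[2])
    nated = e.reply != mirrored
    if "UNREPLIED" in e.flags:
        if e.state == "ESTABLISHED":
            # The firewall has seen a live flow but never a reply: asymmetric routing.
            return "asymmetric+nat" if nated else "asymmetric"
        return "unreplied"      # new flow, nothing wrong yet
    return "replied"


def scan(lines):
    """Classify every parseable line, preserving order."""
    results = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            results.append(classify(e))
    return results


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, scan(SAMPLE)):
        print(verdict.ljust(15), line.split(" use=")[0])
```

Feed it the real table with `scan(open("/proc/net/ip_conntrack"))` (or the equivalent `conntrack -L` output, whose layout is close enough for the regexes) and grep for "asymmetric+nat": those are the flows where the reply path never reaches the firewall and the DNAT can never be undone.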
Thread overview:
2004-02-25 19:05 connection dropouts T. Horsnell (tsh)
2004-02-26 9:00 ` Philip Craig
2004-02-26 16:15 ` T. Horsnell (tsh)
2004-02-27 7:44 ` Philip Craig [this message]
2004-02-27 17:28 ` T. Horsnell (tsh)