From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: ssh connections stalling
Date: Fri, 23 Oct 2009 10:05:10 +0200	[thread overview]
Message-ID: <4AE163B6.9040706@chello.at> (raw)
In-Reply-To: <alpine.LNX.2.00.0910221138180.21365@spider.phas.ubc.ca>

netfilter-owner@vger.kernel.org wrote:
> I'm having some troubles with what should be a very simple firewall to 
> simply protect a local machine.  When the firewall is enabled, ssh and 
> scp connections will sometimes hang indefinitely.  I've tried 
> configuring the firewall (which blocks all incoming requests to ports 
> 0:1023 except ssh and icmp) with several different tools: firehol, ufw 
> and lutelwall.  If the firewall is turned off, the problem 
> disappears.  With lutelwall there is an option to create a 
> non-stateful firewall - if that is done, the problem also disappears.
>
> My syslog does show dropped packets that appear to be the cause of the 
> problem.  From tcpdumps at both ends of the connection it looks like 
> the problem happens if large packets are sent out from behind the 
> firewall and then arrive in pieces at the other end with a piece 
> missing.  ack packets coming back in are dropped, and the connection 
> never recovers.
>
> Any help in diagnosing this would be much appreciated.
>
> Carl

Hello,

The rules you showed us would all allow a local ssh server, so the 
ruleset is not the problem.
What confuses me is that you talk about packets from behind the firewall, 
but your rulesets don't show any FORWARD rules that would even allow ssh.
If you had, I'd say the problem may be fixable using the TCPMSS 
target:

TCPMSS
       [...]
       This target is used to overcome criminally braindead ISPs or servers
       which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
       packets. The symptoms of this problem are that everything works fine
       from your Linux firewall/router, but machines behind it can never
       exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       [...]

If you need rules for a non-routing (non-forwarding) machine, why do you 
talk about 'behind the firewall'?
Otherwise it's something other than the ruleset.
Log outputs? tcpdumps? Distro? Kernel? iptables version?

Regards

Mart

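The kind of ruleset Mart's reply is reasoning about, as an added example that is not part of the thread and not the netfilter project's own code: a stateful host firewall in iptables-restore format that keeps reply traffic and ICMP open (so path-MTU discovery is not blocked by the firewall itself), logs INVALID-state drops with a distinct prefix from policy drops so the syslog lines Carl mentions can be attributed to a rule, and carries the TCPMSS clamp from the man page excerpt in the mangle FORWARD chain, where it only takes effect on a machine that actually forwards traffic. The log prefixes and the ssh-only port policy are assumptions chosen for this example; the script only applies anything when run with `--apply` on a host that has iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original thread or the netfilter project.
# Emits a stateful ruleset in iptables-restore format. Log prefixes and the
# ssh-only INPUT policy are assumptions for this example.

build_ruleset() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clamp MSS on forwarded SYNs so hosts behind the box never send segments
# larger than the path can carry. No effect on the firewall's own traffic.
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Reply traffic first: if a connection still stalls with this rule present,
# the suspect is connection tracking, not the port filter below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log INVALID separately so it can be told apart from plain policy drops.
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "FW-INVALID: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP must pass or "fragmentation needed" never reaches the TCP stack.
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Offline sanity check of the generated text. Rule order is what matters in
# a chain, so compare line numbers of the key rules instead of only grepping
# for their presence. Returns 0 when the ordering is sound.
check_ruleset() {
    rules=$(build_ruleset)
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n1)
    icmp=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -p icmp -j ACCEPT' | cut -d: -f1 | head -n1)
    log=$(printf '%s\n' "$rules" | grep -n 'FW-DROP' | cut -d: -f1 | head -n1)
    drop=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j DROP' | cut -d: -f1 | head -n1)
    [ -n "$est" ] && [ -n "$icmp" ] && [ -n "$log" ] && [ -n "$drop" ] || return 1
    # Accept rules and the LOG rule must all sit above the final DROP.
    [ "$est" -lt "$drop" ] && [ "$icmp" -lt "$drop" ] && [ "$log" -lt "$drop" ]
}

# Apply only on explicit request and only where iptables-restore exists;
# otherwise just print the ruleset for review.
if [ "${1:-}" = "--apply" ] && command -v iptables-restore >/dev/null 2>&1; then
    check_ruleset && build_ruleset | iptables-restore
elif [ "${1:-}" = "--show" ]; then
    build_ruleset
fi
```

Run with `--show` to review the generated rules, and with `--apply` to load them; kernel log lines tagged `FW-INVALID:` rather than `FW-DROP:` are the ones to look at first when an established session hangs, since they name conntrack rather than the port policy as the rule that dropped the packet.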

Thread overview: 19+ messages
2009-10-22 18:45 ssh connections stalling Carl Michal
2009-10-22 20:24 ` Karl Hiramoto
2009-10-22 20:36   ` Carl Michal
2009-10-23  7:10     ` Rob Sterenborg
2009-10-23 10:29     ` Karl Hiramoto
2009-10-22 23:31   ` Carl Michal
2009-10-23  8:05 ` Mart Frauenlob [this message]
2009-10-23 17:32   ` Carl Michal
2009-10-23 18:10     ` Jozsef Kadlecsik
2009-10-23 18:49       ` Carl Michal
2009-10-23 19:57       ` Carl Michal
2009-10-23 21:42         ` Jozsef Kadlecsik
2009-10-23 22:22           ` Carl Michal
2009-10-23 23:58             ` Steven Kath
2009-10-24  6:44             ` Carl Michal
2009-10-24  7:21               ` Payam Chychi
2009-10-24 17:24               ` Jozsef Kadlecsik
2009-10-24 20:58                 ` Carl Michal
2009-10-26  4:37                 ` Carl Michal