public inbox for linux-kernel@vger.kernel.org
From: Rusty Russell <rusty@rustcorp.com.au>
To: "Jeffrey W. Baker" <jwbaker@acm.org>
Cc: trever_adams@yahoo.com, linux-kernel@vger.kernel.org
Subject: Re: iptables in 2.4.10, 2.4.11pre6 problems
Date: Wed, 10 Oct 2001 13:55:03 +1000
Message-ID: <20011010135503.4f5c06b9.rusty@rustcorp.com.au>
In-Reply-To: <Pine.LNX.4.33.0110091005540.209-100000@desktop>
References: <1002646705.2177.9.camel@aurora> <Pine.LNX.4.33.0110091005540.209-100000@desktop>

On Tue, 9 Oct 2001 10:07:05 -0700 (PDT)
"Jeffrey W. Baker" <jwbaker@acm.org> wrote:

> On 9 Oct 2001, Trever L. Adams wrote:
> 
> > I am seeing messages such as:
> >
> > Oct  9 12:52:51 smeagol kernel: Firewall:IN=ppp0 OUT= MAC=
> > SRC=64.152.2.36 DST=MY_IP_ADDRESS LEN=52 TOS=0x00 PREC=0x00 TTL=246
> > ID=1093 DF PROTO=TCP SPT=80 DPT=33157 WINDOW=34752 RES=0x00 ACK FIN
> > URGP=0
> >
> > In my firewall logs.  I see them for ACK RST as well.  These are valid
> > connections.  My rules follow for the most part (a few allowed
> > connections to the machine in question have been removed from the
> > list).  This often leaves open connections in a half-closed state on
> > machines behind this firewall.  It also sometimes kills totally open
> > connections and I see packets rejected that should be allowed through.
> 
> I see this too.  iptables is refusing packets on locally-initiated TCP
> connections when the RELATED,ESTABLISHED rule should be letting them
> through.

Yes, but it has forgotten them.  Play with the TCP timeout numbers in
net/ipv4/netfilter/ip_conntrack_proto_tcp.c.  Especially the 60 seconds for
TCP_CONNTRACK_CLOSE_WAIT for the ACK FIN case.  These numbers were stolen
from the 2.0 and 2.2 masq code, which had real world testing (but didn't
report failures, so...)

Given some actual feedback on appropriate numbers, this can be fed as a
patch to Linus...

Hope that helps,
Rusty.
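To spot the symptom Rusty describes in a firewall log, here is an added parser for the kernel LOG line format quoted above (example code written for this page, not from the thread or the netfilter project). It flags TCP teardown packets (ACK with FIN or RST, no SYN) that the firewall logged as unmatched, which is what a flow already expired from conntrack looks like. The sample lines are constructed; 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for the poster's MY_IP_ADDRESS and a second peer.

```python
from typing import Dict, List, Set

# Constructed sample in the "Firewall:" LOG format quoted in the thread
# (first line is the poster's entry with MY_IP_ADDRESS replaced).
SAMPLE_LOG = """\
Oct  9 12:52:51 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=64.152.2.36 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=246 ID=1093 DF PROTO=TCP SPT=80 DPT=33157 WINDOW=34752 RES=0x00 ACK FIN URGP=0
Oct  9 12:53:10 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=64.152.2.36 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=1094 DF PROTO=TCP SPT=80 DPT=33158 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  9 12:53:15 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line: str) -> Dict[str, object]:
    """Split a netfilter LOG line into KEY=VALUE fields, TCP flag tokens
    and bare option tokens such as DF."""
    _, _, payload = line.partition("Firewall:")
    flags: Set[str] = set()
    options: Set[str] = set()
    fields: Dict[str, object] = {"flags": flags, "options": options}
    for tok in payload.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # OUT= and MAC= legitimately stay empty
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            options.add(tok)
    return fields


def is_likely_expired_conntrack(entry: Dict[str, object]) -> bool:
    """Teardown-only TCP packet (ACK plus FIN or RST, no SYN) that the
    firewall had to log: consistent with conntrack having timed the flow out."""
    if entry.get("PROTO") != "TCP":
        return False
    flags = entry["flags"]
    if "SYN" in flags or "ACK" not in flags:
        return False
    return bool(flags & {"FIN", "RST"})


def find_suspect_entries(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed entries that match the expired-conntrack pattern."""
    suspects = []
    for line in log_text.splitlines():
        if "Firewall:" not in line:
            continue
        entry = parse_log_line(line)
        if is_likely_expired_conntrack(entry):
            suspects.append(entry)
    return suspects
```

A cluster of such entries whose DPT values belong to recently active local connections is the cue to compare against the TCP_CONNTRACK_CLOSE_WAIT timeout Rusty points at.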

