From: Peter Bieringer <pb@bieringer.de>
To: Maillist netdev <netdev@oss.sgi.com>
Subject: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
Date: Mon, 22 Apr 2002 08:47:13 +0200
Message-ID: <22830000.1019458033@localhost>

Hi,

I found an issue that is strange to me and need help digging into it a
little, because I'm running out of knowledge.

Please don't comment on the use of commercial firewalls on Linux ;-)


Running Check Point Firewall (NG FP-2) on Linux (RHL kernel 2.4.9-31,
OpenSSH 2.9 and 3.1) loads its big firewall module into the kernel.


First question:
how can I check which kernel network hooks it uses? Are there any
tools available?


Now further on...


"No problem" scenario:
Linux is IPv4-only, openssh is bound to 0.0.0.0, incoming SSH traffic is
accepted and the CP state table is updated.


"Problematic" scenario:
Linux has the ipv6 module loaded, openssh is bound to ::, and now the
following happens:

incoming SSH traffic (still IPv4) is accepted, CP updates the initial
connection timer but never updates its state table to state
"established". The initial timer is still updated after each
keystroke, but if the timeout occurs (default 60s), the connection will
break.

Looks like CP never sees (or recognizes) packets leaving the
firewalled host from a dual-stack application.


Second question:
Can I trace such issues? Is there a toolset available which shows me
which way a packet runs in the network kernel?


BTW: incoming SSH traffic via IPv6 is completely unrecognized and
therefore quietly accepted. Looks like CP never sees or recognizes
incoming IPv6 packets at all - the same issue as if, on an
IPv4-netfiltered box, the IPv6 netfilter was forgotten...

TIA,
        Peter
