Old 07-30-2008, 03:41 PM
Account for Debian group mail
 
kernel-image-2.6-k7 and Shorewall firewall

Hello,

We just did an upgrade on one of our etch servers. It installed a bunch
of new updates including a kernel-image 2.6.18-6-k7. This computer is
running the Shorewall Firewall. Everything seemed to be working OK till we
tried to ping the server.

The firewall is set to let in pings every second:

From "rules" file inside shorewall - this has always worked:
ACCEPT net $FW icmp 8 - - 1/sec

What iptables-save shows:
-A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT

Should work!

What syslog shows:
Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=32799 SEQ=8
(numbers change to protect the innocent)

I change the "rules" file to:

ACCEPT net $FW icmp 8 - -

so it just accepts pings and it works just fine.

Seems like something has changed in this new kernel-image. Is it possible
that 1 second in the iptables stuff is no longer 1 second? Do I need to
decrease or increase the time limit? Anyone else run into this? I would
still like to limit the ping rates.

Thanks,

Ken



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
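The question of whether "1/sec" still means one second comes down to how the iptables `limit` match meters packets: it is a token bucket with an average rate (`--limit`) and a depth (`--limit-burst`, 5 by default), not a fixed one-packet-per-second gate. The following is an added example, not code from the thread or from Shorewall/netfilter; it models that bucket in Python with the same time-based credit scheme the kernel's limit match uses, and runs it over two constructed packet schedules so you can see which packets a `--limit 1/sec` rule is expected to pass and which it drops. The function and constant names are assumptions chosen for this example.

```python
from fractions import Fraction
from typing import List, Tuple

# Milliseconds per unit accepted by iptables --limit (second|sec, minute|min, hour, day).
UNIT_MS = {
    "second": 1000, "sec": 1000,
    "minute": 60_000, "min": 60_000,
    "hour": 3_600_000,
    "day": 86_400_000,
}


def parse_limit(spec: str) -> Fraction:
    """Convert an iptables --limit value such as '1/sec' into the credit cost of
    one packet, in milliseconds: '1/sec' -> 1000, '5/minute' -> 12000."""
    count, _, unit = spec.partition("/")
    n = int(count) if count.isdigit() else 0
    if n <= 0 or unit not in UNIT_MS:
        raise ValueError(f"bad --limit value: {spec!r}")
    return Fraction(UNIT_MS[unit], n)


class LimitMatch:
    """Token-bucket model of '-m limit --limit <rate> --limit-burst <n>'.

    Credit is measured in milliseconds of elapsed time; every matched packet
    spends `cost` ms, the bucket refills as wall-clock time passes, and it can
    never hold more than `burst` packets' worth of credit.
    """

    def __init__(self, limit: str, burst: int = 5):
        self.cost = parse_limit(limit)
        self.capacity = self.cost * burst
        self.credit = self.capacity   # the bucket starts full
        self.last_ms = None

    def matches(self, now_ms: int) -> bool:
        """Return True if a packet arriving at now_ms matches (is within the limit)."""
        if self.last_ms is not None:
            self.credit = min(self.capacity, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def apply_rule(limit: str, burst: int, arrivals_ms: List[int]) -> List[str]:
    """Verdict per packet for an ACCEPT rule guarded by the limit match; packets
    that fall outside the limit do not match and fall through to the chain's
    policy, which Shorewall's net2fw chain logs and drops."""
    match = LimitMatch(limit, burst)
    return ["ACCEPT" if match.matches(t) else "DROP" for t in arrivals_ms]


def summarize(verdicts: List[str]) -> Tuple[int, int]:
    """(accepted, dropped) counts for a verdict list."""
    accepted = verdicts.count("ACCEPT")
    return accepted, len(verdicts) - accepted


# Constructed arrival schedules (milliseconds), not captured traffic:
# a normal `ping` sends one echo request per second; a flood sends ten per second.
CONSTRUCTED_STEADY_PING = [i * 1000 for i in range(10)]
CONSTRUCTED_FLOOD = [i * 100 for i in range(25)]

if __name__ == "__main__":
    for name, arrivals in (("steady 1/sec ping", CONSTRUCTED_STEADY_PING),
                           ("10/sec flood", CONSTRUCTED_FLOOD)):
        verdicts = apply_rule("1/sec", 5, arrivals)
        print(f"{name}: {summarize(verdicts)}  {' '.join(v[0] for v in verdicts)}")
```

Running it shows the steady one-per-second ping never empties the bucket (every packet is accepted), while the flood gets its first five packets through on the burst allowance and then one packet per second thereafter. In this model a DROP for a ping sent at a one-second cadence is not something the limit match alone produces; the match only bites on traffic arriving faster than the configured average once the burst is spent, so a drop like the logged SEQ=8 points at something other than the rate arithmetic.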
 
Old 07-30-2008, 08:35 PM
Steven Jan Springl
 
kernel-image-2.6-k7 and Shorewall firewall

On Wednesday 30 July 2008 16:41, Account for Debian group mail wrote:
> Hello,
>
> We just did an upgrade on one of our etch servers. It installed a bunch
> of new updates including a kernel-image 2.6.18-6-k7. This computer is
> running the Shorewall Firewall. Everything seemed to be working OK till we
> tried to ping the server.
>
> The firewall is set to let in pings every second:
> From "rules" file inside shorewall - this has always worked:
>
> ACCEPT net $FW icmp 8 - - 1/sec
>
> What iptables-save shows:
> -A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> -A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
>
> Should work!
>
> What syslog shows:
> Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
> DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=32799 SEQ=8
> (numbers change to protect the innocent)
>
> I change the "rules" file to:
>
> ACCEPT net $FW icmp 8 - -
>
> so it just accepts pings and it works just fine.
>
> Seems like something has changed in this new kernel-image. Is it possible
> that 1 second in the iptables stuff is no longer 1 second? Do I need to
> decrease or increase the time limit? Anyone else run into this? I would
> still like to limit the ping rates.
>
> Thanks,
>
> Ken
Ken

I have just tried this with the updated 2.6.18-6-k7 kernel, but I cannot
re-create your problem.

Steven.


Old 07-31-2008, 02:02 AM
Account for Debian group mail
 
kernel-image-2.6-k7 and Shorewall firewall

On Wed, 30 Jul 2008, Steven Jan Springl wrote:

> On Wednesday 30 July 2008 16:41, Account for Debian group mail wrote:
> > Hello,
> >
> > We just did an upgrade on one of our etch servers. It installed a bunch
> > of new updates including a kernel-image 2.6.18-6-k7. This computer is
> > running the Shorewall Firewall. Everything seemed to be working OK till we
> > tried to ping the server.
> >
> > The firewall is set to let in pings every second:
> > From "rules" file inside shorewall - this has always worked:
> >
> > ACCEPT net $FW icmp 8 - - 1/sec
> >
> > What iptables-save shows:
> > -A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> > -A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
> >
> > Should work!
> >
> > What syslog shows:
> > Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> > MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
> > DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=32799 SEQ=8
> > (numbers change to protect the innocent)
> >
> > I change the "rules" file to:
> >
> > ACCEPT net $FW icmp 8 - -
> >
> > so it just accepts pings and it works just fine.
> >
> > Seems like something has changed in this new kernel-image. Is it possible
> > that 1 second in the iptables stuff is no longer 1 second? Do I need to
> > decrease or increase the time limit? Anyone else run into this? I would
> > still like to limit the ping rates.
> >
> > Thanks,
> >
> > Ken
> Ken
>
> I have just tried this with the updated 2.6.18-6-k7 kernel, but I cannot
> re-create your problem.
>
> Steven.

Steven,

Thanks for the reply. I went and configured Shorewall back the way it was
and now it works fine. I rebooted the server and still it works the way
it should. I know what it was doing and the logs prove me out. So all I
can think now is that it is an intermittent problem - great.

Again thanks for checking it out on your end.

Ken

