On Wed, 30 Jul 2008, Steven Jan Springl wrote:

> On Wednesday 30 July 2008 16:41, Account for Debian group mail wrote:
> > Hello,
> >
> > We just did an upgrade on one of our etch servers. It installed a bunch
> > of new updates including a kernel-image 2.6.18-6-k7. This computer is
> > running the Shorewall Firewall. Everything seemed to be working OK till we
> > tried to ping the server.
> >
> > The firewall is set to let in pings every second:
> > From "rules" file inside shorewall - this has always worked:
> >
> > ACCEPT net $FW icmp 8 - - 1/sec
> >
> > What iptables-save shows:
> > -A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> > -A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
> >
> > Should work!
> >
> > What syslog shows:
> > Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> > MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
> > DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=32799 SEQ=8
> > (numbers changed to protect the innocent)
> >
> > I change the "rules" file to:
> >
> > ACCEPT net $FW icmp 8 - -
> >
> > so it just accepts pings and it works just fine.
> >
> > Seems like something has changed in this new kernel-image. Is it possible
> > that 1 second in the iptables stuff is no longer 1 second? Do I need to
> > decrease or increase the time limit? Anyone else run into this? I would
> > still like to limit the ping rates.
> >
> > Thanks,
> >
> > Ken
>
> Ken
>
> I have just tried this with the updated 2.6.18-6-k7 kernel, but I cannot
> re-create your problem.
>
> Steven.

Steven,

Thanks for the reply.

I went and configured Shorewall back the way it was and now it works fine. I rebooted the server and still it works the way it should. I know what it was doing and the logs prove me out. So all I can think now is that it is an intermittent problem - great.

Again thanks for checking it out on your end.

Ken
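
The `-m limit --limit 1/sec` match from the iptables-save output above, modelled as a token bucket to show which echo requests match the ACCEPT rule and which fall through to the rest of the net2fw chain. This is an added example, not code from the thread or from iptables; it is a simplified model that assumes the default `--limit-burst` of 5, and the arrival times are constructed.

```python
# Simplified model of the iptables "limit" match (a token bucket).
# Assumption: --limit-burst is left at its default of 5, as in the
# rule shown in the thread, which sets only --limit 1/sec.


class LimitMatch:
    def __init__(self, rate_per_sec=1.0, burst=5):
        self.rate = rate_per_sec      # tokens regained per second
        self.burst = burst            # bucket capacity
        self.tokens = float(burst)    # the bucket starts full
        self.last = None              # time of the previous packet

    def matches(self, now):
        """Return True if a packet arriving at `now` matches the rule."""
        if self.last is not None:
            regained = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + regained)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True               # rule matches: -j ACCEPT
        return False                  # no match: packet continues down the chain


def fell_through(arrivals, rate_per_sec=1.0, burst=5):
    """Arrival times of packets that did NOT match the limit rule."""
    rule = LimitMatch(rate_per_sec, burst)
    return [t for t in sorted(arrivals) if not rule.matches(t)]


# Constructed arrival times (seconds), not taken from the thread's logs.
ONE_STREAM = [float(i) for i in range(12)]             # one ping, 1 packet/s
TWO_STREAMS = ONE_STREAM + [i + 0.5 for i in range(12)]  # two pings, 2 packets/s

if __name__ == "__main__":
    print("one stream, not accepted: ", fell_through(ONE_STREAM))
    print("two streams, not accepted:", fell_through(TWO_STREAMS))
```

A single 1 packet/s stream never empties the bucket, while a combined 2 packets/s uses up the burst after a few seconds and then only every other packet matches.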