On Tue, Mar 30, 2010 at 3:07 PM, <l...@puhti.com> wrote:
> Hello folks
>
> I have the following setup:
>
> DMZ public IP 4
> DMZ public IP 3
> |
> Internet---br0, public IP 1 (eth0 is internet side and eth1 is DMZ side)
> br0:0, public IP 2---nat (eth2)---private IP
>
> Problem is that sometimes (2-4 times a day) DMZ public IP 3 cannot
> make a TCP connection to br0:0 public IP 2. The connection is lost for 5
> minutes to 5 hours and fixes itself. Connection can be fixed manually
> by running command "nmap public IP 2" from DMZ public IP 3. ICMP and UDP
> protocols work fine. When system is broken and I try to make a
> TCP connection from DMZ public IP 3 to public IP 2 while dumping eth2, I see
> some of the packets there. When system is working, none of those packets can be
> seen on eth2. DMZ public IP 3 can connect all the time to the other mentioned
> IPs. This system broke when we removed all physdev things from our
> firewall and upgraded from etch to lenny. Does anybody have a clue what

Sounds like you are having firewall issues; nmap is probably setting up connection tracking and allowing packets to flow again.

What I don't understand is why you need to use bridging? Trying to save IP addresses?

You can put iptables -j LOG rules in to test where packets are getting to; a good rule of thumb is to log packets before dropping/rejecting them.

physdev is important when you are firewalling bridge devices.

> could cause the problem or at least what could I do to investigate this
> problem more?
>
> System is Debian Lenny with default kernel 2.6.26-2-686
>
> -Lauri-
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/082ae19851cb6ef9852c548143c41206.squir...@ssl.puhti.com

--
Archive: http://lists.debian.org/836a6dcf1003300010v6bb49c2blc77041f0f35f5...@mail.gmail.com
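
The "log before drop" advice in the reply above, as an added example that is not part of the original thread: a script that prints LOG rules tracing one TCP flow through each netfilter hook, plus a log of packets that connection tracking marks INVALID. The addresses are RFC 5737 placeholders standing in for "DMZ public IP 3" and "public IP 2", and the function names and log prefixes are made up for this sketch.

```shell
#!/bin/sh
# Added example: print LOG rules that trace one TCP flow through netfilter.
# SRC/DST are constructed placeholders, not the poster's addresses.
SRC="${SRC:-203.0.113.3}"   # stands in for "DMZ public IP 3"
DST="${DST:-203.0.113.2}"   # stands in for "public IP 2" on br0:0

# Hooks in traversal order. The nat table only sees the first packet of a
# connection, so it is left out; raw, mangle and filter see every packet.
HOOKS="raw:PREROUTING mangle:PREROUTING mangle:INPUT filter:INPUT mangle:FORWARD filter:FORWARD mangle:POSTROUTING"

# Print one iptables command per hook; nothing is applied here.
trace_rules() {
    for hook in $HOOKS; do
        table=${hook%%:*}
        chain=${hook##*:}
        printf 'iptables -t %s -I %s 1 -p tcp -s %s -d %s -j LOG --log-prefix "TRACE %s/%s "\n' \
            "$table" "$chain" "$SRC" "$DST" "$table" "$chain"
    done
    # Packets that conntrack cannot place in a known connection are INVALID;
    # log them in filter ahead of any existing DROP/REJECT rule.
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s 1 -p tcp -s %s -d %s -m state --state INVALID -j LOG --log-prefix "INVALID %s "\n' \
            "$chain" "$SRC" "$DST" "$chain"
    done
}

# Turn the insert commands into the matching delete commands for cleanup.
untrace_rules() {
    trace_rules | sed -e 's/ -I \([A-Z]*\) 1 / -D \1 /'
}

case "${1:-}" in
    show)  trace_rules ;;
    clean) untrace_rules ;;
esac
```

Run with `show`, review the printed commands, then pipe them to `sh` as root; the last TRACE prefix that appears in the kernel log for a failing connection is the last hook the packet reached, and `clean` prints the matching removals.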