pt in a single minor release. So I've backed out the code
> from the earlier betas and have implemented the more modest change
> requested by Jonathan Underwood. This change allows specification of the
> installation directories (within /usr) of executable scripts and Perl
> modul
On 27/05/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
> The problem is caused by 'out-of-window' packets. So to totally analyze
> the problem, you may have to capture:
>
> a) The SCP stream on the outer interface of the other firewall.
> b) The SCP stream on the outer interface of the Shorewall box.
>
On 26/05/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
> Note that if the ACCEPT rule has no 'limit' then the INVALID packets are
> accepted and the problem magically goes away. But because these packets
> occur regularly, they eventually exhaust any imposed 'limit' and the
> connection then stalls.
J
On 26/05/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
> A couple of things.
>
> a) You are using the RATE LIMIT column of the rules file to limit SSH.
> That is *not* recommended. Rather, we prefer the 'Limit' built-in
> action. The former limits the total number of connections from all
> sources whil
On 26/05/07, Andrew Suffield <[EMAIL PROTECTED]> wrote:
tcpdump -w just saves the traffic to a file. Saving the wireshark
capture does exactly the same thing, it's just easier to install
tcpdump; either way will work fine. Posting the captures so we can
look at it is probably the only thing left
Another thing that may help as a sanity check is that at the point
where an scp is stalling, on the server there are no entries under
/proc/net/ipt_recent
On 26/05/07, Andrew Suffield <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 05:17:09PM -0400, Roberto C. Sánchez wrote:
> > On Fri, May 25, 2007 at 08:24:00PM +0100, Jonathan Underwood wrote:
> > >
> > > oh. Duh. I'm dumb - they're obviously
On 25/05/07, Brian J. Murrell <[EMAIL PROTECTED]> wrote:
> Maybe a silly question, and maybe covered at the start of the thread,
> but does this all work without shorewall installing a ruleset? i.e. if
> you do a "shorewall clear" does everything magically work again?
>
Yes, issuing a shorewall c
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 08:24:00PM +0100, Jonathan Underwood wrote:
> >
> > oh. Duh. I'm dumb - they're obviously the messages corresponding to
> > the ssh session I have open to examine the logs on t
On 25/05/07, Jonathan Underwood <[EMAIL PROTECTED]> wrote:
> On 25/05/07, Simon Hobson <[EMAIL PROTECTED]> wrote:
> > Jonathan Underwood wrote:
> > > SSH/ACCEPT net $FW - - - -3/min:3
> >
> > I would add logging to that statement
On 25/05/07, Simon Hobson <[EMAIL PROTECTED]> wrote:
> Jonathan Underwood wrote:
> > SSH/ACCEPT net $FW - - - -3/min:3
>
> I would add logging to that statement and see what happens.
> eg:
>
> SSH/ACCEPT:info net $FW - - - -
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 06:07:17PM +0100, Jonathan Underwood wrote:
> > On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > > That helps. If it is stalled, that means that scp (ssh, in fac
On 25/05/07, Jonathan Underwood <[EMAIL PROTECTED]> wrote:
> On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > That helps. If it is stalled, that means that scp (ssh, in fact) still
> > thinks that the connection is open. That must mean that shorewall
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 05:25:15PM +0100, Jonathan Underwood wrote:
> >
> > I should also add that, if when the scp is in the stalled state as
> > described above, I log into the server (withnail) and comm
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> That helps. If it is stalled, that means that scp (ssh, in fact) still
> thinks that the connection is open. That must mean that shorewall is in
> fact stopping the packets. Of course, this is strange, since I also
> have ssh rate limi
On 25/05/07, Jonathan Underwood <[EMAIL PROTECTED]> wrote:
> On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > On Fri, May 25, 2007 at 04:39:10PM +0100, Jonathan Underwood wrote:
> > > On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 04:39:10PM +0100, Jonathan Underwood wrote:
> > On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > > On Fri, May 25, 2007 at 02:54:52AM +0100, Jonathan Underwood wro
On 25/05/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> On Fri, May 25, 2007 at 02:54:52AM +0100, Jonathan Underwood wrote:
> >
> > SSH/ACCEPT net $FW - - -
> > - 3/min:3 -
> >
> > Now when I have t
Hi,
I have a very simple server setup, using shorewall as my firewall. I
have a line like this at the top of my rules file to allow ssh
connections, but limited to 3 connections per minute with a burst rate
of 3:
SSH/ACCEPT net $FW - - -
- 3/min:3