Tom Eastep wrote:
> Jonathan Underwood wrote:
>> On 26/05/07, Andrew Suffield <[EMAIL PROTECTED]> wrote:
>>
>>> tcpdump -w just saves the traffic to a file. Saving the wireshark
>>> capture does exactly the same thing, it's just easier to install
>>> tcpdump; either way will work fine. Posting the captures so we can
>>> look at it is probably the only thing left to do at this point, given
>>> how bizarre this problem is.
>>>
>>> Remember - it's important to get a capture of the *same* session from
>>> all the interesting points (at least the server, client, and both
>>> interfaces of the firewall).
>>>
>> OK, I'll need a bit of time to do this...
>>
>>> We'll also need the output of 'shorewall dump' (I don't think you
>>> posted that yet). Follow #3 on http://shorewall.net/support.htm
>>>
>> But this bit I have just done. I restarted shorewall with rate
>> limiting in the ssh rule, on the server, and on my local machine tried
>> to scp a file from the server to local machine, which stalled. While
>> it was stalled (i.e. I didn't ctrl-c out) I did a dump, the result of
>> which is attached.
>>
>> I'll work on getting useful tcpdump/wireshark output from the server.
>
> A couple of things.
>
> a) You are using the RATE LIMIT column of the rules file to limit SSH.
> That is *not* recommended. Rather, we prefer the 'Limit' built-in
> action. The former limits the total number of connections from all
> sources while the latter is per-IP. So your observation that there was
> nothing in /proc/.../ipt_recent is correct; with your ruleset, there
> will *never* be anything there.
>
> b) You are getting a lot of INVALID state packets. You might try adding
> this to your /etc/shorewall/init file:
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>
You can cause Netfilter to display invalid state packets that it drops
with this command
echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
modprobe ipt_LOG
Warning: This will log to all terminal console sessions!
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
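The following shell helpers are an added example for the two points Tom raises (the per-IP 'Limit' action versus the RATE LIMIT column, and the conntrack knobs for INVALID packets); they are not code from the thread or from the Shorewall project. Assumptions are marked in the comments: the conntrack knob directory is taken from a 2007-era kernel (newer kernels expose the same knobs under /proc/sys/net/netfilter with nf_conntrack_* names), the recent-match table lives under /proc/net/ipt_recent (xt_recent on newer kernels), the table name SSHA and the rules-file syntax are illustrative and should be checked against your Shorewall version's documentation, and the sample table contents in the usage section are constructed.

```shell
# Added example, not from the thread. CT_DIR is a parameter so the functions
# can be exercised against a scratch directory; the default is the path Tom
# quotes. Assumption: newer kernels use /proc/sys/net/netfilter/nf_conntrack_*.
CT_DIR="${CT_DIR:-/proc/sys/net/ipv4/netfilter}"

# Print the current value of a conntrack knob, or "missing" if the file is absent.
ct_get() {
    f="$CT_DIR/$1"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# Set a knob only if it differs, and print old -> new so the change is auditable.
ct_set() {
    f="$CT_DIR/$1"; want="$2"
    [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    cur=$(ct_get "$1")
    if [ "$cur" != "$want" ]; then
        echo "$want" > "$f"
        echo "$1: $cur -> $want"
    else
        echo "$1: already $want"
    fi
}

# Tom's point (b): accept out-of-window TCP segments instead of marking them
# INVALID. Suitable for /etc/shorewall/init.
be_liberal() { ct_set ip_conntrack_tcp_be_liberal 1; }

# Log every packet conntrack classifies as INVALID (255 = all reasons) and
# make sure the LOG target module is loaded. As Tom warns, this logs to the
# console; turn it off again once the captures are in hand.
log_invalid_on()  { ct_set ip_conntrack_log_invalid 255 && modprobe ipt_LOG; }
log_invalid_off() { ct_set ip_conntrack_log_invalid 0; }

# Tom's point (a): only the per-IP Limit action populates a recent table.
# Assumption: Shorewall 3.x rules syntax; verify against your version.
#   RATE LIMIT column (all sources counted together):
#     ACCEPT               net   $FW   tcp   22   -   -   3/min:5
#   Limit action (per source IP, tracked in the recent table named SSHA):
#     Limit:info:SSHA,3,60 net   $FW   tcp   22
# List the source addresses currently held in a recent table file, e.g.
# /proc/net/ipt_recent/SSHA (assumed path; xt_recent on newer kernels).
recent_sources() {
    [ -r "$1" ] || { echo "no such recent table: $1" >&2; return 1; }
    sed -n 's/^src=\([0-9.]*\).*/\1/p' "$1"
}
```

Usage: run `be_liberal` from /etc/shorewall/init to apply Tom's suggestion idempotently, `log_invalid_on` only while you are collecting evidence, and `recent_sources /proc/net/ipt_recent/SSHA` after switching to the Limit action to confirm that per-IP tracking is now taking place (with the RATE LIMIT column the table stays empty, exactly as Tom describes). Constructed table lines such as `src=192.0.2.10 ttl: 64 last_seen: 100 oldest_pkt: 1 100` are parsed to the address only.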
Shorewall-users mailing list: [email protected], https://lists.sourceforge.net/lists/listinfo/shorewall-users
