On Sat, May 26, 2007 at 06:43:26AM -0700, Tom Eastep wrote:
> >> We'll also need the output of 'shorewall dump' (I don't think you
> >> posted that yet). Follow #3 on http://shorewall.net/support.htm
> >>
> > 
> > But this bit I have just done. I restarted shorewall with rate
> > limiting in the ssh rule, on the server, and on my local machine tried
> > to scp a file from the server to local machine, which stalled. While
> > it was stalled (i.e. I didn't ctrl-c out) I did a dump, the result of
> > which is attached.
> > 
> > I'll work on getting useful tcpdump/wireshark output from the server.

> b) You are getting a lot of INVALID state packets.

Which leads me to suspect that we're looking at a clusterfuck
here. Hypothesis: something *else* is wrong, and is breaking TCP
connections at intervals. Under normal circumstances, some kind of
error recovery manages to get the connection going again, and the
problem is not so pronounced that you've noticed it before
(particularly given scp's highly inaccurate reporting of the transfer
rate, which tends to hide jitter). However, with the rate limit in
place, it's somehow blocking that from happening. There's no evidence
to back this up, but it's the first thing I've been able to think of
which explains what could be going on.

I do notice this, which is interesting:

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  216 17116 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4   276 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 limit: avg 3/min burst 3

Why *four* new ssh connections? That'll certainly have hit the rate
limit, but where did the other three come from?
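
Added example, not part of the original message: a simplified token-bucket model of the iptables limit match shown in the net2fw dump above (avg 3/min burst 3), showing which packets increment that rule's pkts counter. The arrival times are constructed, and the model assumes every listed packet reaches the rule, i.e. was not matched by the RELATED,ESTABLISHED rule before it.

```python
"""Simplified token-bucket model of the iptables `limit` match.

Assumption: the kernel tracks credit in jiffies; this model uses seconds
and fractional tokens, which gives the same accept/fall-through pattern.
"""


def limit_match(arrivals, per_minute=3, burst=3):
    """Return one bool per arrival time (seconds, ascending).

    True  -> packet matches the limit rule (its pkts counter increments).
    False -> bucket empty, packet falls through to the following rules.
    """
    refill_interval = 60.0 / per_minute  # seconds needed to earn one token
    tokens = float(burst)                # the bucket starts full
    last = None
    verdicts = []
    for t in arrivals:
        if last is not None:
            # Credit accrues on every packet seen, matched or not,
            # and is capped at the burst size.
            tokens = min(float(burst), tokens + (t - last) / refill_interval)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def rule_counter(arrivals, per_minute=3, burst=3):
    """Value the pkts column would show for the limit rule."""
    return sum(limit_match(arrivals, per_minute, burst))


# Constructed arrival times (seconds) of packets reaching the dpt:22 rule.
SAMPLE_ARRIVALS = [0, 1, 2, 3, 10, 22, 25]

if __name__ == "__main__":
    for t, ok in zip(SAMPLE_ARRIVALS, limit_match(SAMPLE_ARRIVALS)):
        print(f"t={t:>3}s  {'ACCEPT (counted)' if ok else 'falls through'}")
    print("pkts counter on limit rule:", rule_counter(SAMPLE_ARRIVALS))
```

The counter on the limit rule only reflects packets that matched it; packets arriving while the bucket is empty are counted by whichever later rule handles them.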
