Andrew Suffield wrote:
> On Sat, May 26, 2007 at 06:43:26AM -0700, Tom Eastep wrote:
>>>> We'll also need the output of 'shorewall dump' (I don't think you
>>>> posted that yet). Follow #3 on http://shorewall.net/support.htm
>>>>
>>> But this bit I have just done. I restarted shorewall with rate
>>> limiting in the ssh rule, on the server, and on my local machine tried
>>> to scp a file from the server to local machine, which stalled. While
>>> it was stalled (i.e. I didn't ctrl-c out) I did a dump, the result of
>>> which is attached.
>>>
>>> I'll work on getting useful tcpdump/wireshark output from the server.
>
>> b) You are getting a lot of INVALID state packets.
>
> Which leads me to suspect that we're looking at a clusterfuck
> here. Hypothesis: something *else* is wrong, and is breaking TCP
> connections at intervals. Under normal circumstances, some kind of
> error recovery manages to get the connection going again, and the
> problem is not so pronounced that you've noticed it before
> (particularly given scp's highly inaccurate reporting of the transfer
> rate, which tends to hide jitter). However, with the rate limit in
> place, it's somehow blocking that from happening. There's no evidence
> to back this up, but it's the first thing I've been able to think of
> which explains what could be going on.
>
> I do notice this, which is interesting:
>
> Chain net2fw (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>   216 17116 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
>     4   276 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:22 limit: avg 3/min burst 3
>
> Why *four* new ssh connections? That'll certainly have hit the rate
> limit, but where did the other three come from?
They are INVALID (both NEW and INVALID go through the rules) and are
silently dropped in Drop.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
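Added example, not part of this thread and not Shorewall's or netfilter's own code: a small token-bucket model of the `limit: avg 3/min burst 3` match from the dump, fed with a constructed packet trace, showing how INVALID packets that reach the rate-limited ssh rule use up the tokens a legitimate NEW SYN needs, and how a hypothetical "drop INVALID before the limited rule" ordering (an assumption, not something the thread configures) keeps the budget for real connection attempts.

```python
# Token-bucket model of the iptables 'limit' match (limit: avg 3/min burst 3
# in the dump above), walked with a constructed packet trace to show why
# INVALID packets reaching that rule can starve a legitimate NEW ssh SYN.
# Added example; the trace and the drop_invalid_first variant are assumptions.


class LimitMatch:
    """Simplified -m limit: a bucket of 'burst' tokens refilled at 'avg' per minute."""

    def __init__(self, avg_per_min, burst):
        self.rate = avg_per_min / 60.0  # tokens per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill for the time elapsed since the last packet, capped at the burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# Constructed trace: (seconds, conntrack state) for packets to tcp dport 22.
# After the transfer stalls, a few out-of-window segments arrive as INVALID,
# then the client retries with a fresh SYN (NEW).
TRACE = [(0, "NEW"), (1, "ESTABLISHED"), (5, "INVALID"), (6, "INVALID"),
         (7, "INVALID"), (8, "NEW")]


def walk_net2fw(trace, drop_invalid_first):
    """Walk packets through a net2fw-like chain; returns per-verdict counters."""
    limit = LimitMatch(avg_per_min=3, burst=3)
    counts = {"established": 0, "invalid_dropped": 0, "ssh_accept": 0,
              "ssh_over_limit_invalid": 0, "ssh_over_limit_new": 0}
    for now, state in trace:
        if state in ("ESTABLISHED", "RELATED"):
            counts["established"] += 1      # first rule in the dump
        elif drop_invalid_first and state == "INVALID":
            counts["invalid_dropped"] += 1  # hypothetical INVALID drop ahead of the limit
        elif limit.allow(now):
            counts["ssh_accept"] += 1       # tcp dpt:22 limit: avg 3/min burst 3
        else:                               # over the limit: falls through to Drop
            counts["ssh_over_limit_" + state.lower()] += 1
    return counts


if __name__ == "__main__":
    for variant in (False, True):
        print("drop INVALID first:", variant, walk_net2fw(TRACE, variant))
```

Without the INVALID drop in front, the three INVALID segments consume the burst and the retried SYN at t=8 is the packet that goes over the limit; with it, the SYN is accepted.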
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
