Tom Eastep wrote:
> Andrew Suffield wrote:
>>
>> I do notice this, which is interesting:
>>
>> Chain net2fw (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   216 17116 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>     4   276 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 limit: avg 3/min burst 3
>>
>> Why *four* new ssh connections? That'll certainly have hit the rate
>> limit, but where did the other three come from?
>
> They are INVALID (both NEW and INVALID go through the rules) and are
> silently dropped in Drop.
Note that if the ACCEPT rule has no 'limit' then the INVALID packets are
accepted and the problem magically goes away. But because these packets
occur regularly, they eventually exhaust any imposed 'limit' and the
connection then stalls.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
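The mechanism Tom describes, worked through as a small simulation. This is an added example, not Shorewall's or netfilter's code: the chain mirrors the quoted net2fw dump (ACCEPT RELATED,ESTABLISHED, then ACCEPT tcp/22 with limit avg 3/min burst 3, everything else dropped), the packet trace is constructed, and the token bucket is a simplified model of xt_limit (one token per matching packet, refilled at 'avg' per minute, capped at 'burst'). It runs the same trace twice: once with the limited rule exactly as quoted, where INVALID packets match it and spend its tokens, and once with the limited rule restricted to --state NEW, which is an assumed variant for comparison, not something the thread proposes.

```python
# Added example: how iptables 'limit' interacts with packets that
# conntrack flags INVALID. Illustrative code, not Shorewall's or the
# kernel's; chain, trace and bucket model are all constructed here.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    t: float      # seconds since start of the trace
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    state: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


class TokenBucket:
    """Simplified xt_limit: 'avg' packets per minute, up to 'burst' banked."""

    def __init__(self, avg_per_min: float, burst: int) -> None:
        self.rate = avg_per_min / 60.0   # tokens per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, t: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str
    match: Callable[[Packet], bool]
    limit: Optional[TokenBucket] = None

    def applies(self, pkt: Packet) -> bool:
        # As in iptables, the limit match is only evaluated (and a token only
        # spent) once every earlier match on the rule has succeeded.
        if not self.match(pkt):
            return False
        if self.limit is not None and not self.limit.allow(pkt.t):
            return False  # bucket empty: the rule does not match, fall through
        return True


def run_chain(rules: List[Rule], packets: List[Packet], policy: str = "DROP") -> List[str]:
    """First matching rule wins; whatever falls off the end gets the policy
    (Shorewall's Drop action is modelled here as a plain DROP)."""
    verdicts = []
    for pkt in packets:
        verdict = policy
        for rule in rules:
            if rule.applies(pkt):
                verdict = rule.target
                break
        verdicts.append(verdict)
    return verdicts


def net2fw_chain(new_only: bool) -> List[Rule]:
    """The chain from the quoted dump. With new_only=False the limited ACCEPT
    matches any tcp/22 packet not caught by the RELATED,ESTABLISHED rule,
    INVALID ones included; with new_only=True it is restricted to NEW."""
    def ssh(p: Packet) -> bool:
        return p.proto == "tcp" and p.dport == 22 and (p.state == "NEW" or not new_only)
    return [
        Rule("ACCEPT", lambda p: p.state in ("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", ssh, TokenBucket(avg_per_min=3, burst=3)),
    ]


# Constructed trace: one ssh login, normal traffic on it, three packets that
# conntrack rejects as INVALID, then a second administrator's login attempt.
TRACE = [
    Packet(0.0, "tcp", 22, "NEW"),
    Packet(1.0, "tcp", 22, "ESTABLISHED"),
    Packet(2.0, "tcp", 22, "INVALID"),
    Packet(3.0, "tcp", 22, "INVALID"),
    Packet(4.0, "tcp", 22, "INVALID"),
    Packet(5.0, "tcp", 22, "NEW"),
]


def simulate(new_only: bool) -> List[str]:
    return run_chain(net2fw_chain(new_only), TRACE)


if __name__ == "__main__":
    for new_only in (False, True):
        print("limited rule restricted to --state NEW:", new_only)
        for pkt, verdict in zip(TRACE, simulate(new_only)):
            print(f"  t={pkt.t:4.1f} {pkt.state:<11} -> {verdict}")
```

With the rule as quoted, the three INVALID packets each take a token, the bucket is empty by the time the second login arrives, and that legitimate NEW connection is dropped: the rate limit meant for logins is being spent by junk. Restricting the limited rule to NEW keeps the login budget intact, but it does nothing for the INVALID packets themselves, which are now dropped unconditionally rather than once the bucket runs dry; since Tom's observation is that the session stalls precisely when those packets stop being accepted, that variant only changes who pays for them. The thread's own remedy is to leave the limit off. A separate knob worth knowing about (not mentioned in the thread) is the kernel sysctl net.netfilter.nf_conntrack_tcp_be_liberal, which stops conntrack marking out-of-window TCP segments INVALID in the first place; whether it applies depends on why the packets are being flagged.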
