Tom Eastep wrote:
> Tom Eastep wrote:
>> Andrew Suffield wrote:
>>> I do notice this, which is interesting:
>>>
>>> Chain net2fw (1 references)
>>> pkts bytes target prot opt in out source destination
>>> 216 17116 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 4 276 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 limit: avg 3/min burst 3
>>>
>>> Why *four* new ssh connections? That'll certainly have hit the rate
>>> limit, but where did the other three come from?
>> They are INVALID (both NEW and INVALID go through the rules) and are
>> silently dropped in Drop.
>
> Note that if the ACCEPT rule has no 'limit' then the INVALID packets are
> accepted and the problem magically goes away. But because these packets
> occur regularly, they eventually exhaust any imposed 'limit' and the
> connection then stalls.
Until Jonathan finds and corrects the root cause, a workaround would be
to precede his Limit/(ACCEPT...limit) rule with:
allowInvalid net fw tcp 22
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
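As an added illustration (not code from the thread, from Shorewall or from iptables), the following is a small token-bucket model of the iptables `limit` match (avg 3/min, burst 3) walked over a constructed packet trace, showing how INVALID packets reaching the limited ACCEPT rule spend its tokens and starve real SSH SYNs, and how placing the allowInvalid rule ahead of it restores them. The 10-second INVALID cadence and the 60-second SSH cadence are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LimitMatch:
    """Approximation of `-m limit --limit 3/min --limit-burst 3` (not the kernel's exact credit math)."""
    avg_per_min: float = 3.0
    burst: int = 3
    tokens: float = 3.0   # bucket starts full, i.e. at burst
    last: float = 0.0

    def matches(self, now: float) -> bool:
        # Refill at avg_per_min tokens per 60 s, capped at burst, then spend one if available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.avg_per_min / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

@dataclass
class Rule:
    target: str
    states: Optional[frozenset] = None    # None = any conntrack state (NEW or INVALID here)
    limit: Optional[LimitMatch] = None

def run_chain(chain, packets):
    """Walk every packet through the chain; unmatched packets end in Drop. Returns {state: {verdict: n}}."""
    counts = {}
    for now, state in sorted(packets):
        verdict = "DROP"
        for rule in chain:
            if rule.states is not None and state not in rule.states:
                continue
            if rule.limit is not None and not rule.limit.matches(now):
                continue   # limit exhausted: the rule does not match, keep walking the chain
            verdict = rule.target
            break
        bucket = counts.setdefault(state, {})
        bucket[verdict] = bucket.get(verdict, 0) + 1
    return counts

# Constructed trace: a stray INVALID packet every 10 s and a genuine SSH SYN (NEW) every 60 s.
TRACE = [(t, "INVALID") for t in range(0, 301, 10)] + [(t, "NEW") for t in (5, 65, 125, 185, 245)]

def limited_only():
    """The chain from the thread: ACCEPT tcp 22 with a limit and nothing in front of it."""
    return run_chain([Rule("ACCEPT", limit=LimitMatch())], TRACE)

def with_allow_invalid():
    """Tom's workaround: allowInvalid net fw tcp 22 placed before the limited ACCEPT rule."""
    return run_chain([Rule("ACCEPT", states=frozenset({"INVALID"})), Rule("ACCEPT", limit=LimitMatch())], TRACE)
```

In the first chain only one of the five SSH SYNs gets through because the INVALID packets keep the bucket empty; in the second all five are accepted because INVALID packets never reach the limit match.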
