Jonathan Underwood wrote:

> 
> So if I understand you (Tom) correctly, this is an issue with the
> network the server is on, or the firewall it is behind that is causing
> problems with certain server firewall configurations? [Just in case
> that's a confusing sentence, here we have been debugging a shorewall
> generated firewall, but the machine that firewall is on is behind a
> LAN firewall allowing ssh connections through to the server in
> question]
> 
> I realize at this point it is probably clear that this is no bug with
> shorewall, but I wonder if you might have any suggestion about how I
> would go about finding what is causing all of those INVALID packets.

The problem is caused by 'out-of-window' packets. So to totally analyze
the problem, you may have to capture:

a) The SCP stream on the outer interface of the other firewall.
b) The SCP stream on the outer interface of the Shorewall box.
c) Invalid connection state packets (I sent instructions earlier).

Once you find out which packets are being dropped (c), then you can
compare those packets in (a) and (b) to see if the other firewall is
mangling them. If not, then you need to send (b) and (c) to the
netfilter developers for analysis.

tcp_be_liberal (which you are setting) turns off Netfilter
window-tracking except for RST packets so you will need to turn off
tcp_be_liberal while tracking this down.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
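
The comparison step described in the message above, as an added example that is not part of the original message or of Shorewall: for each dropped packet from (c), it finds the same packet in captures (a) and (b) and lists the TCP fields that differ. It assumes the packets have already been exported from the captures as raw IPv4 bytes and that the other firewall preserves the IP ID field and source port; the function names and sample packets are constructed for illustration.

```python
import struct

FIELDS = ("seq", "ack", "flags", "window", "payload_len")

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Extract the fields TCP window tracking looks at from a raw IPv4+TCP packet."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    sport, _dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {"ip_id": ip_id, "sport": sport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "payload_len": total_len - ihl - (off_flags >> 12) * 4}

def index(packets):
    # Assumption: IP ID plus source port identifies a packet in both captures.
    return {(p["ip_id"], p["sport"]): p for p in map(parse_ipv4_tcp, packets)}

def compare_captures(capture_a, capture_b, dropped):
    """For each dropped packet (c), report fields that differ between (a) and (b)."""
    a, b = index(capture_a), index(capture_b)
    report = {}
    for key in index(dropped):
        if key not in a or key not in b:
            report[key] = "missing from " + ("(a)" if key not in a else "(b)")
            continue
        report[key] = {f: (a[key][f], b[key][f]) for f in FIELDS if a[key][f] != b[key][f]}
    return report

def build(ip_id, sport, seq, ack, window, flags=0x10, payload=b""):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, 22, seq, ack, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp + payload

# Constructed data: packet 2 has its ACK number changed between (a) and (b).
CAPTURE_A = [build(1, 40000, 1000, 5000, 65535), build(2, 40000, 1000, 6448, 65535)]
CAPTURE_B = [build(1, 40000, 1000, 5000, 65535), build(2, 40000, 1000, 9448, 65535)]
DROPPED = [CAPTURE_B[1]]

if __name__ == "__main__":
    for key, diff in compare_captures(CAPTURE_A, CAPTURE_B, DROPPED).items():
        print(key, diff or "identical in (a) and (b)")
```

An empty difference for a dropped packet means the other firewall passed it unchanged, which is the case where (b) and (c) go to the netfilter developers.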
