Alexander Wilms wrote:
> Hi Martin,
>
> this reminds me of an FTP conntrack problem I had with Xen a while ago.
> It's related to the common Xen checksum offload problem.
> First FTP port packet has incorrect checksum and is dropped. Then the resent
> packet is ignored by the ftp_conntrack module and doesn't get masq'ed. Et
> voilà, you have your internal address in the port command.
>
> Diagnosis: run tcpdump -vv (or even better wireshark) on the involved
> interfaces and you'll see a lot of invalid checksums
>
> Solution: disable tx-checksumming on ALL interfaces (ethtool -K <device> tx
> off).

Hi Alexander,

Voila! That did it. Now it works. I ran

# ethtool -K <device> tx off

... on both of the firewall's network interfaces as well as on the FTP server network interface.

Big thanks to you, Andrew and Tom for your time and input. Tom, I think this is something for the documentation.

/Martin Leben

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
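
The diagnosis described in this thread can be automated over saved `tcpdump -vv -n` text. The following is an added example, not part of the original messages: it counts packets with an incorrect TCP checksum per source and flags FTP PORT commands that still carry an RFC 1918 address although the packet's source has already been translated. The function names, the sample addresses and the capture text are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -vv -n` output; not a real capture.
SAMPLE = """\
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 78)
    192.168.1.10.40000 > 203.0.113.5.21: Flags [P.], cksum 0x1a2b (incorrect -> 0x3c4d), seq 1:27, ack 1, win 229, length 26: FTP, length: 26
        PORT 192,168,1,10,156,64
IP (tos 0x0, ttl 63, id 2, offset 0, flags [DF], proto TCP (6), length 78)
    198.51.100.2.40000 > 203.0.113.5.21: Flags [P.], cksum 0x3c4d (correct), seq 1:27, ack 1, win 229, length 26: FTP, length: 26
        PORT 192,168,1,10,156,64
IP (tos 0x0, ttl 63, id 3, offset 0, flags [DF], proto TCP (6), length 78)
    198.51.100.2.40001 > 203.0.113.5.21: Flags [P.], cksum 0x5e6f (correct), seq 1:27, ack 1, win 229, length 26: FTP, length: 26
        PORT 198,51,100,2,156,65
"""

# Explicit RFC 1918 list: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HDR = re.compile(r"^\s+(\S+)\.\d+ > (\S+)\.\d+: .*?cksum 0x[0-9a-f]+ \((correct|incorrect)")
PORT = re.compile(r"^\s*PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def in_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def analyze(text):
    """Return (bad checksum count per source, list of un-rewritten PORT commands)."""
    bad, leaks, src = Counter(), [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            src = m.group(1)                      # source of the packet being decoded
            if m.group(3) == "incorrect":
                bad[src] += 1
            continue
        m = PORT.match(line)
        if not (m and src):
            continue
        try:
            advertised = ipaddress.ip_address(".".join(m.group(1, 2, 3, 4)))
            source = ipaddress.ip_address(src)
        except ValueError:                        # malformed octets or non-IP source
            continue
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Leak: source already masqueraded, payload still names an internal host.
        if in_rfc1918(advertised) and not in_rfc1918(source):
            leaks.append((src, str(advertised), port))
    return bad, leaks

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A non-empty leak list together with incorrect checksums from the internal client matches the symptom described above; after `ethtool -K <device> tx off` both should be empty.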
