Tom,

They are great, I followed your instructions and additionally the blacklisting of the nf_conntrack_snmp module solved the problem. I used "fake install" to blacklist the module.

Thanks and have a nice weekend.

Regards
Walter Hofstädtler

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Wednesday, 29 July 2020 00:54
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] nf_ct_snmp: dropping packet: parser failed

On 7/28/20 12:07 PM, Walter Hofstädtler wrote:
> Matt,
>
>>> Did you change the back end before restarting SW?
> How to change the backend? Please elaborate.
>
>>> What is the value of 'RESTART=' in shorewall.conf?
> RESTART=restart
>
> Minutes ago I did this test:
>
> 1. Switched to iptables-legacy:
> $ update-alternatives --config iptables
> 1 enter
>
> 2. rebooted the server
>
> Unfortunately this did not solve the issue, all snmp packets dropped.
>

I don't believe that this is a Shorewall issue at all. Shorewall simply loads nf_nat_snmp_basic (which in turn loads nf_conntrack_snmp). This may be overridden by:

a) Listing nf_nat_snmp_basic in the DONT_LOAD setting in shorewall.conf.
b) Listing the helpers that you do want loaded in the HELPERS setting.
c) Setting AUTOHELPERS to no.

You may also need to blacklist nf_conntrack_snmp (See https://wiki.debian.org/KernelModuleBlacklisting).

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \ with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
                      \________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
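
Added example, not part of the original thread and not Shorewall code: a `blacklist` line in modprobe configuration only suppresses alias-based autoloading, so a module pulled in as a dependency still loads, while a "fake install" entry (`install <module> /bin/false`) applies to every modprobe load attempt. The check below classifies which of the two is in effect for a module; the function name `module_block_state` and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# module_block_state MODULE  (hypothetical helper name)
# Reads modprobe configuration text on stdin and prints one of:
#   blocked         "install MODULE /bin/false" (or /bin/true) overrides every load
#   blacklist-only  alias autoloading suppressed; dependency/explicit loads still work
#   loadable        no restriction found for MODULE
module_block_state() {
    awk -v mod="$1" '
        # modprobe treats "-" and "_" in module names as equivalent
        function norm(s) { gsub(/-/, "_", s); return s }
        BEGIN { want = norm(mod); state = "loadable" }
        { sub(/#.*/, "") }    # drop comments before looking at fields
        $1 == "install" && norm($2) == want &&
            ($3 == "/bin/false" || $3 == "/bin/true") { state = "blocked" }
        $1 == "blacklist" && norm($2) == want &&
            state != "blocked" { state = "blacklist-only" }
        END { print state }
    '
}

# Constructed sample in modprobe.d syntax (not taken from any real host).
SAMPLE_CONF='# /etc/modprobe.d/snmp-helper.conf (constructed)
blacklist nf_conntrack_snmp
install nf-conntrack-snmp /bin/false
blacklist pcspkr
'

for m in nf_conntrack_snmp pcspkr nf_nat_snmp_basic; do
    printf '%-20s %s\n' "$m" "$(printf '%s' "$SAMPLE_CONF" | module_block_state "$m")"
done

# On a live system the same check can read the merged configuration:
#   modprobe --showconfig | module_block_state nf_conntrack_snmp
```

A result of `blacklist-only` for nf_conntrack_snmp means the helper can still be loaded as a dependency of nf_nat_snmp_basic.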