Comments:
<0> I'm getting a lot of iptables matches on 'INVALID' state for TCP packets with the ACK and FIN bits set, anyone know why this would be matching?
<1> hi
<1> I got an entry in my firewall log
<1> the src address is 0.0.0.0
<1> the dest is 255.255.255.255
<1> can someone tell me where this connection came form
<1> from
<2> DHCP
<2> it's also UDP 67 -> 68
<1> so can I safely either drop it or not let it show up in the log
<1> I am using static ip
<2> I do no routine logging at all. I only log for specific temporary purposes. Logging your drop/rejects can DoS you.
<1> thanks. BTW DoS = ?
<2> denial of service
<3> an ancient operating system of M$. See: http://en.wikipedia.org/wiki/Denial-of-service_attack
<2> :)
<3> I've been too slow :)
<1> and is there an easy way to drop DHCP packets, or do I need to type in 0.0.0.0 and 255.255.255.255 in the src and dst address fields in my rule?
<4> it looks like connection tracking for IPv6 through a tunnel interface is still broken. Can anyone tell me what the problem is? Where should I report this bug?
<5> danieldg: bugzilla.netfilter.org ?
<6> ryan`: could be if there is no socket for that packet with the FIN and ACK flag set
<4> anyone know if "kernel: ***ERT: CPU #0, filter comefrom(f8a61090) = 2" has anything to do with iptables? It appeared in my syslog when I ran ip6tables-restore
<7> gug
<8> gug
<9> gug
<8> hi hidden
<10> hi laforge
<10> laforge: is there a known problem with using iptables with a mips 2.6.x kernel that you are aware of?
<11> gug
<9> gugr Octavian
<8> jeez, it seems like TI actually modified ipt_REJECT to send HTTP back!
<9> LaF0rge: cool, what a nice feature :)
<8> hidden: bang!
<12> as long as it looks good in IE I don't see the problem ;-)
<13> LaF0rge: hehe
<13> LaF0rge: it implements the three way handshake and then sends an http reply back?
<9> LaF0rge: ouch! :)
<8> gandalf: I think it does, yes. I don't have the sources yet
<13> LaF0rge: heh
<8> <html><head><meta http-equiv="content-type" content="text/html;charset=ISO-8859-1"><title>Web Site Blocked</title><style type="text/css">A{text-decoration:none}</style><body bgcolor=black text=white><br><br><br><table border=0 width=100%><tr height=25><td bgcolor=red></td></tr><tr><td><br><center><H2>Web Site Blocked</H2><br></td></tr><tr height=25><td bgcolor=red></td></tr></table></head></html>
<8> Server: ADSL Router
<8> you can even configure whether it should respect tcp csums ?
<8> they also invented ipt_PNAT
<8> which seems to do nat based on some config that you write into /proc
<13> heh
<13> weird people
<8> mh: Linux version 2.6.9-relook400 (tarvalds@www.kernel.arg)
<14> ahhh! which version of libnetfilter_conntrack is compatible with 2.6.16-rc3?
<14> is there any other way to flush the conntrack table?
<8> cirrus: I would use latest svn
<13> LaF0rge: they changed the spelling of torvalds? or did you type it in manually? :)
<8> no, they changed it
<8> also note the '.arg'
<15> heh, why did they do it?
<8> who knows
<14> ah no! I noted the wrong oops offset. I found a reproducible netfilter crash in 2.6.16-rc3
<14> unfortunately it's our company's firewall, and I won't reboot it _yet_ another time today :(
<13> cirrus: how do you provoke the crash? using libnetfilter_conntrack ?
<14> it crashes while booting.
<13> isch
<14> doing nothing except setting up firewall
<14> it gets a lot of traffic, since it's our router
<14> I reverted to 2.6.15 now, to keep the net alive
<14> but if you're interested: it happened in some function called by xfrm4_output(), i.e. netfilter postrouting
<14> hm ... wait... could be xfrm4_output_finish
<13> cirrus: you should probably blame kaber if it's xfrm and netfilter related :)
<13> cirrus: maybe it's just xfrm related...
<14> my first thought was that it was netfilter because this function calls netfilter code
<14> but the "last" caller was one instruction after call 0xc030e5eb <xfrm4_output_finish>
<13> I saw that patrick just sent an xfrm and netfilter patch to netdev and davem applied it, but I'm not sure if that's in 2.6.16-rc3
<8> kaber mentioned some important netfilter/ipsec fix a couple of days ago on the phone, that might have been for this problem
<14> these ipsec+netfilter fixes were the reason I decided to put rc3 on my firewall
<14> reading patches ..
<9> it's not present in -rc3
<9> I mean you should maybe try applying Patrick's patch on top of -rc3, as it has not been merged to Linus' tree yet
<14> hm? I thought that was all there is in -rc3
<9> cirrus: I mean this one: http://marc.theaimsgroup.com/?l=linux-netdev&m=113985186130954&w=2
<14> Hidden: I've seen so many patches in the past year which aimed to fix ipsec+nat ...
<14> I'm even more confused about libnf_conntrack, the most current release works with neither 2.6.15 nor 2.6.16-rc3 :(
<9> cirrus: yes, it's a kinda' neverending story
<14> all these patches just changed some behaviour and forced me to change my configuration
<14> but none of them worked
<14> ahhhhh! libnetfilter-conntrack from svn trunk won't configure without g++
<14> nothing netfilter related seems to work today
<8> cirrus: ouch
<8> i don't really understand why
<8> cirrus: what's the error message?
<8> cirrus: and please file it to bugzilla.netfilter.org
<14> configure: error: C++ preprocessor "/lib/cpp" fails sanity check
<14> grrr and this conntrack entry won't disappear because the remote host won't stop sending me udp packets
<14> i.e. the new DNAT rule will never apply
<14> until reboot.
<9> cirrus: if you have NOTRACK then you can try adding a NOTRACK rule so that the UDP conntrack entry will die
<14> my new 2.6.16-rc3 kernel had this compiled in, but I had to revert to the old .15 kernel due to crashes
<14> is there really no way to flush the conntrack table, except with the "conntrack" tool which won't work?
<9> maybe ifdown ethX; sleep 180; ifup ethX
<9> but I think this is not an option for you :)
<14> yeah. libnetfilter_conntrack.c:1238: error: `CTA_EXPECT_QUEUENR' undeclared (first use in this function)
<14> no, this is not an option - 60 people will be very unhappy
<14> they are already quite unhappy since netfilter bugged me so much today
<14> I fail to find a definition for CTA_EXPECT_QUEUENR in any of my sources.
<14> wohoo! echo 2 > ./net/ipv4/netfilter/ip_conntrack_udp_timeout
<14> now this is dirty
<8> cirrus: CTA_EXPECT_QUEUENR is defined in include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
<8> builds like a charm here
<8> ah. now I see. you run autogen.sh
<8> ;)
<8> do a 'svn revert include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h' after autogen.sh
<14> I'll wait for a "working" release of all that. I wanted this tool today only for deleting this one conntrack entry, which I've achieved by this workaround...
<8> well, it was supposed to be working all the time
<8> unless you report bugs, it will never get better