Comments:
<0> 2.6.16 out ey ...
<0> i haven't tried ... last snapshot i used was iptables v1.3.4-20060121
<0> with Linux version 2.6.15.1
<0> michal`: yes ...
<0> very possible especially if kernel config is very different from the stock installed on your system, would have been linked against an older iptables version
<0> although ... in most cases it does work (for me) although hidden: is on the right track, 2.6.16 is still in testing ...
<1> Hi, is there a way to clean up full conntrack table, something like: If connection_table > 1000000 entries, then clean; ?
<2> bryndza: use the new conntrack tool
<1> Regit can you be more concrete ?
<2> conntrack -F ;-)
<1> this ? http://www.netfilter.org/projects/conntrack/index.html
<1> it only works with 2.6.14 > kernels, but we were unable to set up our router with 2.6.14 or 2.6.15 kernel or anything higher
<1> Hmm.. when i am here, i ask another question
<1> Recently I had a problem with kernel 2.6.15 with VLAN and iptables with IMQ and HTB shaper on 1gbit NIC
<1> without the IMQ and shaper was everything ok
<1> when starting IMQ device on first TC rule, the kernel panicked
<1> is this a netfilter or kernel issue ?
<3> rob0: next time please check before you say anything
<3> hard__ware: i have told that iptables was compiled against current kernel
<3> and there is nothing like a stock kernel config
<3> thank you for being so helpful
<4> .ignore michal`
<3> so, anybody with a bit of netfilter internals knowledge here ?
<3> iptables -L -> ERROR: 0 not a valid target Aborted
<3> i _have_ this alignment patch
<3> x86 32 bit
<3> and once again 'cause it looks like reading can be hard sometimes
<3> iptables 1.3.4--20060126 compiled against 2.6.16-rc1-git4
<5> michal`: the alignment patch davem included in the kernel is broken, you have to revert it and apply the one Harald sent to the netfilter-devel list
<5> michal`: or just revert the davem patch if you are using an x86 machine
<5> on at least x86 it should work fine without the patch
<3> Gandalf_: i had kernel with that broken patch, applied harald's one and it's working (found yesterday on lkml)
<3> Gandalf_: i'd like to look at pkttables out of curiosity, where do i find libiptables ?
<0> michal`: it's available from the netfilter ftp site ...
<3> cannot find it somehow
<0> really ??? brb
<3> yep. if you could gimme link... ;)
<0> sorry i was mistaken for libnetfilter*
<0> pkttables and everything else is there ... is it a dependency of pkttables ?
<3> pkttables would like me to give it libnfnetlink (which i have found) and libiptables (i do not know where to look for it)
<0> michal`: tried CVS yet ?
<0> well what has been now SVN for probably quite some time .. lol
<0> hmm ok i can't see it on there ... maybe it has been Frozen ?
<3> hard__ware: yep it is not in the svn
<6> sam_mdv: send me a message
<7> hello all
<7> have a little problem with nat and ftp pasv :/
<7> friend of me has an iptables nat with behind it an ftpserver
<7> incoming -> 2121 -> nat + port redirect -> ftpserver port 21
<7> tried to load ip_conntrack_ftp ports=2121 and ip_nat_ftp ports=2121
<7> and added prerouting DNAT port 2121 to ftpserver internal address port 21
<7> but still unable to make a connection, not sure what i've missed ...
<5> Gh0sty: are you able to log in but not list the directories?
<7> yes
<5> Gh0sty: are you allowing state RELATED packets in the FORWARD chain?
<7> oh crap
<8> :>
<5> :)
<9> gug
<7> hm
<7> still doesn't fix it :/
<7> but that was a good point ...
<5> it should work, always has for me
<5> hi Hidden
<9> hi Gandalf_
<5> Hidden: still cold in .hu ?
<9> Gandalf_: no, it's gradually getting warmer and warmer
<9> Gandalf_: -5 during the night and +2 tomorrow
<9> Gandalf_: way better than last week's -18, -10 combination :)
<9> uh, I've missed Jamal...
<5> missed jamal? was he in .hu?
<9> no, but forgot to reply to his mail before he sent the patches to netdev :)
<5> heh
<9> Jamal and me had some brainstorming over ipsec state synchronization a couple of months ago
<9> and finally he had time to do some tests and patches
<9> I would have had some comments on those patches, but failed to reply in time to Jamal
<5> :(
<7> OMFG
<7> this beats it all
<7> searching for half an hour what could be wrong with my iptables rules ...
<7> then my friend says he has windows firewall enabled
<9> :)
<7> i'm gonna beat the crap outta him ...
<5> heh
<7> now it works once he has turned it off :p
<7> hmmm ...
<7> probably in windows vista they'll just implement it themselves
<7> just like everything else they publish as "new"
<7> stuff like mapping drives (symbolic links anyone?) tabbed browsing (firefox anyone?)
<4> Gh0sty: yeah, one of the first things I do when troubleshooting Windows connectivity is to have them turn off the firewall, it works most of the time. :)
<7> yeah, i totally forgot
<7> else i would've suggested that too
<4> The first tabbed browser I saw was Opera. But, that doesn't invalidate your point.
<5> rob0: especially if it's the firewall in the norton internet security crap
<4> ugh
<5> I've never seen a decent firewall in windows
<4> Well, some default iptables rulesets are no better. "service iptables stop" answers about 71.8% of the questions on comp.os.linux.networking :)
<5> and none of them can produce logs that have any value
<5> if anyone builds default rulesets that blocks outgoing connections they should be shot, because that's what the crappy windows firewalls ends up doing
<5> blocking everything not established or related on input as default should be ok for a desktop machine
<4> I have a rule of thumb for people asking here and on the netfilter mailing list: if you don't know how to implement an OUTPUT DROP policy (i.e., you are asking how), you shouldn't do it. :)
<5> :)
<5> most of the problems I get from windows users is that their firewall is blocking outgoing port 53, 80, 110 packets for some reason, or that the firewall makes all connections really slow
<7> dno, the windows firewall supplied with SP2 doesn't have that behavior of slowing down
<7> the rest does that indeed
<7> you don't mention it that much on a slow pc
<7> uh on a fast pc
<7> but on a slow pc you notice it a lot ...
<5> believe me, sometimes those firewalls break down horribly even on fast machines
<7> hm, screwing up sentences ...
<7> you don't notice it that much on fast pc i meant *
<7> that's why i have iptables on my ftpserver with gigabit :)
<5> iptables is slow as well :)
<7> get a 45MB/s out of it :)
<5> conntrack is also slow
<7> slow?
<5> compared to not having any firewall :)
<7> dunno, never noticed any real slow downs ...
<4> My first encounter with needing a Windows was about a month ago, in a motel w/wifi, /dev/wife's laptop got hit with some winpopup spam. :)
<4> We both are usually behind iptables at home. I had her download a firewall and I whipped up some rules for my laptop.
<7> well same here ...
<7> never really have any problems at home ...