Hello,

I have been using shorewall for a long time now. I find it a great piece of software and I am looking forward to the IPv6 version that Tom is planning to start working on. I do however have a problem now that I do not seem to be able to solve.

On my firewall system I have a Fedora Core 2 installation with Shorewall (2.0.13) running fine with kernel 2.6.6-1.435.2.3. When I however use a new kernel like the latest 2.6.10-1.9_FC2, I do not seem to have any TCP connectivity. Ping and DNS seem to work correctly, but no TCP traffic seems to fail silently. TCPdump shows packets leaving the firewall, but I never see any response.

The box is connected by ADSL through a pptp tunnel. I have however noticed something similar on another box, over a vtun tunnel. In that case I have also been able some time ago to do some tracing with some funny results: I recall seeing some checksum errors, but the results were not consistent on different remote systems.

I have seen that I can make connections after a shorewall clear on both machines.

I am at a loss how to continue....

The info requested on the support page is included in an attachment (info). I also included a tar file with the config files I use (config.tar.gz). I assume it is just some silly mistake I made, but I just cannot spot it.

Your help is very much appreciated.

Kind regards,
Louis
--
Louis Lagendijk <louis@lagendijk.xs4all.nl>
Louis Lagendijk wrote:
> I have seen that I can make connections after a shorewall clear on both
> machines.
>
> I am at a loss how to continue....

Me too.

Please carefully compare the output of "ip addr ls" on a working kernel and on one that doesn't work. See any differences?

Please verify that if you simply boot with an earlier kernel then everything works without making any configuration changes.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Louis Lagendijk wrote:
>
>> I have seen that I can make connections after a shorewall clear on both
>> machines.
>>
>> I am at a loss how to continue....
>
> Me too.
>
> Please carefully compare the output of "ip addr ls" on a working kernel
> and on one that doesn't work. See any differences?
>
> Please verify that if you simply boot with an earlier kernel then
> everything works without making any configuration changes.

As a wild guess, you might try commenting out the entry in /etc/shorewall/ecn.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> As a wild guess, you might try commenting out the entry in
> /etc/shorewall/ecn.

I've just confirmed that the ECN target with --tcp-ecn-remove seems to be broken in recent 2.6 kernels. As Louis suggested, the kernel is not correctly re-calculating the checksum.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> As a wild guess, you might try commenting out the entry in
>> /etc/shorewall/ecn.
>
> I've just confirmed that the ECN target with --tcp-ecn-remove seems to
> be broken in recent 2.6 kernels. As Louis suggested, the kernel is not
> correctly re-calculating the checksum.

Ref: http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017931.html

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
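The checksum failure Tom confirms above, as an added illustration that is not part of this thread and not code from Shorewall or netfilter: a small Python model of what an ECN-stripping rule has to do to a TCP SYN. It clears the CWR and ECE flags from a constructed packet once without recomputing the TCP checksum (the failure mode reported for the kernel in question, which leaves the receiving host discarding the segment with no reply, exactly the "packets leave, nothing comes back" symptom) and once with the checksum recomputed, and verifies each result the way a receiver would. The packet bytes, the documentation-range addresses and all helper names are constructed for this example.

```python
import struct

# Constructed sample: an ECN-capable TCP SYN from 192.0.2.1:40000 to
# 198.51.100.2:80 (documentation address ranges, chosen for this example).
SRC_IP = "192.0.2.1"
DST_IP = "198.51.100.2"

# TCP flag bits in byte 13 of the TCP header.
CWR = 0x80
ECE = 0x40
SYN = 0x02


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ihl(packet: bytes) -> int:
    """IPv4 header length in bytes (low nibble of the first byte, in 32-bit words)."""
    return (packet[0] & 0x0F) * 4


def tcp_checksum(packet: bytes) -> int:
    """TCP checksum of the segment carried by an IPv4 packet.

    Covers the pseudo-header (src, dst, zero, protocol 6, TCP length) plus the
    segment with its own checksum field zeroed, as the receiver computes it.
    """
    ihl = _ihl(packet)
    segment = bytearray(packet[ihl:])
    segment[16:18] = b"\x00\x00"
    pseudo = bytes(packet[12:20]) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + bytes(segment))


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the stored TCP checksum matches the bytes actually on the wire."""
    ihl = _ihl(packet)
    stored = struct.unpack("!H", packet[ihl + 16:ihl + 18])[0]
    return stored == tcp_checksum(packet)


def ip_checksum_ok(packet: bytes) -> bool:
    """A correct IPv4 header checksums to zero when the stored field is included."""
    return inet_checksum(packet[:_ihl(packet)]) == 0


def tcp_flags(packet: bytes) -> int:
    return packet[_ihl(packet) + 13]


def build_sample_packet() -> bytes:
    """Assemble the constructed SYN with valid IP and TCP checksums."""
    ip_src = bytes(int(o) for o in SRC_IP.split("."))
    ip_dst = bytes(int(o) for o in DST_IP.split("."))
    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x1000, 0, 5 << 4,
                      SYN | ECE | CWR, 65535, 0, 0)
    # IPv4: ver/IHL, TOS, total length, id, DF flag, TTL, proto TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    packet = bytearray(ip + tcp)
    packet[20 + 16:20 + 18] = struct.pack("!H", tcp_checksum(bytes(packet)))
    return bytes(packet)


def strip_tcp_ecn_flags(packet: bytes, recompute_checksum: bool = True) -> bytes:
    """Clear CWR and ECE in the TCP header, the mutation an ECN-removal rule performs.

    With recompute_checksum=False the stored checksum no longer covers the
    modified flags byte, which is the broken-kernel behaviour described above.
    """
    pkt = bytearray(packet)
    ihl = _ihl(pkt)
    pkt[ihl + 13] &= 0xFF & ~(CWR | ECE)
    if recompute_checksum:
        pkt[ihl + 16:ihl + 18] = struct.pack("!H", tcp_checksum(bytes(pkt)))
    return bytes(pkt)


if __name__ == "__main__":
    original = build_sample_packet()
    cases = (("original", original),
             ("flags cleared, checksum left stale", strip_tcp_ecn_flags(original, False)),
             ("flags cleared, checksum recomputed", strip_tcp_ecn_flags(original)))
    for label, p in cases:
        print(f"{label}: flags=0x{tcp_flags(p):02x} "
              f"tcp_checksum_ok={tcp_checksum_ok(p)} ip_checksum_ok={ip_checksum_ok(p)}")
```

Only the TCP checksum is affected here, because the flags live in the TCP header; the IP header checksum stays valid in all three cases, which is why a capture on the sending side looks healthy and the problem only shows up as silence from the peer. Running the verifier over packets captured on the far end of the tunnel is the direct way to confirm that a rule which rewrites headers is also updating checksums.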
On Sun, 2005-01-16 at 11:40 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
> > Tom Eastep wrote:
> >
> >> As a wild guess, you might try commenting out the entry in
> >> /etc/shorewall/ecn.
> >
> > I've just confirmed that the ECN target with --tcp-ecn-remove seems to
> > be broken in recent 2.6 kernels. As Louis suggested, the kernel is not
> > correctly re-calculating the checksum.
>
> Ref:
> http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017931.html
>
> -Tom

Tom,

It works! Removing the ECN entry did the trick. Tom, you continue to amaze me. How in the world did you trap this?

Thanks!
Louis
--
Louis Lagendijk <louis@lagendijk.xs4all.nl>