Hi folks,

I have 2 firewalls, set up with CentOS 5.2. They are also routers, connected to 2 upstream routers. I have some cases where connections from servers to the internet leave my network via router2 and answers come back via router1. So I added conntrack-tools to both routers/firewalls to synchronize the session tables (using the ftfw protocol). That works as expected.

If e.g. I ping from an inside server to somewhere outside, the ICMP request leaves via router2 and the answer comes back via router1. conntrack -e on router1 shows this session (as unreplied), BUT the firewall blocks it as a new connection - that means iptables does not recognize conntrackd's addition to the session table.

Seems that I have a conceptual misunderstanding here - but I do not find anything that could be wrong. Could somebody please help? I am stuck. Any hint or help is appreciated.

Dirk
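As an added example (not taken from either poster's configuration), here is the part of a conntrackd.conf that a practitioner would check first for the FTFW setup described above: in FTFW mode conntrackd keeps entries learned from the peer in its own external cache and injects them into the kernel only on a commit (`conntrackd -c`), so the kernel conntrack table that iptables consults does not contain them until then, and a reply arriving on the other box is still classified as NEW. Option names follow the conntrackd.conf reference; the addresses and interface name are assumptions, only the sections relevant here are shown, and the DisableExternalCache option is absent from older conntrackd releases.

```conf
# Added example: conntrackd.conf sections for FTFW replication between two
# firewalls. Addresses, interface name and protocol list are assumptions.
Sync {
    Mode FTFW {
        # Default (Off): entries from the peer sit in the external cache and
        # reach the kernel only when `conntrackd -c` is run. With On,
        # conntrackd injects peer entries into the kernel table at once, so
        # an iptables ESTABLISHED/RELATED rule can match the reply.
        # (Option not available in old conntrackd versions.)
        DisableExternalCache On
        CommitTimeout 1800
        PurgeTimeout 5
    }
    UDP {
        # Dedicated sync link between the two firewalls (assumed addresses).
        IPv4_address 192.168.100.1
        IPv4_Destination_Address 192.168.100.2
        Port 3780
        Interface eth2
        Checksum on
    }
}

General {
    Filter From Userspace {
        # Only the protocols listed here are replicated to the peer;
        # ICMP has to be in the list for the ping case to be synchronised.
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
    }
}
```

With the external cache still enabled, `conntrackd -e` (external cache dump) lists the replicated entry while `conntrack -L` (kernel table) does not; that difference is the quickest way to tell which table the entry actually reached.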
On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:

> That works as expected. If e.g. I ping from an inside server to somewhere
> outside, ICMP request leaves via router2, the answer comes back via
> router1. conntrack -e on router1 shows this session (as unreplied), BUT
> the firewall blocks it as new connection - that means iptables does not
> recognize conntrackd's addition to the session table.

First off, if you have traffic leaving one router and coming back on another router, that is Asynchronous routing and is not a good thing, as you are seeing. Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going to block this traffic as it was set up to do. Firewall 1 is thinking this is a new connection.

Since I don't know your setup, my questions are:

1. How many Internet connections do you have?
2. Does router 2 have a valid public IP on the interface connecting to the Internet?

--
Regards
Robert

Smile... it increases your face value!
Linux User #296285 http://counter.li.org