Displaying 14 results from an estimated 14 matches for "ip_conntrack_tcp_be_liberal".

2006 Mar 17
32
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443 ------- Additional Comments From nothingel@hotmail.com 2006-03-17 20:07 MET ------- sorry for the delay...I'll check this out hopefully first of next week. -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug,
2006 Jul 15
15
[Bug 464] state match sometimes failes RELATED,ESTABLISHED matches
...e numbers not adjusted Whatever device you are behind (upstream) isn't adjusting the SACK sequence numbers appropriately. Unless you control that upstream device, you have only two options: - disable TCP window tracking in conntrack in the firewall: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal - disable SACK support on all of your machines behind the firewall: echo 0 > /proc/sys/net/ipv4/tcp_sack Joerg: awaiting example from a non-braindead site. -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ----...
2005 Feb 03
8
SMB Problem
I'm having a problem where transferring files across our IPsec gateway to another host on a remote network is failing. I see no packets being rejected in the logs. Attached is a packet trace, showing the problem. In this case, 10.100.0.0/24 is the local network and 10.100.14.0/24 is the remote network. The trace was taken on the local gateway. In the trace, there is a set of TCP
2005 Feb 02
1
Shorewall 2.0.16
...kets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID. The new kernel code can be disabled by including this command in your /etc/shorewall/init file: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal Additional kernel logging about INVALID TCP packets may be obtained by adding this command to /etc/shorewall/init: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid Traditionally, Shorewall has dropped INVALID TCP packets early. The new DROPINVALID option allo...
2016 Oct 04
13
[Bug 1087] New: Window Tracking not disabled
...i, I have been conducting testing and I noticed that Window Tracking does not appear to be disabled on a per connection level upon receipt. Kernel: 4.1.17 Version: v1.4.3 To Replicate: First ensure Configuration contains "TCPWindowTracking Off" Ensure that /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal is set to "0" Sync'ed connections out of window will fail. I tested this by triggering a BGP PoP switch. Then Set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to "1". It now works. -- You are receiving this mail because: You are watching all bug changes. ---...
2004 Dec 11
0
Shorewall 2.2.0 Beta 8
...e packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID. The new kernel code can be disabled by including this command in your /etc/shorewall/init file: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal Additional kernel logging about INVALID TCP packets may be obtained by adding this command to /etc/shorewall/init: echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid Traditionally, Shorewall has dropped INVALID TC...
2006 Oct 22
0
firewall dropping legitimate packets
...cally the only relevant rule. I also have this rule to log dropped packets at the end of FORWARD chain: -A FORWARD -j LOG --log-prefix "FORWARD " Every time the download stalls, I see a bunch of packets belonging to that download logged as dropped. If I set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1, it seems to solve the problem. Being liberal on a firewall machine usually is not a good thing, so I'm not particularly happy with this solution. Googling around I found this posting on Netfilter-devel list: http://www.opensubscriber.com/message/netfilter-devel at lists.netfilter.org/...
2007 Mar 26
0
Re: Expected handling of [SYN] when expecting[SYN, ACK]?
...dropping them as invalid. You can see if that is happening by echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid modprobe ipt_LOG If you see packets being logged (they are logged on any console), then you can try manipulating /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose and ip_conntrack_tcp_be_liberal. I've taken a quick look and didn't find the documentation for those so you'll have to do the Google search. The Shorewall-generated netfilter ruleset can also silently drop packets through its 'Default Actions' (see http://www.shorewall.net/...
2006 Feb 08
15
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443 ------- Additional Comments From nothingel@hotmail.com 2006-02-08 05:35 MET ------- I also, the situation described in bug ID 322 seemed related and I tried the patch from Phil Oester but it did not make a difference. -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving
2007 Mar 23
1
Expected handling of [SYN] when expecting [SYN, ACK]?
Hi, I've been developing a peer-to-peer application, and have recently been trying to add STUNT (http://www.cis.nctu.edu.tw/~gis87577/xDreaming/XSTUNT/Docs/XSTUNT%20Reference.htm) to allow firewall/NAT traversal. I got a box with Shorewall to use for testing, and am now trying to work out whether Shorewall is actually designed to prevent such connections? I notice in the FAQs that
2004 Dec 05
28
state INVALID
Having moved from a "cascading LANs" configuration to two independent LANs on eth0 and eth1, I still get some "state INVALID" for which I am not sure what the cause is. Can somebody help me understand its probable origin? Thanks, Costantino [see attachment]
2007 Apr 10
2
policy routing with two shorewalls
I have, for the time being, decided to split my dual ISP/single shorewall connection into two shorewall connections/boxes, each handling one ISP. I am running OSPF in the network and so far things are working out fairly well (from a client of the two gateways). $ ip route ls 10.33.66.2 via 10.75.22.199 dev eth0 proto zebra metric 20 192.168.200.1 via 10.75.22.254 dev eth0 proto zebra metric
2007 May 25
49
Problem with ssh limit and scp stalling
Hi, I have a very simple server setup, using shorewall as my firewall. I have a line like this at the top of my rules file to allow ssh connections, but limited to 3 connections per minute with a burst rate of 3: SSH/ACCEPT net $FW - - - - 3/min:3 - Now when I have that in place, and from a remote machine run scp server:/some/file ., I find
2007 Mar 04
13
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552 ------- Additional Comments From cbettero@ciditech.it 2007-03-04 21:48 MET ------- This problem prevents AJAX web sites to be hosted on the internal web server, because many packets will be dropped instead of passing into PREROUTING chain... -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email