Displaying 14 results from an estimated 14 matches for "ip_conntrack_tcp_be_liberal".
2006 Mar 17
32
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443
------- Additional Comments From nothingel@hotmail.com 2006-03-17 20:07 MET -------
sorry for the delay...I'll check this out hopefully first of next week.
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug,
2006 Jul 15
15
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
...e numbers not adjusted
Whatever device you are behind (upstream) isn't adjusting the SACK sequence
numbers appropriately. Unless you control that upstream device, you have only
two options:
- disable TCP window tracking in conntrack in the firewall:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
- disable SACK support on all of your machines behind the firewall:
echo 0 > /proc/sys/net/ipv4/tcp_sack
Joerg: awaiting example from a non-braindead site.
2005 Feb 03
8
SMB Problem
I'm having a problem where transferring files across our IPsec gateway
to another host on a remote network is failing. I see no packets being
rejected in the logs.
Attached is a packet trace, showing the problem. In this case,
10.100.0.0/24 is the local network and 10.100.14.0/24 is the remote
network. The trace was taken on the local gateway.
In the trace, there is a set of TCP
2005 Feb 02
1
Shorewall 2.0.16
...kets based on
TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.
The new kernel code can be disabled by including this command in
your /etc/shorewall/init file:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Additional kernel logging about INVALID TCP packets may be
obtained by adding this command to /etc/shorewall/init:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
Traditionally, Shorewall has dropped INVALID TCP packets early. The
new DROPINVALID option allo...
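The window-tracking check that the Bug 464 comment and the Shorewall 2.0.16 note above both work around, as an added Python model (not kernel code and not part of any message on this page): it mirrors the four in-window conditions of nf_conntrack's tcp_in_window in simplified form (plain integers with no 32-bit wrap-around, no window scaling, no MAXACKWINDOW slack), feeds it a constructed upload in which one segment is lost beyond the firewall, and shows why a SACK right edge that an upstream device failed to translate fails condition III and is marked INVALID unless tcp_be_liberal is set. All sequence numbers, the 100000 offset, the segment layout and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DirState:
    """Per-direction window state, named after the fields conntrack keeps."""
    td_end: int = 0      # highest seq + len this side has sent
    td_maxend: int = 0   # highest seq the peer allows this side to send (peer ack + peer window)
    td_maxwin: int = 0   # largest window this side advertised; 0 means "no segment seen yet"


@dataclass
class Segment:
    seq: int
    ack: Optional[int]                 # None when the ACK flag is clear
    win: int
    length: int = 0                    # payload bytes
    syn: bool = False
    fin: bool = False
    sack_right: Optional[int] = None   # right edge of the highest SACK block, if present


class TcpTracker:
    """Simplified model of tcp_in_window(): no seq wrap, no scaling, no ack-window slack."""

    def __init__(self, be_liberal: bool = False) -> None:
        self.be_liberal = be_liberal          # models ip_conntrack_tcp_be_liberal
        self.dirs = {"orig": DirState(), "reply": DirState()}
        self.log: List[str] = []              # one entry per out-of-window segment

    def packet(self, direction: str, s: Segment) -> bool:
        """Return True if conntrack keeps tracking the segment, False if it is INVALID."""
        sender = self.dirs[direction]
        receiver = self.dirs["reply" if direction == "orig" else "orig"]
        end = s.seq + s.length + int(s.syn) + int(s.fin)

        if sender.td_maxwin == 0:
            # First segment from this side: seed its state (a SYN, or pickup mid-stream).
            sender.td_end = end
            sender.td_maxwin = s.win or 1
            sender.td_maxend = end if s.syn else end + sender.td_maxwin
            if not s.syn and receiver.td_maxwin == 0:
                receiver.td_end = receiver.td_maxend = s.ack or 0

        # No ACK flag: treat it as acknowledging exactly what the peer has sent.
        ack = s.ack if s.ack is not None else receiver.td_end
        # Conntrack checks the highest SACK edge, not only the ACK field.
        sack = max(ack, s.sack_right) if s.sack_right is not None else ack

        checks = {
            "I: seq <= sender.td_maxend": s.seq <= sender.td_maxend,
            "II: end >= sender.td_end - receiver.td_maxwin": end >= sender.td_end - receiver.td_maxwin,
            "III: sack <= receiver.td_end": sack <= receiver.td_end,
            "IV: sack >= receiver.td_end - sender.td_maxwin": sack >= receiver.td_end - sender.td_maxwin,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            self.log.append(f"{direction}: out of window, failed {'; '.join(failed)}")
            # be_liberal=1 passes the segment but learns nothing from it; 0 marks it INVALID.
            return self.be_liberal

        # In window: advance the tracked state from this segment.
        sender.td_maxwin = max(sender.td_maxwin, s.win + (sack - ack))
        sender.td_end = max(sender.td_end, end)
        if receiver.td_maxwin != 0 and end > sender.td_maxend:
            receiver.td_maxwin += end - sender.td_maxend
        if sack + s.win > receiver.td_maxend - 1:
            receiver.td_maxend = sack + s.win + (1 if s.win == 0 else 0)
        return True


def run_scenario(be_liberal: bool, sack_offset: int) -> Tuple[List[bool], List[str]]:
    """Constructed exchange: client (orig) uploads three segments, the middle one is
    lost past the firewall, the server (reply) ACKs the first and SACKs the third.
    sack_offset models an upstream box that rewrote the client's sequence numbers
    (and translated the ACK back) but left the SACK edge untranslated."""
    t = TcpTracker(be_liberal)
    w = 65535
    results = [
        t.packet("orig",  Segment(seq=1000, ack=None, win=w, syn=True)),
        t.packet("reply", Segment(seq=5000, ack=1001, win=w, syn=True)),
        t.packet("orig",  Segment(seq=1001, ack=5001, win=w)),
        t.packet("orig",  Segment(seq=1001, ack=5001, win=w, length=1460)),
        t.packet("orig",  Segment(seq=2461, ack=5001, win=w, length=1460)),  # lost downstream
        t.packet("orig",  Segment(seq=3921, ack=5001, win=w, length=1460)),
        t.packet("reply", Segment(seq=5001, ack=2461, win=w, sack_right=5381 + sack_offset)),
    ]
    return results, t.log


if __name__ == "__main__":
    for liberal, offset in ((False, 0), (False, 100000), (True, 100000)):
        ok, log = run_scenario(liberal, offset)
        print(f"be_liberal={int(liberal)} sack_offset={offset}: accepted={ok}", log)
```

With be_liberal set the untranslated SACK ACK is passed but not used to advance the tracked window, which is why the comment above calls it disabling window tracking rather than fixing it; the log entry naming the failed condition is the kind of information ip_conntrack_log_invalid exposes from the kernel so you can tell this case from a genuinely bogus segment.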
2016 Oct 04
13
[Bug 1087] New: Window Tracking not disabled
...i,
I have been conducting testing and I noticed that Window Tracking does not
appear to be disabled on a per connection level upon receipt.
Kernel: 4.1.17
Version: v1.4.3
To Replicate:
First ensure Configuration contains "TCPWindowTracking Off"
Ensure that /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal is set to
"0"
Sync'ed connections out of window will fail. I tested this by triggering a BGP
PoP switch.
Then Set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to "1".
It now works.
2004 Dec 11
0
Shorewall 2.2.0 Beta 8
...e packets that were
previously classified as NEW or ESTABLISHED to be classified as
INVALID.
The new kernel code can be disabled by including this command in
your /etc/shorewall/init file:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
Additional kernel logging about INVALID TCP packets may be
obtained by adding this command to /etc/shorewall/init:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
Traditionally, Shorewall has dropped INVALID TC...
2006 Oct 22
0
firewall dropping legitimate packets
...cally the only relevant rule.
I also have this rule to log dropped packets at the end of FORWARD chain:
-A FORWARD -j LOG --log-prefix "FORWARD "
Every time the download stalls, I see bunch of packets belonging to that
download logged as dropped.
If I set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1,
it seems to solve the problem. Being liberal on firewall machine
usually is not a good thing, so I'm not particularly happy with this
solution. Googling around I found this posting on Netfilter-devel list:
http://www.opensubscriber.com/message/netfilter-devel at lists.netfilter.org/...
2007 Mar 26
0
Re: Expected handling of [SYN] when expecting[SYN, ACK]?
...dropping them as invalid. You can see if that is happening by
echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
modprobe ipt_LOG
If you see packets being logged (they are logged on any console), then
you can try manipulating
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose and
ip_conntrack_tcp_be_liberal.
I've taken a quick look and didn't find the documentation for those so
you'll have to do the Google search.
The Shorewall-generated netfilter ruleset can also silently drop packets
through its 'Default Actions' (see
http://www.shorewall.net/...
2006 Feb 08
15
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443
------- Additional Comments From nothingel@hotmail.com 2006-02-08 05:35 MET -------
Also, the situation described in bug ID 322 seemed related and I tried the
patch from Phil Oester but it did not make a difference.
2007 Mar 23
1
Expected handling of [SYN] when expecting [SYN, ACK]?
Hi,
I've been developing a peer-to-peer application, and have recently been
trying to add STUNT
(http://www.cis.nctu.edu.tw/~gis87577/xDreaming/XSTUNT/Docs/XSTUNT%20Reference.htm)
to allow firewall/NAT traversal. I got a box with Shorewall
to use for testing, and am now trying to work out whether Shorewall is
actually designed to prevent such connections? I notice in the FAQs that
2004 Dec 05
28
state INVALID
Having moved from a "cascading LANs" configuration to two independent LANs
on eth0 and eth1, I still get some "state INVALID" for which I am not sure
what the cause is. Can somebody help me understand its probable origin?
Thanks,
Costantino
[see attachment]
2007 Apr 10
2
policy routing with two shorewalls
I have, for the time being, decided to split my dual ISP/single
shorewall connection into two shorewall connections/boxes, each handling
one ISP.
I am running OSPF in the network and so far things are working out
fairly well (from a client of the two gateways).
$ ip route ls
10.33.66.2 via 10.75.22.199 dev eth0 proto zebra metric 20
192.168.200.1 via 10.75.22.254 dev eth0 proto zebra metric
2007 May 25
49
Problem with ssh limit and scp stalling
Hi,
I have a very simple server setup, using shorewall as my firewall. I
have a line like this at the top of my rules file to allow ssh
connections, but limited to 3 connection per minute with a burst rate
of 3:
SSH/ACCEPT net $FW - - - - 3/min:3 -
Now when I have that in place, and from a remote machine run scp
server:/some/file ., I find
2007 Mar 04
13
[Bug 552] Strange DNAT behaviour... packets don't pass through PREROUTING and go directly to INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552
------- Additional Comments From cbettero@ciditech.it 2007-03-04 21:48 MET -------
This problem prevents AJAX web sites from being hosted on the internal web server,
because many packets will be dropped instead of passing into PREROUTING chain...