I wrote:
> Basically, I see the packet comes in on the external
> interface, but it gets rejected by Shorewall as a badpkt.
> It's like it's forgetting the NAT for packets coming back
> from the eBay webservers. The end result is that Mozilla
> dies instantly. Rather annoying.
From: "Cowles, Steve" <Steve@SteveCowles.com>
> I would try setting your external interface to logunclean instead
> of dropunclean ...

Bingo. I did have dropunclean on. Now changed. I expect it to help.
> From: Tom Eastep <teastep@shorewall.net>
> On Mon, 9 Sep 2002, Jonathan Manning wrote:
> > >> The packet logs look like the following:
> > >> Sep 7 02:06:18 fw0 kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1
> > >> SRC=216.33.156.119 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00
> > >> TTL=112 ID=35361 PROTO=TCP SPT=80 DPT=1797 WINDOW=0 RES=0x00
> > >> ACK URGP=0
>
> This is what one gets for setting 'dropunclean' on the external interface
> -- I recommend against it because it results in this sort of problem.
Can you put this recommendation in a more visible place than here in the
mailing list archives?

I could not find this caution mentioned anywhere in the docs. (I did have the
same OPT 8 problem occasionally as well under 2.4.18-3. I'm running
2.4.18-10, now, btw.)

I finally found your recommendation (and a good explanation of what's going on
in http://www.shorewall.net/pipermail/shorewall-users/2002-May/001235.html ).
I don't mean to be flip, but if the packet is "unclean" because of some
intervening broken TCP/IP stack, why isn't *my* TCP/IP stack dropping it and
requesting a re-transmit of the packet? Isn't that the entire point of the
TCP/IP protocol - to eliminate broken, missing, mangled, and dropped packets
in the communications sequence? Or am I missing something deep and technical
here?

Is there a way to configure the kernel / netfilter to request re-transmits of
packets tagged "unclean"? Or is the problem we've already ACKed it by the
time we figure out it's unclean?

I realize this may be more appropriate to ask the netfilter folks, so shoo me
off if you think I should ask there.

I appreciate the explanations, and Tom - you should be enjoying your vacation,
not answering email!

Mike808/
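The log line quoted in the thread is an ordinary netfilter LOG entry carrying a Shorewall chain:disposition prefix. As an added example (not code from the thread or from the Shorewall project), here is a small Python parser that reads such lines and flags exactly the symptom described above: a badpkt DROP on the external interface of an ACK segment coming back from a web server's port 80, i.e. the reply half of a connection a LAN client opened. The interface name eth0, the port set, and the second and third sample lines are assumptions constructed for the example; the first sample line is the one quoted in the thread with the quoted-printable "=3D" decoded back to "=".

```python
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 is the entry quoted in the thread; lines 2
# and 3 are invented for contrast (a SYN to port 135 dropped by a different
# chain, and a second web reply dropped as badpkt).
SAMPLE_LOG = """\
Sep  7 02:06:18 fw0 kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=216.33.156.119 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=35361 PROTO=TCP SPT=80 DPT=1797 WINDOW=0 RES=0x00 ACK URGP=0
Sep  7 02:07:01 fw0 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2133 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  7 02:07:30 fw0 kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=1800 WINDOW=0 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:", then Shorewall's <chain>:<disposition>:
# prefix and the netfilter key=value fields.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)

# Assumed: server-side ports whose replies we care about.
WEB_PORTS = {"80", "443"}


@dataclass
class Entry:
    timestamp: str
    host: str
    chain: str          # Shorewall chain that logged, e.g. badpkt, net2all
    disposition: str    # DROP, REJECT, ACCEPT ...
    fields: dict        # key=value tokens: IN, OUT, SRC, DST, PROTO, SPT, DPT ...
    flags: set          # bare tokens: SYN, ACK, DF ...


def parse_line(line):
    """Parse one Shorewall/netfilter LOG line; return None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.add(tok)
    return Entry(m["ts"], m["host"], m["chain"], m["disp"], fields, flags)


def is_dropped_web_reply(entry, external_if="eth0"):
    """True for the symptom in the thread: a badpkt DROP, arriving on the
    external interface, of an established (ACK, not SYN) TCP segment whose
    source port is a web server port."""
    if entry is None or entry.chain != "badpkt" or entry.disposition != "DROP":
        return False
    if entry.fields.get("IN") != external_if or entry.fields.get("PROTO") != "TCP":
        return False
    return (entry.fields.get("SPT") in WEB_PORTS
            and "ACK" in entry.flags
            and "SYN" not in entry.flags)


def find_dropped_web_replies(log_text, external_if="eth0"):
    """Return (SRC, DST, DPT) for every dropped web reply in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_dropped_web_reply(entry, external_if):
            hits.append((entry.fields["SRC"], entry.fields["DST"], entry.fields["DPT"]))
    return hits


if __name__ == "__main__":
    for src, dst, dpt in find_dropped_web_replies(SAMPLE_LOG):
        print(f"dropped web reply: {src}:80 -> {dst}:{dpt}")
```

Run against a real syslog, a non-empty result from find_dropped_web_replies is the cue the thread gives for checking whether the external interface is set to dropunclean rather than logunclean; the parser deliberately keys on the chain name and the ACK/SPT combination rather than on why the unclean match fired, since the log line does not say.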