Hi,

I am using Shorewall on my home router and it runs fine. I just have one problem when my ppp0 interface IP address is changed.

My internal (LAN) interface is br0 and the internet interface is ppp0, which is a DSL connection to my ISP. All internal traffic is masqueraded to the ppp0 IP address when reaching the internet.

Whenever the DSL connection is lost or shut down intentionally, I begin to have problems with my NAT connections, especially if the connection is UDP based.

For example, when I check the "shorewall show connections" output I still see that my Asterisk server is still sending the SIP messages to the internet with the previous ppp0 IP address.

If I shut down the LAN interface and wait for 5 minutes, and then re-up the LAN interface, the connection becomes refreshed with the new ppp0 IP address. But 5 minutes is a long time. How can I force the active NAT connections to be reset whenever my ppp0 is down/up?

Thanks,
ilker

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Sorry; I was just going to ask again, if there is any idea about my problem...

On 4/28/08, Mekabe Ramein <mrmrmrmr@gmail.com> wrote:
> Hi,
>
> I am using Shorewall on my home router and it runs fine. I just have one
> problem when my ppp0 interface IP address is changed.
> My internal (LAN) interface is br0 and the internet interface is ppp0 which
> is a DSL connection to my ISP.
> All internal traffic is masqueraded to the ppp0 IP address when reaching
> internet.
> Whenever the DSL connection is lost or shut down intentionally, I begin to
> have problems with my NAT connections.
> Especially if the connection is UDP based.
>
> For example, when I check the "shorewall show connections" output I still
> see that my Asterisk server is still sending the SIP messages to the
> internet with the previous ppp0 IP address.
>
> If I shut down the LAN interface and wait for 5 minutes, and then re-up the
> LAN interface, the connection becomes refreshed with the new ppp0 IP
> address.
> But 5 minutes is a long time. How can I force the active NAT connections to
> be reset whenever my ppp0 is down/up?
>
> Thanks,
> ilker
Mekabe Ramein wrote:
> Sorry; I was just going to ask again, if there is any idea about my
> problem...

If you have a choice, then I would encourage you to get a different ISP. Yours is telling you that "We are going to disrupt your service at regular intervals and there is nothing that you can do about it". That's nonsense.

If that isn't an option, then there is a Netfilter utility called "conntrack". Not all distributions include the program so you may have to build it from source. It has a command to purge the conntrack table; run it from your /etc/ppp/ip-up.local file.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> If that isn't an option, then there is a Netfilter utility called
> "conntrack". Not all distributions include the program so you may have
> to build it from source. It has a command to purge the conntrack table;
> run it from your /etc/ppp/ip-up.local file.

The command is:

conntrack -F

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Thank you. Unfortunately in Turkey we don't have much choice for ADSL provider. I will try the utility you suggested. But I get the following error when I issue the command:

router:~# conntrack -F
nfnl_talk: sendmsg(netlink) Connection refused
Operation failed: sorry, you must be root or get CAP_NET_ADMIN capability to do this
router:~#

I am root, so?

On 4/28/08, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>
> > If that isn't an option, then there is a Netfilter utility called
> > "conntrack". Not all distributions include the program so you may have to
> > build it from source. It has a command to purge the conntrack table; run it
> > from your /etc/ppp/ip-up.local file.
>
> The command is:
>
> conntrack -F
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Thanks. I tried the conntrack utility but I get the following error when I issue the command:

# conntrack -L
Operation failed: sorry, you must be root or get CAP_NET_ADMIN capability to do this

When I search this, it seems that I need a module named "ip_conntrack_netlink". Is that true? If so, how can I install it?

Regards.

>>> Tom Eastep Mon, 28 Apr 2008 08:10:19 -0700
> Tom Eastep wrote:
> > If that isn't an option, then there is a Netfilter utility called
> > "conntrack". Not all distributions include the program so you may have to
> > build it from source. It has a command to purge the conntrack table; run it
> > from your /etc/ppp/ip-up.local file.
>
> The command is:
>
> conntrack -F
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ [EMAIL PROTECTED]
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Mekabe Ramein wrote:
> Thanks. I tried the conntrack utility but I get the following error when
> I issue the command:
>
> # conntrack -L
> Operation failed: sorry, you must be root or get CAP_NET_ADMIN
> capability to do this
>
> When I search this, it seems that I need a module named
> "ip_conntrack_netlink".
>
> Is that true? If so, how can I install it?

You install it the same way that you installed conntrack.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
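The two pieces of advice in this thread, `conntrack -F` run from `/etc/ppp/ip-up.local` and loading the conntrack netlink module first, fit together in one hook script. The following is an added example written for this page; it is not code from the thread or from the Shorewall project. It assumes that pppd invokes the file with its usual positional arguments (interface, tty, speed, local IP, remote IP, ipparam), that the module is called `nf_conntrack_netlink` on current kernels and `ip_conntrack_netlink` on the 2.6-era kernels the thread refers to, and that `conntrack`, `modprobe` and `logger` are on PATH on the router. The tool names are overridable through environment variables so the decision logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project:
# an /etc/ppp/ip-up.local hook that flushes the conntrack table once the
# WAN link (ppp0) is back up, so masqueraded flows stop using the old address.
# Assumption: pppd passes its usual arguments:
#   $1 interface  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# CONNTRACK, MODPROBE and LOGGER are overridable so the hook can be
# exercised without root or the real tools present.

CONNTRACK="${CONNTRACK:-conntrack}"
MODPROBE="${MODPROBE:-modprobe}"
LOGGER="${LOGGER:-logger}"
WAN_IF="${WAN_IF:-ppp0}"

log_msg() {
    "$LOGGER" -t ip-up.local "$*"
}

# True only for the interface we masquerade behind; other ppp links are ignored.
is_wan_if() {
    [ "$1" = "$WAN_IF" ]
}

# conntrack(8) answers "you must be root or get CAP_NET_ADMIN" even as root
# when the ctnetlink kernel module is not loaded (the error seen in this thread).
# Try the current module name first, then the older name from the thread.
ensure_ctnetlink() {
    "$MODPROBE" nf_conntrack_netlink 2>/dev/null \
        || "$MODPROBE" ip_conntrack_netlink 2>/dev/null
}

# Flush every tracked connection, i.e. the thread's "conntrack -F".
flush_conntrack() {
    "$CONNTRACK" -F
}

# Entry point. Returns 0 when nothing needed doing or the flush succeeded,
# 1 when the flush was attempted and failed (stale NAT entries remain).
ppp_up_hook() {
    iface="$1"
    local_ip="$4"
    is_wan_if "$iface" || return 0
    ensure_ctnetlink || log_msg "could not load ctnetlink module; trying conntrack anyway"
    if flush_conntrack; then
        log_msg "flushed conntrack after $iface came up with address $local_ip"
        return 0
    fi
    log_msg "conntrack -F failed on $iface; stale NAT entries remain"
    return 1
}

# Run the hook only when pppd executes this file directly, not when it is
# sourced for testing.
case "$0" in
    ip-up.local|*/ip-up.local) ppp_up_hook "$@" ;;
esac
```

Two caveats worth knowing before installing this. `conntrack -F` is deliberately coarse: it drops every tracked flow, LAN-to-LAN state included, not just the entries that were NATed to the old ppp0 address, so the stale SIP entries go away at the cost of all other state being rebuilt from the next packet of each flow. And the userspace tool can only work when the kernel itself has ctnetlink support (added in 2.6.14), which is why the CAP_NET_ADMIN error in this thread persists on a Sarge-era kernel however many packages are installed; the `modprobe` step helps only where the module exists.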
OK; but my "aptitude search ip_conntrack_netlink" command does not find any package.

On 4/29/08, Tom Eastep <teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>
> > Thanks. I tried the conntrack utility but I get the following error when
> > I issue the command:
> >
> > # conntrack -L
> > Operation failed: sorry, you must be root
> > or get CAP_NET_ADMIN capability to do this
> >
> > When I search this, it seems that I need a module named
> > "ip_conntrack_netlink".
> >
> > Is that true? If so, how can I install it?
>
> You install it the same way that you installed conntrack.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Mekabe Ramein wrote:
> OK; but my "aptitude search ip_conntrack_netlink" command does not find
> any package.

Don't use such a specific search!

Search for 'conntrack' -- at least in Gutsy, that search in Synaptic lists libnetfilter-conntrack1 and libnfnetlink0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
I've already installed what I could find with search "conntrack". Unfortunately the problem exists.

Somebody suggested me to make a distribution upgrade because my Debian was Sarge. Now I am upgrading to Lenny. Do you think it might solve the problem?

Thanks

On 4/29/08, Tom Eastep <teastep@shorewall.net> wrote:
> Mekabe Ramein wrote:
>
> > OK; but my "aptitude search ip_conntrack_netlink" command does not find
> > any package.
>
> Don't use such a specific search!
>
> Search for 'conntrack' -- at least in Gutsy, that search in Synaptic lists
> libnetfilter-conntrack1 and libnfnetlink0.
>
> -Tom
> --
Mekabe Ramein wrote:
> Now I am upgrading to Lenny.
> Do you think it might solve the problem?

Using Synaptic on Etch, I installed conntrack (which also installed a couple of more packages) and it worked fine.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key