similar to: [Bug 400] connection tracking does not work on VLANs if underlying interface is a bridge

Displaying 20 results from an estimated 1000 matches similar to: "[Bug 400] connection tracking does not work on VLANs if underlying interface is a bridge"

2006 Jun 08
5
[Bug 400] connection tracking does not work on VLANs if underlying interface is a bridge
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400 ------- Additional Comments From pila@pilasecurity.com 2006-06-08 10:03 MET ------- I had the same trouble yesterday. It's very useful to have VLANs over bridges. Consider this situation: 1- You have a cluster of firewalls 2- You have a DMZ net with two switches for redundancy 3- You have two NICs on your firewall to connect to each
2006 Jan 28
5
[Bug 318] masq fails on existing connection using marks and iproute2 source routing
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=318 ------- Additional Comments From kaber@trash.net 2006-01-28 17:29 MET ------- Please execute "echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid" after loading ipt_LOG and post the results. -- Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this
2007 Mar 15
5
[Bug 554] Packet illegaly bypassing SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554 ------- Additional Comments From kaber@trash.net 2007-03-15 02:53 MET ------- Most likely these packets are considered invalid by connection tracking and therefore not handled by NAT. Try this: iptables -t mangle -A POSTROUTING -m state --state INVALID -j DROP
2007 Mar 04
13
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552 ------- Additional Comments From cbettero@ciditech.it 2007-03-04 21:48 MET ------- This problem prevents AJAX web sites from being hosted on the internal web server, because many packets will be dropped instead of passing into the PREROUTING chain...
2006 Feb 08
15
[Bug 443] 2.6 kernel failing in NAT with significant outbound traffic
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=443 ------- Additional Comments From nothingel@hotmail.com 2006-02-08 05:35 MET ------- I also, the situation described in bug ID 322 seemed related and I tried the patch from Phil Oester but it did not make a difference.
2004 Oct 31
9
Maquerading through IPSECed wireless dropping packets selectively?
Hello, I'm stuck IPSECing my wireless network at home and would appreciate any comments. I apologize in advance if I'm wasting your time with trivia - I'm not a professional and staring at the problem for days from various angles hasn't done me any good ... My home server/firewall (morannon) is hooked up through a USB to ethernet adapter (eth1) to my DSL
2007 May 26
14
[Bug 570] PREROUTING is unaware of VLAN interfaces
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=570 kaber@trash.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From kaber@trash.net 2007-05-26
2014 Jan 10
1
Switch mode three-node routing problem
Dear tinc community, I am using tinc in switch mode. I have three nodes. Two nodes reside on routers, vpn-eth is bridged with internal lan, each router has several machines connected to its internal lan. Third node is the roadwarrior - "endpoint" linux PC. When the roadwarrior is off - everything works perfectly, machines on both sides can communicate without a problem in any
2005 May 02
1
Problems with ipsec roadwarrior
Hello, I have got a problem with the configuration of a roadwarrior ipsec VPN tunnel with shorewall 2.2.3. I read the Shorewall Kernel 2.6 IPSEC and followed the instructions to that point where to modify the hosts with the following parameters: vpn eth0:0.0.0.0/0 ipsec But I have got an entry like net eth0:0.0.0.0/0 even in the same file: If I
2004 Dec 22
2
IPSec and Roadwarrior
Tom, After reading your latest postings, I am correct in understanding that, even with the netfilter-ipsec and policy patches in kernel 2.6, I still would not be able to connect more than one roadwarrior at a time? Mitch
2004 Dec 19
6
IPSEC vs OpenVPN
While I have concentrated on support for 2.6 native IPSEC in release 2.2.0, I am still of the opinion that unless you absolutely need IPSEC compatibility that OpenVPN is a much easier (and in the case of roadwarriors, a much better) solution. Having already generated all of the required X.509 certificates, it took me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one using the new
2006 Sep 15
18
[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=511 ------- Additional Comments From kaber@trash.net 2006-09-15 06:42 MET ------- So you're saying the problem is that the receiver updates its window multiple times without receiving any data in between, thereby falsely triggering the "dead-peer detection" (as you call it)?
2006 Apr 21
16
[Bug 460] Unknown error 4294967295
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=460 laforge@netfilter.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From laforge@netfilter.org
2007 Jan 11
3
[Bug 531] ip_tables.h: IPT_TABLE_MAXNAMELEN bogously #defined to XT_FUNCTION_MAXNAMELEN
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=531 kaber@trash.net changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|laforge@netfilter.org |kaber@trash.net ------- Additional Comments From kaber@trash.net 2007-01-11 19:00 MET ------- Very nice catch. I guess it
2006 Jun 28
7
[Bug 479] tunnel0 and br0
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=479 netfilter@linuxace.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |netfilter@linuxace.com ------- Additional Comments From netfilter@linuxace.com 2006-06-28 02:57 MET ------- Tom - did
2004 Dec 10
2
Re: 2.6 Kernel and Native IPSEC
>From your post on Oct. 4, 2004 >As I announced earlier, I'm on vacation this week and we are spending >the week at our second home. Before I left, I simulated an IPSEC tunnel >between this house and our home in the Seattle area and I'm pleased to >announce that the real tunnel works flawlessly. > >So I believe that I have done all of the testing that I can
2006 Aug 25
9
[Bug 503] ip_conntrack_sip , ip_nat_sip DNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=503 siqhamo@newlunar.co.za changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED
2013 Apr 11
2
IKEv2/IPSEC "Road Warrior" VPN Tunneling?
Is there a "cookbook" for setting this up? There are examples for setting up a tunnel between two fixed-address networks (e.g. a remote LAN that needs to be "integrated" with a central LAN over IPSec but I can't find anything addressing the other situation -- remote user(s) where the connecting IPs are not known in advance, such as a person with a laptop or smartphone in a
2006 Aug 29
7
[Bug 507] tun99 don't trapped by tun+
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=507 kaber@trash.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From kaber@trash.net 2006-08-29
2007 Feb 25
5
[Bug 549] kernel oops when trying to remove ip_conntrack module
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=549 ------- Additional Comments From kaber@trash.net 2007-02-25 22:58 MET ------- > When ip_conntrack_pptp / ip_nat_pptp modules are loaded in addition to ftp ones, the oops happens in one of the latter two modules. I'm not sure I understand. ip_conntrack shouldn't be unloadable while these modules are still loaded, so how