Displaying 20 results from an estimated 2000 matches similar to: "conntrack entries established before nat"
2013 Nov 21
14
openvpn restart fails with dual entry in conntrack and wrong sourceport
The establishment of an OpenVPN link sometimes fails.
I tracked it down to network traffic with the wrong source port in the answer
packet (should be 1300, not 1024):
2 1.119309000 aaa.185.165 bbb.162.192 UDP 58 Source port: 1300
Destination port: 1300
3 1.119446000 bbb.162.192 aaa.185.165 UDP 66 Source port: 1024
Destination port: 1300
and a collateral entry in the connection tracking table
2003 Feb 14
6
[Bug 49] TCP conntrack entries with huge timeouts
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=49
------- Additional Comments From laforge@netfilter.org 2003-02-14 08:39 -------
what patches from patch-o-matic do you use? Do you know how to reproduce this
behaviour?
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
2004 Oct 13
4
Connection tracking on non-masqueraded interfaces.
I don''t think this has anything to do with Shorewall but I am not too
familiar with iptables stuff yet so I''m not sure.
Running Shorewall shorewall-1.4.9 on Mandrake Linux release 9.2 (FiveStar)
for i586 Kernel 2.4.22-37mdk.
Run "nmap -sP 192.168.x.x/24" (for example), where 192.168.x.x/24 is the LAN.
You can do this from a firewall/router, or even from a
2008 Aug 10
1
conntrack-tools and Session syncing
Hi folks,
I have 2 firewalls, setup with Centos 5.2. They are also routers, connected
to 2 upstream routers.
I have some cases where connections from servers to the internet leave my
network via router2 and answers come back via router1. So I added conntrack
tools to both routers/firewalls to synchronize the session tables (using
ftfw protocol).
That works as expected. If e.g. I ping from
2012 Oct 16
1
Trouble with tftp
I'm trying to enable tftp traffic initiated from our dmz network to our
internal network. I have:
TFTP(ACCEPT) dmz loc:10.10.10.1
in /etc/shorewall/rules, and:
loadmodule nf_conntrack_tftp
in /etc/shorewall/modules.
The module is loaded and I do see some entries come and go, e.g.:
udp 17 10 src=4.28.99.164 dst=10.10.10.1 sport=2071 dport=69 [UNREPLIED]
2004 Aug 30
3
[Bug 98] state ESTABLISHED allow ipip tunnels
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=98
netfilter@linuxace.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |netfilter@linuxace.com
Status|ASSIGNED |RESOLVED
Resolution|
2006 Aug 03
28
[Bug 498] RTP packets are not hitting NAT table
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=498
cfilin@intermedia.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |chip@innovates.com
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are
2006 Jul 21
6
Quick Question on [UNREPLIED] in the state tables
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have a situation where some Poptop/PPTP sessions (only with FC5/Shorewall to FC5/Shorewall firewall in between) cause the following to appear in the state table (shorewall show connections).
unknown 47 420 src=XX.234.79.183 dst=XX.234.137.226 packets=2 bytes=130 [UNREPLIED] src=XX.234.137.226 dst=XX.234.79.183 packets=0 bytes=0 mark=0 use=1
2017 Feb 16
3
[Bug 1123] New: conntrackd will not accept connection records into kernel table from another machine
https://bugzilla.netfilter.org/show_bug.cgi?id=1123
Bug ID: 1123
Summary: conntrackd will not accept connection records into
kernel table from another machine
Product: conntrack-tools
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: major
Priority: P5
2003 Aug 19
1
[Bug 105] Connection tracking table full, no new connections accepted
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=105
laforge@netfilter.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |LATER
------- Additional Comments From
2009 Oct 23
9
sip/iax problem - udp conntrack entries not getting destroyed
Hello all,
I have an asterisk sip/iax peer behind a linux gateway doing nat. I'm using
pppoe with a dynamic ip that changes frequently.
The problem is when the line drops the sip/iax registrations drop as well,
and they don't register thereafter. When I check the conntrack entries, I
noticed the entries still have the old wan ip address and because of
keepalive (i'm
2013 Aug 06
3
[Bug 839] New: SNAT66 does not work for bidirectional UDP
https://bugzilla.netfilter.org/show_bug.cgi?id=839
Summary: SNAT66 does not work for bidirectional UDP
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: Gentoo
Status: NEW
Severity: normal
Priority: P5
Component: NAT
AssignedTo: netfilter-buglog at lists.netfilter.org
2019 Jun 26
4
iptables - how to block established connections with fail2ban?
I am working on a CentOS 6 server with a nonstandard iptables setup
without a rule to ACCEPT ESTABLISHED connections. All tables and chains are
empty (flushed by a legacy custom script), so only the filter/INPUT chain has
rules (also the fail2ban chain):
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-postfix tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all --
2017 Mar 28
2
SipVicious scans getting through iptables firewall - but how?
My firewall and asterisk pjsip config only has "permit" options for my
ITSP's (SIP trunk) IPs.
Here's the script that sets it up.
--------------------------------------------------
#!/bin/bash
EXIF="eth0"
/sbin/iptables --flush
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m
2017 Apr 11
2
connection state tracking with DNS [was Primary DNS...]
Hi, I would like to see this addressed.
I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
Is there a firewalld solution to this issue?
On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative. If you need firewalling, use
2017 Sep 18
0
[Bug 1183] New: need options to output UNREPLIED connections
https://bugzilla.netfilter.org/show_bug.cgi?id=1183
Bug ID: 1183
Summary: need options to output UNREPLIED connections
Product: conntrack-tools
Version: unspecified
Hardware: x86_64
OS: Fedora
Status: NEW
Severity: enhancement
Priority: P5
Component: conntrack
Assignee:
2020 Nov 20
4
Desktop Over NFS Home Blocked By Firewalld
On Fri, Nov 20, 2020 at 12:18 PM Frank Cox <theatre at sasktel.net> wrote:
>
> On Fri, 20 Nov 2020 12:07:40 -0500
> Michael B Allen wrote:
>
> > So TCP src 760 to 41285. What's that?
>
> Apparently "that" is what you need to allow in order for your desktop to work.
>
> What it is actually doing, I'm not sure. Google tells me that port 760 has
2004 Jun 28
5
iproute and shorewall
Hi,
I got a problem with iproute and shorewall but I don't know where the real
problem is yet, perhaps someone can shed any light on this one.
What we currently do is route all traffic coming from a specific host through
our second isp's nat router. This is done via SNAT on our own router.
/etc/shorewall/masq:
eth2 $INTERNALHOSTA 192.168.0.142
We now
2004 Oct 18
11
how can i log everything?
hi,
it'd be very useful to add some kind of "log everything" option to
shorewall. currently the logging is useful if you know what you would
like to log. but if you don't know then it's a problem...
another problem is that currently it's not possible to log the nat table.
at least i can't find any way (can't add logging into masq and
2006 Jul 15
15
[Bug 464] state match sometimes fails RELATED,ESTABLISHED matches
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=464
------- Additional Comments From netfilter@linuxace.com 2006-07-15 18:38 MET -------
Jurgen: you are behind a box which doesn't understand the SACK option. From
your trace:
02:52:32.237095 IP 134.76.88.65.11064 > 84.132.150.225.32805: P
237274514:237275954(1440) ack 372631662 win 181 <nop,nop,timestamp 229942196