Displaying 20 results from an estimated 4000 matches similar to: "Re: iptables rule not matching after stream begins"
2006 Dec 11
21
iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
Hi, I'm having problems with this configuration:
iptables 1.3.7 (vanilla or repackaged for fc5)
kernel 2.6.19 (vanilla)
ROUTE 1.11 (last pom-ng)
layer7-filter 2.6 (last in sf.net)
connlimit (last pom-ng)
When I try to use -j ROUTE in any chain in mangle table I have this error:
[root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp
-j ROUTE --gw
2003 Mar 20
6
[Bug 68] Kernel panic
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=68
------- Additional Comments From laforge@netfilter.org 2003-03-20 10:55 -------
This looks strange.
The BUG in slab.c tells us that there is a GFP_ATOMIC missing. This means that
we are allocating kernel memory from softirq context with only GFP_KERNEL.
If I understand your backtrace correctly, what happens is:
- you are
2004 Oct 01
4
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
claas@rootdir.de wrote:
> Hello,
>
>
> I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running,
> but I still have a problem:
>
> Validating hosts file...
> Error: Your kernel and/or iptables does not not support policy
match: ipsec
>
> I had a look for netfilter patch-o-matic, but I did not find the
2004 Apr 22
1
IMQ compile procedure ??
Hi Guys,
I'm trying to compile IMQ with kernel-2.4.26 and iptables-1.2.9
and I want to know is this procedure is correct:
----------------------------------------
- In Kernel 2.4.26 Directory (/usr/src/linux)
# cd /usr/src/linux
# wget http://www.linuximq.net/patchs/linux-2.4.24-imq.diff
# patch -p1 < linux-2.4.24-imq.diff
- In Patch O Matic Directory
2005 Oct 22
4
Differentiating between http downloads and interactive traffic
Hi,
I've been wondering if anyone has thought of a way to differentiate
between an established http download and interactive http traffic? I
would like to give interactive http traffic priority over someone
downloading large files.
Has anyone any ideas how to detect packets that are part of a download
like this?
Thanks.
2004 Dec 16
6
[OT] New (old) Firewall at shorewall.net
I've rebuilt my old P-II/233 with Debian Sarge and it is now serving as
my main firewall. It is running a home-built 2.6.9 kernel with the
ipsec-netfilter and policy match patches.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \
2004 Oct 31
9
Masquerading through IPSECed wireless dropping packets selectively?
Hello,
I'm stuck IPSECing my wireless network at home and would appreciate any
comments. I apologize in advance if I'm wasting your time with trivia -
I'm not a professional and staring at the problem for days from various
angles hasn't done me any good ...
My home server/firewall (morannon) is hooked up through an USB to
ethernet adapter (eth1) to my DSL
2006 Jul 04
25
[Bug 490] ROUTE extension module unusable since 2.6.16
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=490
netfilter@linuxace.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |netfilter@linuxace.com
Status|NEW |RESOLVED
Resolution|
2004 Sep 19
2
Time-based rules
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!, I'd like to know how to set up shorewall to deny a user-defined
action in a time-based basis, for example, I have a group of users
using MSN, AOL, www and https, in a defined action called
action.BasicAccess now, I want this access to be enabled only on
lunch time from Monday through Friday and weekends from noon to
6pm... I know
2007 Jun 11
7
shaping using source IP after NAT
Hi all
I am using a pass thru router and I need to QoS some clients output by its
IP address. The problem is that QoS is due after NATing.
Is there some clever way of doing this besides MARKing every packet with
some IP hashing in POSTROUTING NAT table?
Regards
Ethy
2007 Feb 23
3
Conntrack table full and Heavy p2p loaded traffic manager ...
Hello
I've set up a bridge with l7-filter and ipp2p. We have every day + or
- between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers.
When traffic increases, I've got this kind of error message:
Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.
The server is celeron
2006 Sep 02
3
Traffic shaper based on UIDs
Hello!
I need assistance to solve my problem related to traffic shaping based on
the user ids.
The problem: each unix user (of the linux host) has to be limited with
incoming channel (internet) bandwidth. I need this to implement
internet access solution based on ltsp (http://www.ltsp.org).
As far as I know the best way to shape traffic in linux is CBQ.
But there is no filter based on unix
2007 Oct 06
7
ipp2p segmentation fault
Hi all.
On Sep 26th I decided to try and get ipp2p working on my machine that acts as a gateway for my Internet connection.
This machine is running Debian.
I performed the install by doing the following steps:
- I installed the Debian package called linux-source-2.6.22 for my Linux kernel source and unpacked the resulting tar.bz2 file.
- From the netfilter.org site I downloaded the following
2004 Oct 13
4
Connection tracking on non-masqueraded interfaces.
I don't think this has anything to do with Shorewall but I am not too
familiar with iptables stuff yet so I'm not sure.
Running Shorewall shorewall-1.4.9 on Mandrake Linux release 9.2 (FiveStar)
for i586 Kernel 2.4.22-37mdk.
Run "nmap -sP 192.168.x.x/24" (for example), where 192.168.x.x/24 is the LAN.
You can do this from a firewall/router, or even from a
2006 Jul 08
2
TARPIT target in iptables
Has anyone been successful at using the TARPIT target in iptables under
CentOS 4?
I am using CentOS 4.3, fully updated with iptables-1.2.11-3.1.RHEL4 and
kernel-2.6.9-34.107.plus.c4
Doing a locate on TARPIT returns:
# locate TARPIT
/lib/iptables/libipt_TARPIT.so
This makes me think that the TARPIT target would be valid, however when I
try to use it, I get the following response:
# iptables
2004 Jul 22
7
Re: Problems routing mail to particular interface
Is the 192.168.1.2 an ip on the router? If yes, you'll have to mark in
OUTPUT, not PREROUTING, also, after you set up the rules and routes,
did you an
ip route flush cache
?
I hope this works
On Wed, 21 Jul 2004 20:02:32 -0700, Jens <jens@pacificsun.ca> wrote:
> I have a particular problem that has caused me grief for some time now and
> even though the answer is probably
2005 Mar 23
9
multiple vpn connections out via shorewall
Hi All,
Just joined the list to try and solve a problem.
To show that I've read the rules I'll start with the requested info
os linux kernel-2.4.27 with latest netfilter pom for gre and pptp conntrack
etc
iptables is 1.3.0 - downloaded and compiled with the pom stuff and the 2.4.27
kernel
shorewall version shorewall-2.2.1-2 from rpm
ip addr show
[root@squid3 root]# ip addr
2004 Sep 09
5
Limiting speed of individual TCP sessions ?
Hi All,
Does anyone know of a way to limit the speed of *individual* TCP sessions,
but without placing any overall bandwidth limits, and without requiring an
explicit QoS entry for every ip address the machine is communicating with ?
The scenario is a mailserver - say you want to limit individual TCP
sessions (pop3, smtp etc) to no more than 512Kbit so that an individual
session
2004 Mar 16
4
split route questions
I am working on a split route and ShoreWall system. I reviewed the
lartc documentation but have a few areas that I still need help on.
Here is my network:
64.xxx.xxx.1/25 66.xxx.xxx.129/26
| |
#################################################
# Eth2 64.xxx.xxx.2 eth0 66.xxx.xxx.130 #
#
2006 Apr 17
24
Sip Traffic
Hi.
is there a way to MARK udp VOIP (SIP) traffic,
in order to put it in a highest prio class?
Traffic flow seems to start on udp port 5060, but
next both server and client seem to jump to a
random(?) port.
I can't use CONNMARK because it is udp traffic.
I only see a pattern for the L7 patch for
SIP traffic identification, but I run the 2.4
kernel series.
When you patch 2.4 kernel with