Re: kernel-image-2.6-k7 and Shorewall firewall

On Wed, 30 Jul 2008, Steven Jan Springl wrote:

On Wednesday 30 July 2008 16:41, Account for Debian group mail wrote:
Hello,

We just did an upgrade on one of our etch servers. It installed a bunch
of new updates including a kernel-image 2.6.18-6-k7. This computer is
running the Shorewall Firewall. Everything seemed to be working OK till we
tried to ping the server.

The firewall is set to let in pings every second:
From "rules" file inside shorewall - this has always worked:

ACCEPT net $FW icmp 8 - -
1/sec

What iptables-save shows:
-A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT

Should work!

What syslog shows:
Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=32799 SEQ=8
(numbers change to protect the innocent)

I change the "rules" file to:

ACCEPT net $FW icmp 8 - -

so it just accepts pings and it works just fine.

Seems like something has changed in this new kernel-image. Is it possible
that 1 second in the iptables stuff is no longer 1 second? Do I need to
decrease or increase the time limit? Anyone else run into this? I would
still like to limit the ping rates.

Thanks,

Ken
Ken

I have just tried this with the updated 2.6.18-6-k7 kernel, but I cannot
re-create your problem.

Steven.

Steven,

Thanks for the reply. I went and configured Shorewall back the way it was
and now it works fine. I rebooted the server and still it works the way
it should. I know what it was doing and the logs prove me out. So all I
can think now is that it is an intermittent problem - great.

Again thanks for checking it out on your end.

Ken


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages

  • RE: NATD server problem on 5.3 ?
    ... > Can it ping PCs on the LAN? ... > Can a win LAN PC ping the server? ... > Have you tested with firewall out of the way by having only single ... To unsubscribe, ...
    (freebsd-questions)
  • Re: kernel-image-2.6-k7 and Shorewall firewall
    ... We just did an upgrade on one of our etch servers. ... Seems like something has changed in this new kernel-image. ... still like to limit the ping rates. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
    (Debian-User)
  • kernel-image-2.6-k7 and Shorewall firewall
    ... We just did an upgrade on one of our etch servers. ... Seems like something has changed in this new kernel-image. ... still like to limit the ping rates. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
    (Debian-User)
  • Re: Debian resolves unkown hosts to itself
    ... But when I ping va.med.gov from the same server, it seems to resolve to the public ip of the box Im pinging from. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ...
    (Debian-User)
  • Debian resolves unkown hosts to itself
    ... But when I ping va.med.gov from the same server, it seems to resolve to the public ip of the box Im pinging from. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ...
    (Debian-User)