Re: conntrack-tools and Session syncing




On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:

> That works as expected. If e.g. I ping from an inside server to somewhere
> outside, ICMP request leaves via router2, the answer comes back via
> router1. conntrack -e on router1 shows this session (as unreplied), BUT
> the firewall blocks it as new connection - that means iptables does not
> recognize conntrackd's addition to the session table.

First off, if you have traffic leaving one router and coming back on another 
router, that is Asynchronous routing and is not a good thing, as you are 
seeing.

Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going to 
block this traffic as it was set up to do.  Firewall 1 is thinking this is a 
new connection.

Since I don't know your setup, my questions are:

1. How many Internet connections do you have?
2. Does router 2 have a valid public IP on the interface connecting to the 
Internet?


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
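The symptom Dirk describes (the entry exists on router1 but stays unreplied while the replies arrive there) can be checked from a saved table listing. The following is an added example, not code from the thread; it assumes the `conntrack -L` line format (proto, then `src=`/`dst=` fields for the original and reply tuples, with `[UNREPLIED]` between them) and uses constructed sample lines, not output captured from either router.

```shell
#!/bin/sh
# Added example: list the entries in a `conntrack -L` listing that are still
# marked [UNREPLIED], i.e. flows for which this router has never seen a reply
# packet. On the router that receives the replies, an entry that stays
# UNREPLIED while replies keep arriving is the asymmetric-routing symptom
# discussed in the thread, not a missing conntrackd sync.

# Constructed sample of `conntrack -L` output (not captured from a real host).
SAMPLE_CT='icmp     1 29 src=10.1.1.5 dst=203.0.113.9 type=8 code=0 id=4242 [UNREPLIED] src=203.0.113.9 dst=10.1.1.5 type=0 code=0 id=4242 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.7 dst=203.0.113.20 sport=40111 dport=443 src=203.0.113.20 dst=10.1.1.7 sport=443 dport=40111 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.1.8 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=10.1.1.8 sport=53 dport=5353 mark=0 use=1'

# unreplied_entries: read conntrack lines on stdin and print one line per
# UNREPLIED entry as "<proto> <orig src>-><orig dst> reply <rep src>-><rep dst>".
unreplied_entries() {
    awk '
        /\[UNREPLIED\]/ {
            proto = $1; n = 0
            # src=/dst= fields appear in order: 1,2 = original tuple, 3,4 = reply tuple.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(src|dst)=/) { n++; split($i, kv, "="); addr[n] = kv[2] }
            printf "%s %s->%s reply %s->%s\n", proto, addr[1], addr[2], addr[3], addr[4]
        }'
}

# count_unreplied: number of UNREPLIED entries in the input.
count_unreplied() {
    unreplied_entries | wc -l | tr -d ' '
}

# Usage on a live router would be: conntrack -L 2>/dev/null | unreplied_entries
printf '%s\n' "$SAMPLE_CT" | unreplied_entries
```

An entry that appears here for a flow whose replies are visibly arriving on this router (for example in a packet capture) confirms that the reply tuple is never matched, which is why the filter sees the packets as NEW.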
