On Fri, 2002-10-25 at 20:45, Julian Anastasov wrote:
>
> 	Hello,
>
> On Fri, 25 Oct 2002, Arthur van Leeuwen wrote:
>
> > > 	Now I see, then the TOS is a big problem for you. Maybe
> > > your problem will be solved if TOS is not a routing key, but
> > > it does not sound like a thing that is easy to fix in the kernel.
> >
> > Actually, you can simply play whack-a-mole with the TOS value, using
> > ipchains (or iptables), killing all TOS values present on the packets.
> > Of course, this is not very *nice*, but it'll work.
>
> 	This is a good idea. Vincent, maybe you can play with
> ipchains -t AND XOR in the input chain to see what happens. Just make sure
> you don't touch bits 0, 1, 5, 6, 7. It seems the routing uses only bits
> 2, 3 and 4 for the routing key (if I'm not overlooking something).
> This is for kernel 2.4. For kernel 2.2 it seems bit 1 is also
> included in the routing key.
>
> 2.4 mask 0x1C, inverted 0xE3
> 2.2 mask 0x1E, inverted 0xE1
>
> So, for 2.2 maybe:
>
> ipchains -I input -d 0.0.0.0/0 22 -t 0xE3 0x00

Just tried. Now SSH connections don't break anymore !!! :)
Thanks !

Am I supposed to do this on both sides, or is doing this on the firewall itself enough?

>
> 	What are the TOS values used during the SSH session?

Right after authentication, the TOS value is set to 0x10:

20:53:46.515566 192.168.0.2.ssh > 172.1.1.3.2418: R 4008315859:4008315859(0) win 0 [tos 0x10]

The only problem with this is that I will need to do this trick for any application changing its TOS during the session. It seems that FTP behaves exactly the same way as SSH regarding the TOS field.

Do you guys know if many applications do this? Or is this just particular to SSH & FTP?

Anyway, I really would like to understand why it doesn't work when doing NAT.

A big thanks to both of you. I've learned a lot today :)

Thanks again.

Regards,
Vincent.

>
> 	Regards
>
> --
> Julian Anastasov <ja@ssi.bg>

--
Vincent Jaussaud
Kelkoo.com Security Manager
email: tatooin@kelkoo.com
"The UNIX philosophy is to design small tools that do one thing, and do it well."

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
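As an added illustration (not part of the thread, and not code from Julian, Arthur or Vincent), the following Python models what the masking trick above does: it applies the AND/XOR rewrite, checks whether a mid-session TOS change still alters the kernel's routing key, and pulls the TOS byte out of a tcpdump line like the one Vincent pasted. It assumes that `ipchains -t ANDMASK XORMASK` computes `(tos & ANDMASK) ^ XORMASK`, and uses the routing-key masks quoted in the thread (0x1C for 2.4, 0x1E for 2.2); the FTP TOS sequence is a constructed sample, not a capture.

```python
import re

# Added example modelling the TOS rewrite discussed on the LARTC list.
# Assumption: `ipchains -t ANDMASK XORMASK` sets new_tos = (tos & ANDMASK) ^ XORMASK.

# Routing-key masks as given in the thread (bits 2,3,4 for 2.4; bit 1 added for 2.2).
ROUTING_KEY_MASK = {
    "2.4": 0x1C,
    "2.2": 0x1E,
}

# tcpdump prints "[tos 0xNN]" only when the TOS byte is non-zero.
TOS_RE = re.compile(r"\[tos 0x([0-9a-fA-F]{1,2})\]")


def rewrite_tos(tos: int, andmask: int, xormask: int) -> int:
    """Apply the assumed ipchains -t rewrite to one 8-bit TOS value."""
    return ((tos & andmask) ^ xormask) & 0xFF


def routing_key(tos: int, kernel: str) -> int:
    """The part of the TOS byte the given kernel feeds into its route lookup."""
    return tos & ROUTING_KEY_MASK[kernel]


def changes_routing_key(tos_before: int, tos_after: int, kernel: str) -> bool:
    """True when a TOS change between two packets also changes the routing key."""
    return routing_key(tos_before, kernel) != routing_key(tos_after, kernel)


def preserved_bits(andmask: int) -> list:
    """Bit numbers an AND mask leaves untouched (Julian wants 0,1,5,6,7 kept)."""
    return [b for b in range(8) if andmask & (1 << b)]


def session_keeps_route(tos_sequence, andmask: int, xormask: int, kernel: str) -> bool:
    """True when every TOS value seen during a session maps to one routing key
    after the rewrite, i.e. the NATed connection is not re-routed mid-session."""
    keys = {routing_key(rewrite_tos(t, andmask, xormask), kernel) for t in tos_sequence}
    return len(keys) == 1


def parse_tcpdump_tos(line: str) -> int:
    """Extract the TOS byte from a tcpdump line; 0 when tcpdump printed none."""
    m = TOS_RE.search(line)
    return int(m.group(1), 16) if m else 0


if __name__ == "__main__":
    # The line Vincent pasted (packet sent right after SSH authentication).
    ssh_line = ("20:53:46.515566 192.168.0.2.ssh > 172.1.1.3.2418: "
                "R 4008315859:4008315859(0) win 0 [tos 0x10]")
    tos = parse_tcpdump_tos(ssh_line)
    print(f"SSH TOS after auth: 0x{tos:02x}")
    print("2.4 routing key changes without the rule:",
          changes_routing_key(0x00, tos, "2.4"))
    print("2.4 routing key stable with -t 0xE3 0x00:",
          session_keeps_route([0x00, tos], 0xE3, 0x00, "2.4"))
    # Constructed sample: an FTP session switching through several TOS values.
    ftp_sample = [0x00, 0x10, 0x08]
    print("2.2 stable with 0xE1:", session_keeps_route(ftp_sample, 0xE1, 0x00, "2.2"))
```

The same functions show why the two inverted masks differ: under the 2.2 key a packet carrying only bit 1 (0x02) survives `-t 0xE3 0x00` untouched and still changes the key, whereas `0xE1` clears it.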