On Thursday 2008-11-27 09:53, IKA SysAdmin wrote:

>Hi there,
>I had a problematic experience with iptables and thought, you might be interested.
>regards, Claudia

I'd be interested in the ruleset.

>iptables added (created with firewall builder 3), only certain
>networks have access on the port 443, some on the samba shares on
>the server and some on the ssh port, everything else is closed down.
>cronjob, that refreshed the firewall builder iptables all 15min.
>(*/15 * * * * /bin/sh /etc/firewall/IkaFw.fw > /dev/null) svn
>clients mostly with tortoise over https port
>
>Problem with subversion:
>
>* commits and updates worked, but only with few files. As soon as
>  somebody committed lots of files, the connection got lost.
>* to make it more problematic, the https port was not available
>  anymore from at least two subnets (one of them outside the virtual
>  network of the campus), but it was still available from within the
>  same subnet as the server is and from another subnet outside the
>  virtual network of the campus
>* on the server everything looked fine, httpd running, no errors in
>  logfiles - but it wasn't accessible from all networks anymore
>* after a reboot of the server, everything worked again - until
>  somebody committed lots of files again
>* after trying some things, I stopped iptables and we were able to
>  commit lots of files
>* also the flushing of the iptables helped - for one big commit,
>  afterwards the server wasn't accessible anymore from most of the
>  outside networks

Must have been your cron script reloading the ruleset.

>* The use of the sambashare didn't produce any errors, we were able
>  to load lots of heavy files on that share.

That's because SVN over http issues, I believe, one request per file.
If it does not use HTTP pipelining, that means one connection per file.
Which is likely to be detected as a DoS attack.
Hooray for svn -.-
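
The effect suggested in the reply above, as an added example that is not part of the original thread: a token-bucket limit on new connections per source, of the kind iptables' `limit` and `hashlimit` matches implement, run against one-connection-per-file traffic and against a single long-lived session. The rate, burst and traffic patterns are assumptions, since the actual ruleset is not shown in the thread.

```python
# Constructed model: token-bucket limit on NEW connections from one source.
# RATE, BURST and the traffic patterns are assumptions, not values from the
# ruleset discussed in the thread. Integer ms / milli-tokens keep it exact.

def admitted(arrivals_ms, rate_per_s, burst):
    """Return (accepted, dropped) for connection attempts at the given times.

    The bucket starts full (`burst` tokens), refills at `rate_per_s` tokens
    per second up to `burst`, and each new connection costs one token.
    """
    cap = burst * 1000                      # bucket depth in milli-tokens
    tokens, last = cap, None
    accepted = dropped = 0
    for t in sorted(arrivals_ms):
        if last is not None:
            # dt [ms] * rate [tokens/s] == refill in milli-tokens
            tokens = min(cap, tokens + (t - last) * rate_per_s)
        last = t
        if tokens >= 1000:                  # one whole token available
            tokens -= 1000
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def per_file_connections(n_files, interval_ms):
    """One new connection per file (no keep-alive, no pipelining)."""
    return [i * interval_ms for i in range(n_files)]


RATE = 1     # assumed: 1 new connection per second per source
BURST = 10   # assumed: bucket depth

small_commit = per_file_connections(5, 50)     # 5 files, 50 ms apart
big_commit = per_file_connections(200, 50)     # 200 files in about 10 s
single_session = [0]                           # e.g. one long-lived SMB session

if __name__ == "__main__":
    for name, arrivals in [("small commit", small_commit),
                           ("big commit", big_commit),
                           ("single session", single_session)]:
        ok, drop = admitted(arrivals, RATE, BURST)
        print(f"{name:15s} new={len(arrivals):3d} accepted={ok:3d} dropped={drop:3d}")
```

Under these assumed values the small commit and the single session stay inside the burst allowance, while the large commit exhausts it after ten connections and then gets one connection through per second.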