Here is the firewall-builder file, the rules are within, I hope this is what you wanted. It's not SVN over http but over https. I don't know exactly how SVN works. But still, if iptables detected it as DoS, why was the server accessible from some computers and not from others (it was not accessible e.g. from my computer, which didn't have any connections to the server)?

Regards,
Claudia

-----Original Message-----
From: jengelh@xxxxxxxxxxxxxxxxxxxxxxxxx on behalf of Jan Engelhardt
Sent: Thu 27.11.2008 13:11
To: IKA SysAdmin
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Subject: Re: iptables cut specific connections when lots of files are committed via subversion

On Thursday 2008-11-27 09:53, IKA SysAdmin wrote:

>Hi there,
>I had a problematic experience with iptables and thought you might be interested.
>regards, Claudia

I'd be interested in the ruleset.

>iptables added (created with firewall builder 3), only certain
>networks have access on the port 443, some on the samba shares on
>the server and some on the ssh port, everything else is closed down.
>cronjob that refreshed the firewall builder iptables every 15 min.
>(*/15 * * * * /bin/sh /etc/firewall/IkaFw.fw > /dev/null) svn
>clients mostly with tortoise over https port
>
>Problem with subversion:
>
>* commits and updates worked, but only with few files. As soon as
>  somebody committed lots of files, the connection got lost.
>* to make it more problematic, the https port was not available
>  anymore from at least two subnets (one of them outside the virtual
>  network of the campus), but it was still available from within the
>  same subnet as the server is and from another subnet outside the
>  virtual network of the campus
>* on the server everything looked fine, httpd running, no errors in
>  logfiles - but it wasn't accessible from all networks anymore
>* after a reboot of the server, everything worked again - until
>  somebody committed lots of files again
>* after trying some things, I stopped iptables and we were able to
>  commit lots of files
>* also the flushing of the iptables helped - for one big commit,
>  afterwards the server wasn't accessible anymore from most of the
>  outside networks

Must have been your cron script reloading the ruleset.

>* The use of the sambashare didn't produce any errors, we were able
>  to load lots of heavy files on that share.

That's because SVN over http issues, I believe, one request per file. If it does not use HTTP pipelining, that means one connection per file. Which is likely to be detected as a DoS attack. Hooray for svn -.-
Attachment: IkaFw.fw
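The diagnosis in the thread (one HTTPS connection per committed file tripping a rate-counting rule, which the 15-minute cron reload then reinstates) can be checked against the ruleset itself. The shell script below is an added example, not part of the thread and not Firewall Builder output: it audits an iptables-save dump for rules that use the limit, hashlimit, recent or connlimit matches and singles out the ones that DROP on port 443. The dump embedded in sample_ruleset is constructed for illustration, and the function names, sample subnets and thresholds are assumptions, not values from IkaFw.fw.

```shell
#!/bin/sh
# Added example (not from the thread, not Firewall Builder output):
# audit an iptables-save dump for matches that treat a burst of new
# connections from one client as a DoS. Since SVN over HTTPS opens
# roughly one connection per file, such a rule on the port 443 path
# is the first thing to look for. On a real host the input would come
# from:  iptables-save | find_rate_limit_rules

# Constructed sample dump in iptables-save format (subnets and
# thresholds are made up for illustration).
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name https_dos -j DROP
-A INPUT -p tcp --dport 443 -m state --state NEW -m recent --name https --set
-A INPUT -p tcp --dport 443 -m state --state NEW -m recent --name https --update --seconds 60 --hitcount 20 -j DROP
-A INPUT -s 10.1.0.0/16 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.2.0.0/16 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "ssh: "
COMMIT
EOF
}

# Print every rule that uses a rate or connection-counting match,
# as: chain <TAB> dport=<port or -> <TAB> full rule text.
find_rate_limit_rules() {
  awk '
    /^-A / && /-m (hashlimit|recent|connlimit|limit) / {
      chain = $2
      port = "-"
      for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
      printf "%s\tdport=%s\t%s\n", chain, port, $0
    }'
}

# Number of such rules in the dump read from stdin.
count_rate_limit_rules() {
  find_rate_limit_rules | wc -l | tr -d ' '
}

# Counting rules on 443 whose target is DROP: these are the ones that
# would cut a client in the middle of a large commit.
https_dropping_rules() {
  find_rate_limit_rules | awk -F'\t' '$2 == "dport=443" && $3 ~ /-j DROP/'
}

# Stand-alone run: list the candidates found in the constructed dump.
sample_ruleset | find_rate_limit_rules
```

With the functions sourced on the server, `iptables-save | https_dropping_rules` shows which rule to look at first. Because the cron job restores the same ruleset every 15 minutes, stopping or flushing iptables only helps until the next reload, which matches the symptoms reported; the durable fix is to raise the threshold of the tripped rule or to place an ACCEPT for the networks that legitimately run SVN ahead of it.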