Hello, Interesting. Do you think it's anything to do with chaining the three FW's? Are you sure you don't have any back-door for the first SYN to by-pass the "outer" FW, so the SYN,ACK is being considered as unrelated? Ramin On Tue, Aug 12, 2003 at 03:38:40PM +0200, Tom Van Overbeke wrote: > Hi, > > > I'm faced with an environment where there are 3 iptables firewalls directly > connected to one another. I have a few servers on one end, that need to talk > to servers on the other end of the 3 firewalls. (we use fwbuilder to > maintain the firewalls). > > normally, i have no problems adding stateful rules to enable/disable > traffic, but in this case, i seem to either have hit a bug, or maybe a > limitation of iptables ??? > > > my case: > > i need to have a server talk to our backup server via an agent. we know > which ports the backup app uses, and have before succesfully changed our > firewall to enable backups on previous occasions. > > now, with 3 firewalls in between, i thought i could just use the exact 3 > rules and put them on each firewall, and it should work. > > > but ... it doesn't. on one of the outer firewalls, i see that the session > setup packets (ACK SYN bits are set) is being blocked. > > > i had already solved a similar problem (with big brother) by doing it the > 'ipchains' way, that is creating a rule for the traffic in each direction, > and disabling the 'statefulness' of the rule. obviously, i'm not too happy > with this solution, so I'd thought i ask you guys if the connection tracking > might have problems with multiple firewalls chained together ? > > > > thx, > > > Tom. > > > > > > **************************************************************************** > Disclaimer: > This electronic transmission and any files attached to it are strictly > confidential and intended solely for the addressee. If you are not > the intended addressee, you must not disclose, copy or take any > action in reliance of this transmission. If you have received this > transmission in error, please notify the sender by return and delete > the transmission. Although the sender endeavors to maintain a > computer virus free network, the sender does not warrant that this > transmission is virus-free and will not be liable for any damages > resulting from any virus transmitted. > Thank You. > **************************************************************************** >
