Re: Traffic going out wrong interface

On Tue, Aug 26, 2003 at 12:21:05PM -0400, Chris Brenton spoke thusly:

>What I found weird was that there is no legitimate "communication" reason
>for the legal NAT address to be ARPing for the private NAT address, at
>least not that I can think of. Also, I don't *think* this is
>an "ARP being seen off of all interfaces" problem, as I would expect to see
>ARPs for the external gateway on the internal network if it was and I
>never see these. It's always the legal NAT to private NAT address.

Yes. That would be odd. That said, I've personally seen these ARPs on all
interfaces issue cause odd (*) packet drops when we were debugging our
firewall previously. At that time, I was rather daft and had both the
internal & external ethernet cables plugged into the same 10Mbit hub.

(*) Odd until we figured out the problem. It's been documented on this
    netfilter list a couple of times also.

>>Are you running 'tcpdump' on the firewall/routing device itself ? I think a
>>number of us have noticed rather odd things in regards to snat/dnat
>>addresses when running tcpdump on the firewall itself.
>
>Hummm. I'm not running tcpdump, but I am running Snort which would have 
>the same effect on the interface. Let me shut Snort down for a while and 
>see if the problem goes away. If it does turn out to be Snort, that 
>would be kind of weird as well as I've run this config since last fall. 
>I did recently upgrade to Snort 2.0 however, so maybe something that's 
>changed in Snort from 1.9 --> 2.0 is causing it.

(snip rest)

