On Friday 30 January 2004 10:49 pm, jo@xxxxxxxxxx wrote:
> I guess the remote ssh-server is sending keepalive packets, and somehow
> the ipfilter understands that those packets must be passed to the
> intranet, even though they are OOB to the outgoing TCP connection.
> Netfilter does not seem to understand this.
>
> Is this assumption correct? If so, does netfilter have a tuning so it
> keeps ssh connections alive or do I advise to switch back to ipfilter?

Add a LOG rule to your ruleset just before the default DROP policy kicks in (if you want, you can be selective and only LOG packets coming from one of the ssh servers people are connecting to) and see whether you are getting packets of some sort back from the servers which are out of band and therefore not getting to the clients.

In my opinion this is unlikely - any keepalive packets for an ssh connection would be sent across the ssh link itself, not out of band in some other channel; however, this is an easy way in which you can identify whether this is what's happening.

Put the LOG rule in both your INPUT and FORWARD chains so you catch stuff trying to get to the clients' addresses as well as anything coming in to the firewall itself.

Regards,

Antony.

--
What is this talk of "software release"? Our software evolves and matures until it is capable of escape, leaving a bloody trail of designers and quality assurance people in its wake.

Please reply to the list; please don't CC me.