Hello,

I've been using a netfilter-based border firewall for months, with full satisfaction. A few days ago, some users started complaining about difficulties accessing an external https service... After some investigation, I found that some packets were dropped by the firewall.

The local client sends SYN packets that go nicely through the firewall; the remote server sends SYN+ACK packets that get dropped. After a few resends (both ways), the local client sends a RST packet, and then a new SYN packet (same source port); the server replies and the reply goes through the firewall.

The first input rule is "-m state --state INVALID -j DROP". I added an exception to accept packets from the remote server port 443, even when they are INVALID, and now things work fine.

Now, I see that many packets get accepted by this workaround. Some packets have SYN+ACK, but there are also some with ACK, ACK+PSH or ACK+FIN... Is there a way I can investigate why netfilter considers those packets INVALID?

I tried to set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal, and then only some SYN+ACK packets get accepted by the workaround, but I have not really understood what this ip_conntrack_tcp_be_liberal option does. Moreover, it is not sufficient, since there are still some SYN+ACK packets that are considered INVALID.

I also tried to set /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid, but I only got one packet logged every few seconds, and nothing related to the remote service I have problems with.

Regards,
Nicolas
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
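Editor's note on the question above, with an added example that is not part of the original post. Two facts about the knobs mentioned: the log_invalid sysctl takes an IP protocol number, so it must be set to 6 to log TCP (255 logs every protocol; 1 would log only ICMP), and tcp_be_liberal=1 only disables the TCP window check (for non-RST segments), so it clears "out of window" rejections but not packets the TCP state machine refuses, which stay INVALID. Once TCP logging is on, the kernel prefixes each rejected packet with the reason (nf_ct_tcp: ... on current kernels, ip_ct_tcp: ... on the old ip_conntrack code) followed by the usual LOG-style packet dump. The script below groups such lines by reason and TCP flags for one remote port, and separates the window-check rejections from the state-machine ones. The sample log lines are constructed here, modelled on that format, and the exact reason strings are assumed from the kernel's TCP tracker; adjust the regex if your kernel words them differently.

```python
"""Summarise netfilter 'invalid packet' kernel log lines for TCP.

Added example (not from the original post or the netfilter project).
Assumes nf_conntrack_log_invalid / ip_conntrack_log_invalid output:
a reason prefix from the TCP tracker, then a LOG-style dump starting at IN=.
"""
import re
from collections import Counter

# Reason text sits between "nf_ct_tcp: " (or "ip_ct_tcp: ") and the "IN=" dump.
REASON_RE = re.compile(r"(?:nf|ip)_ct_tcp: (?P<reason>.*?)\s*(?=IN=)")
# KEY=value fields of the packet dump; bare tokens such as "ACK SYN" are flags.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")

# Assumption: reasons from the window check mention a bound; these are the only
# rejections that tcp_be_liberal=1 clears. State-machine rejections are unaffected.
WINDOW_REASON_MARKERS = ("lower bound", "upper bound")

# Constructed sample lines (not real captures), modelled on the kernel format.
SAMPLE_LOG = """\
kernel: nf_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=40001 SEQ=1000 ACK=5001 WINDOW=5792 RES=0x00 ACK SYN URGP=0
kernel: nf_ct_tcp: invalid packet ignored in state ESTABLISHED IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=40002 SEQ=2000 ACK=6001 WINDOW=5792 RES=0x00 ACK SYN URGP=0
kernel: nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK) IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=443 DPT=40001 SEQ=1001 ACK=5001 WINDOW=5792 RES=0x00 ACK PSH URGP=0
kernel: nf_ct_tcp: invalid packet ignored in state TIME_WAIT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=80 DPT=40003 SEQ=3000 ACK=7001 WINDOW=1024 RES=0x00 ACK FIN URGP=0
kernel: nf_ct_icmp: invalid ICMP type IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=84 PROTO=ICMP TYPE=3 CODE=1
"""


def parse_invalid_line(line):
    """Return a dict for a TCP 'invalid' log line, or None if it is not one."""
    m = REASON_RE.search(line)
    if m is None:
        return None
    dump = line[m.end():]
    fields = dict(FIELD_RE.findall(dump))
    if fields.get("PROTO") != "TCP":
        return None
    present = set(dump.split())
    reason = m.group("reason")
    return {
        "reason": reason,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields.get("DPT", 0)),
        # Canonical flag order, so "ACK SYN" in the dump reads as SYN+ACK.
        "flags": "+".join(f for f in TCP_FLAGS if f in present),
        "window_check": any(w in reason for w in WINDOW_REASON_MARKERS),
    }


def summarize(lines, remote_port=None):
    """Count (reason, flags) pairs, optionally only for one remote source port."""
    counts = Counter()
    for line in lines:
        rec = parse_invalid_line(line)
        if rec is None or (remote_port is not None and rec["spt"] != remote_port):
            continue
        counts[(rec["reason"], rec["flags"])] += 1
    return counts


def still_invalid_with_be_liberal(lines, remote_port=None):
    """Rejections that be_liberal would not clear: those not from the window check."""
    counts = Counter()
    for line in lines:
        rec = parse_invalid_line(line)
        if rec is None or (remote_port is not None and rec["spt"] != remote_port):
            continue
        if not rec["window_check"]:
            counts[(rec["reason"], rec["flags"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (reason, flags), n in summarize(lines, remote_port=443).items():
        print(f"{n:3d}  {flags:<8} {reason}")
    print("not fixed by tcp_be_liberal:",
          dict(still_invalid_with_be_liberal(lines, remote_port=443)))
```

Feed it the real lines with something like `grep _ct_tcp /var/log/kern.log | python3 invalid_summary.py` after adapting the main block to read stdin. If logging via the sysctl stays empty for the problem flows, a `-m state --state INVALID -j LOG --log-prefix "INVALID: "` rule placed just before the DROP shows which packets are being discarded, though without the tracker's reason.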