netfilter-owner@xxxxxxxxxxxxxxx wrote:
I'm having some troubles with what should be a very simple firewall to
simply protect a local machine. When the firewall is enabled, ssh and
scp connections will sometimes hang indefinitely. I've tried
configuring the firewall (which blocks all incoming requests to ports
0:1023 except ssh and icmp) with several different tools: firehol, ufw
and lutelwall. If the firewall is turned off, the problem
disappears. With lutelwall there is an option to create a
non-stateful firewall - if that is done, the problem also disappears.
My syslog does show dropped packets that appear to be the cause of the
problem. From tcpdumps at both ends of the connection it looks like
the problem happens if large packets are sent out from behind the
firewall and then arrive in pieces at the other end with a piece
missing. ACK packets coming back in are dropped, and the connection
never recovers.
Any help in diagnosing this would be much appreciated.
Carl
Hello,
The rules you showed us would all allow a local ssh server, so the
ruleset is not the problem.
What confuses me is that you talk about packets from behind the firewall, but
your rulesets don't show any FORWARD rules that would even allow ssh.
If they did, I'd say the problem may be fixable using the TCPMSS
target:
TCPMSS
[...]
This target is used to overcome criminally braindead ISPs or
servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too
Big" packets. The symptoms of this problem are that everything works
fine from your Linux firewall/router, but machines behind it can never
exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
[...]
If you need rules for a non-routing (non-forwarding) machine, why do you
talk about 'behind the firewall'?
Otherwise it's something other than the ruleset.
Log outputs? tcpdumps? Distro? Kernel? iptables version?
Regards
Mart
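The dropped-packet log lines Carl mentions and the path-MTU blackhole that the TCPMSS man page excerpt describes can be told apart from the LOG target's output itself. What follows is an added example, not part of either message: it parses constructed netfilter LOG lines (the "FW-DROP" prefix, the addresses, ports and the MTU value are all made up), flags a dropped ICMP type 3 code 4 as the blackhole case and reports the MSS that --clamp-mss-to-pmtu would write for that MTU, and separates mid-stream ACKs to or from port 22 that the stateful rules refused from ordinary blocked SYNs.

```python
"""Sort netfilter LOG output into the categories that matter when ssh/scp
hang behind a stateful firewall: a dropped ICMP 'Fragmentation Needed'
(path-MTU blackhole, the case the TCPMSS target addresses) versus
mid-stream TCP ACKs that the stateful ruleset refused.

Added example; the log lines below are constructed, not from a real system.
The token layout (KEY=VALUE, bare flag words, the offending packet of an
ICMP error quoted in [...], MTU= after the bracket) follows the LOG target.
"""
import re
from collections import Counter

_KV = re.compile(r"\b([A-Z]+)=(\S*)")             # KEY=VALUE tokens
_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flags
_INNER = re.compile(r"\[([^\]]*\bSRC=[^\]]*)\]")    # packet quoted by an ICMP error

SSH_PORT = "22"

# Constructed sample lines; a LOG --log-prefix of "FW-DROP" is assumed.
SAMPLE_LINES = [
    # 1) ICMP type 3 code 4 from an upstream router, quoting our own outbound
    #    1500-byte ssh segment and announcing a next-hop MTU of 1400.
    "Mar  3 09:41:02 host kernel: FW-DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 "
    "DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0xC0 TTL=254 ID=0 PROTO=ICMP "
    "TYPE=3 CODE=4 [SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=501 "
    "RES=0x00 ACK PSH URGP=0 ] MTU=1400",
    # 2) a mid-stream ACK from the ssh client that the stateful rules refused
    "Mar  3 09:41:03 host kernel: FW-DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=30021 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=2048 RES=0x00 ACK URGP=0",
    # 3) an ordinary blocked connection attempt: expected, not a symptom
    "Mar  3 09:41:09 host kernel: FW-DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.55 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP "
    "SPT=40000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    # 4) unrelated noise
    "Mar  3 09:41:12 host kernel: FW-DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 "
    "DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=21 PROTO=UDP "
    "SPT=137 DPT=137 LEN=58",
]


def _fields(text):
    """KEY=VALUE tokens plus the set of bare flag words found in `text`."""
    f = dict(_KV.findall(text))
    f["FLAGS"] = {tok for tok in text.split() if tok in _FLAGS}
    return f


def parse_log_line(line):
    """Return (outer, inner) field dicts; `inner` is the packet quoted in
    [...] by an ICMP error and is empty for anything else."""
    inner = {}
    m = _INNER.search(line)
    if m:
        inner = _fields(m.group(1))
        line = line[:m.start()] + line[m.end():]
    return _fields(line), inner


def mss_for_mtu(mtu, ipv6=False):
    """MSS that fits `mtu`: what TCPMSS --clamp-mss-to-pmtu writes into a SYN
    (path MTU minus the 20-byte IPv4 / 40-byte IPv6 header and 20-byte TCP header)."""
    return mtu - (60 if ipv6 else 40)


def classify(line):
    """Return (category, details) for one dropped-packet log line."""
    outer, inner = parse_log_line(line)
    proto, flags = outer.get("PROTO"), outer["FLAGS"]
    details = {"src": outer.get("SRC"), "dst": outer.get("DST")}
    if proto == "ICMP" and outer.get("TYPE") == "3" and outer.get("CODE") == "4":
        # Dropping this message leaves the sender retransmitting full-size
        # segments that never arrive: the path-MTU blackhole TCPMSS works around.
        mtu = int(outer.get("MTU", 0))
        details.update(mtu=mtu, mss=mss_for_mtu(mtu),
                       inner_src=inner.get("SRC"), inner_dst=inner.get("DST"),
                       inner_len=int(inner.get("LEN", 0)))
        return "pmtu-blackhole", details
    if proto == "TCP" and "ACK" in flags and "SYN" not in flags:
        # A mid-stream ACK reaching the drop rule means the stateful match did
        # not count it as ESTABLISHED; the conntrack state is the next thing to check.
        details.update(spt=int(outer["SPT"]), dpt=int(outer["DPT"]))
        ssh = SSH_PORT in (outer["SPT"], outer["DPT"])
        return ("ssh-ack-dropped" if ssh else "midstream-ack-dropped"), details
    if proto == "TCP" and "SYN" in flags:
        details.update(dpt=int(outer["DPT"]))
        return "new-connection-blocked", details
    return "other", details


def summarize(lines):
    """Count categories over a batch of log lines."""
    return Counter(classify(line)[0] for line in lines)
```

Feed it the output of `grep FW-DROP /var/log/syslog` (or whatever prefix the LOG rule uses) through summarize(). A non-zero "pmtu-blackhole" count means the ruleset is discarding the ICMP error the sender depends on to shrink its segments; "ssh-ack-dropped" hits are where to look at conntrack, for instance by placing a `-m conntrack --ctstate INVALID -j LOG` rule ahead of the drop to see whether those ACKs were classified INVALID.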