On Tue, 2011-11-15 at 10:20 -0600, Jorge Dávila wrote:
> John,
>
> The particular thing I see in the logs is they show the flag DF
> (Don't Fragment).
>
> My first guess is the TCPMSS rule is responsible for generating the logs.
>
> Maybe adjusting the mtu for the interfaces will solve the problem.
>
> Jorge.
<snip>

Thanks, Jorge. However, the packets are quite small and should not be having a problem with DF. I thought, perhaps, they were RSTs and maybe those were not considered RELATED, but that is not always the case:

No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=187.15.198.127 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=20811 DF PROTO=TCP SPT=25 DPT=2307 WINDOW=5840 RES=0x00 ACK PSH URGP=0
No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=180.252.147.149 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=60912 DF PROTO=TCP SPT=25 DPT=19445 WINDOW=5840 RES=0x00 ACK PSH URGP=0

Here are two examples of packets being logged from our public SMTP gateway with tiny packet sizes and no unusual flags. Any other ideas, anyone, of why we would be seeing these logs when we would suspect these packets should be ACCEPTed at the very beginning of the FORWARD chain with a -m state --state RELATED,ESTABLISHED -j ACCEPT rule?

Thanks -

John
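As an added triage aid (not part of the thread, and not anyone's posted code), the Python below parses LOG-target lines like the two above, separating the --log-prefix and KEY=VALUE fields from the bare flag words, and labels each packet by which explanation from the discussion it fits: DF with LEN above the MTU (the TCPMSS/PMTU idea), a bare SYN (genuinely NEW, so the RELATED,ESTABLISHED rule is not meant to match it), or a mid-stream ACK/PSH/FIN/RST that reached the LOG rule without an ESTABLISHED conntrack entry. The sample lines are constructed with documentation-range addresses, and the default MTU of 1500 is an assumption.

```python
# Added example: parse netfilter LOG lines and label each packet by the hypothesis it fits.
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE"}

# Constructed sample lines modelled on the two quoted in the thread; addresses are
# documentation ranges (192.0.2.0/24, 198.51.100.0/24), not the poster's.
SAMPLE_LOG = """\
No Match: IN=bond4 OUT=bond3 SRC=192.0.2.34 DST=198.51.100.127 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=20811 DF PROTO=TCP SPT=25 DPT=2307 WINDOW=5840 RES=0x00 ACK PSH URGP=0
No Match: IN=bond4 OUT=bond3 SRC=192.0.2.34 DST=198.51.100.149 LEN=55 TOS=0x00 PREC=0x00 TTL=63 ID=60912 DF PROTO=TCP SPT=25 DPT=19445 WINDOW=5840 RES=0x00 ACK PSH URGP=0
No Match: IN=bond3 OUT=bond4 SRC=198.51.100.9 DST=192.0.2.34 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Split one LOG line into its --log-prefix, KEY=VALUE fields and bare flag words."""
    tokens = line.split()
    # Everything before the first KEY=VALUE token is the --log-prefix ("No Match:").
    first = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
    fields, flags = {}, set()
    for tok in tokens[first:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)  # DF, MF, SYN, ACK, PSH, FIN, RST, ... are printed as bare words
    return {"prefix": " ".join(tokens[:first]), "fields": fields, "flags": flags}

def classify(pkt, mtu=1500):
    """Label a parsed packet; mtu is the assumed egress MTU for the DF check."""
    fields, flags = pkt["fields"], pkt["flags"]
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if "DF" in flags and int(fields["LEN"]) > mtu:
        return "df-exceeds-mtu"  # the TCPMSS/PMTU explanation: only plausible for large packets
    tcp = flags & TCP_FLAGS
    if "SYN" in tcp and "ACK" not in tcp:
        return "new-syn"  # a NEW connection; a RELATED,ESTABLISHED rule is not meant to match it
    if tcp and "SYN" not in tcp:
        # ACK/PSH/FIN/RST reached the LOG rule, so conntrack had no ESTABLISHED entry for this
        # flow: check for expired or evicted entries and for flows seen in one direction only.
        return "midstream-no-conntrack"
    return "other"

def triage(text, mtu=1500):
    """Return (SRC, DST, label) for every non-empty LOG line in text."""
    packets = (parse_log_line(l) for l in text.splitlines() if l.strip())
    return [(p["fields"]["SRC"], p["fields"]["DST"], classify(p, mtu)) for p in packets if p["fields"]]

if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE_LOG):
        print(f"{src} -> {dst}: {label}")
```

Run it over a file of real LOG output (after a `grep 'No Match:'`) to see at a glance whether the logged packets are mostly mid-stream, which points at conntrack state rather than MTU.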