These days I often have this problem with L3 switches. The problem is asynchronous routing, because the L3 switch decides to route my packet directly to the end box, bypassing the firewall. This happens with clients who don't use VLANs on the firewall but use IP aliasing directly.

Regards,

On Monday 19 March 2012 16:39:37, Micheal Wolfskill wrote:
> I have this rule:
>
> $IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
>
> The problem is it's matching legitimate packets of visitors (including me)
> that navigate my site, as I can see in the logs.
>
> It's not affecting the normal viewing of my site, but I wish to know
> why it is matching these packets, as I am sure it should not.
>
> Here is the log entry in syslogd:
>
> Mar 16 15:29:36 kernel: Invalid IN=eth0 OUT=
> MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=xxx.xxxx.xxxx.xxxxx
> DST=xxxx.xxxx.xxxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP
> SPT=6367 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> Thanks
>
> Mike
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
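The two explanations in this thread (a bare RST that conntrack has no entry for, and traffic that is routed around the firewall so conntrack only ever sees one direction) leave different signatures in the iptables LOG output. The script below is an added example, not code from either poster: it parses LOG lines into their key=value fields and bare flag words and tags each line with the usual reason it would hit `--state INVALID`. The sample lines are constructed; the first copies the shape of the RST line posted above with the masked addresses replaced by RFC 5737 documentation addresses, and the reason labels (`stale-rst`, `midstream-no-entry`, `syn`, `non-tcp`, `other`) are heuristics of my own, not anything netfilter writes into the log.

```python
"""Tag iptables LOG lines that hit a '--state INVALID' rule with a likely reason.

Added example for the thread above; not the posters' code. The reasons are
heuristics about how nf_conntrack behaves, not information present in the log.
"""
from collections import Counter

# Constructed sample syslog lines (assumption: default LOG format, one line each).
# The first line mirrors the RST line from the thread with RFC 5737 addresses.
SAMPLE_LOG = """\
Mar 16 15:29:36 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=6367 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Mar 16 15:30:01 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=1234 DF PROTO=TCP SPT=6368 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Mar 16 15:30:05 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=4321 DF PROTO=TCP SPT=6369 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 16 15:30:09 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=777 DF PROTO=UDP SPT=40000 DPT=53 LEN=28
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log_line(line):
    """Split an iptables LOG line into key=value fields and bare flag words.

    Returns None for lines that are not LOG output (no 'IN=' field).
    """
    idx = line.find(" IN=")
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + 1:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value   # a later duplicate key wins (UDP lines carry a second LEN=)
        else:
            flags.add(tok)        # DF and the TCP flags are logged as bare words
    return fields, flags


def classify_invalid(fields, flags):
    """Heuristic reason for a packet matching '-m state --state INVALID'.

    The labels are my own guesses at the usual causes; conntrack does not log them.
    """
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    tcp = flags & TCP_FLAGS
    # LEN=40 is a 20-byte IPv4 header plus a 20-byte TCP header: no options, no payload.
    header_only = fields.get("LEN") == "40"
    if tcp == {"RST"} and header_only:
        # A reset for a connection conntrack no longer (or never) tracks, e.g. the
        # entry already timed out. Nothing to match it against, so it is INVALID.
        return "stale-rst"
    if "SYN" not in tcp and "ACK" in tcp:
        # Mid-stream segment that fits no tracked connection: typical when the
        # firewall sees only one direction of the flow (the other direction is
        # routed around it), so conntrack never saw the handshake, or when the
        # entry expired under the flow.
        return "midstream-no-entry"
    if tcp == {"SYN"}:
        return "syn"   # a plain SYN normally becomes NEW; worth a closer look
    return "other"


def summarize(log_text):
    """Return a Counter keyed by (SRC, DST, DPT, reason) over every LOG line."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        reason = classify_invalid(fields, flags)
        counts[(fields.get("SRC"), fields.get("DST"), fields.get("DPT"), reason)] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, dport, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {src} -> {dst}:{dport}  {reason}")
```

Run it over a real syslog extract (`grep 'Invalid IN=' /var/log/syslog`) rather than the embedded sample; a source that shows up almost only as `midstream-no-entry` while its `stale-rst` count stays near zero is the pattern to check for a path that bypasses the firewall, whereas isolated `stale-rst` hits like the one posted in the thread are what conntrack is expected to do with a reset for a connection it has already forgotten.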