Stéphane Abondance wrote:
>
> Niccolo Rigacci wrote:
> >
> > Stéphane Abondance wrote:
> > >
> > > I got this in my /var/log/messages :
> > >
> > > Apr 10 20:19:23 cerbere diald[23440]: filter ignored rule 0 proto 6 len
> > > 44 seq 1f03cfb ack 0 flags SYN packet 192.168.0.1,64871 =>
> > > 212.27.35.195,3128
> > >
> > > Is it good?
> > > Because I never put a rule like that in the file "standard.filter".
> >
> > Diald logs "filter ignored rule 0" whenever a packet does not
> > match any rule. In this case the man page says that the packet
> > should be ignored.
> >
> > But I think that there is a bug in diald (both 16.5 and 99.x
> > versions). I think that in this case diald accepts the packet
> > with a timeout of 0, thus shortening the connection time.
>
> I agree with you, it would be the default behaviour.
>
> >
> > This caused me many troubles, because the first packet went
> > across the connection was a packet without a matching rule, and
> > setting a timeout to 0 caused the connection to be terminated
> > after just one second.
>
> Me too.
If you experienced this problem, you can try the patch I think
should fix the bug.
In the firewall.c file, function check_firewall(), at line 744
change in this way:

    /* Return 1 if accepting rule with non zero timeout, 0
       otherwise */
    return (fw->filt.type != FW_TYPE_IGNORE &&
            fw->filt.timeout > 0);

and at line 755 the most important thing (return 0 instead of 1):

    if (debug&DEBUG_FILTER_MATCH)
        log_packet(0,ip_pkt,len,0);
    /* no rule matched: ignore the packet instead of accepting it */
    return 0;

This is for diald 16.5. Versions 99.x are the same, just change
the line number: 920 and 931.
Recompile and test. Let me know if this solved the problem!
Niccolo
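As an added illustration, not diald's code and not part of Niccolo's message, here is a small C model of the check_firewall() decision the patch changes: a packet that matches no rule is either accepted with a timeout of 0 (the behaviour the thread describes) or ignored (the fix). The rule and packet structs, check_model() and every constant except FW_TYPE_IGNORE are assumptions made for the example, and the `buggy` flag only models the no-match path that the second change (return 0 instead of 1) fixes.

```c
#include <stdio.h>

/* FW_TYPE_IGNORE is quoted in the thread; the other names here are assumed */
#define FW_TYPE_IGNORE 0
#define FW_TYPE_ACCEPT 1

struct rule {
    int type;      /* FW_TYPE_IGNORE or FW_TYPE_ACCEPT */
    int timeout;   /* seconds the link stays up after a match */
    int proto;     /* IP protocol to match, 6 = TCP, 17 = UDP */
    int dst_port;  /* destination port to match */
};

struct packet { int proto; int dst_port; };

/* Returns 1 if the packet should bring up / keep up the link, 0 if it is
 * ignored, and stores the timeout that would be applied in *timeout_out.
 * buggy=1 models the behaviour the thread describes: a packet matching
 * no rule is accepted with timeout 0, so the link drops almost at once.
 * buggy=0 models the fix: such a packet is ignored (return 0). */
int check_model(const struct rule *rules, int n, const struct packet *p,
                int buggy, int *timeout_out)
{
    for (int i = 0; i < n; i++) {
        if (rules[i].proto == p->proto && rules[i].dst_port == p->dst_port) {
            *timeout_out = rules[i].timeout;
            /* Return 1 if accepting rule with non zero timeout, 0 otherwise */
            return rules[i].type != FW_TYPE_IGNORE && rules[i].timeout > 0;
        }
    }
    *timeout_out = 0;     /* no match: what diald logs as "filter ignored rule 0" */
    return buggy ? 1 : 0;
}

int main(void)
{
    /* constructed rule set: HTTP keeps the link up 600 s, DNS is ignored */
    struct rule rules[] = { { FW_TYPE_ACCEPT, 600, 6, 80 },
                            { FW_TYPE_IGNORE, 0, 17, 53 } };
    /* constructed packet modelled on the log line: TCP to port 3128 */
    struct packet squid = { 6, 3128 };
    int t, up;
    up = check_model(rules, 2, &squid, 1, &t);
    printf("buggy: up=%d timeout=%d\n", up, t);   /* up=1 timeout=0 */
    up = check_model(rules, 2, &squid, 0, &t);
    printf("fixed: up=%d timeout=%d\n", up, t);   /* up=0 timeout=0 */
    return 0;
}
```

With the buggy path the unmatched packet brings the link up and immediately arms a zero-second timeout, which is exactly the one-second disconnect described in the thread; with the fix it is simply ignored.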