Jay Barbee <[EMAIL PROTECTED]> wrote:
>
> My gateway machine (Debian Linux running 2.2.6 currently) after a
> certain amount of uptime will still masq ports for all my client
> systems, but will no longer work for itself.
If you are using ipautofw, that is the culprit.
> Similar messages with telnetd occur. However, I can use SSH just fine.
That just confirms it, for me.
> While I thought this was an IPmasq problem, it seems that I do have the
> same scenario on my local net with just this Linux server (the gateway
> system).
That part doesn't make sense, though.
Ipautofw doesn't communicate well to the standard networking layer of
the kernel (left-hand, right-hand problem). What happens is that your
gateway box, when it wants to create a new local socket connection, will
choose a number one higher than the last port number that was used. If
that port number happens to coincide with a number that ipautofw is
forwarding, the reply traffic will get forwarded behind the masq net,
rather than be delivered back to the local socket. The connection
basically doesn't work.
If you have forwarded, say, ports 4000-5000, then things will start to
work fine, because local sockets will start using port 1024, and go up
from there. But when the kernel decides to use port 4000, it will fail,
and the next 1000 socket attempts will also fail, until the kernel tries
5001, at which point it will succeed.
This is the main reason to stop using ipautofw, and use ipportfw instead.
The reason that ssh works is that it binds its own port in the 1-1023
range.
To help troubleshoot this, when you notice sockets failing, run a
"netstat -tn" while the socket is trying to connect. You will see the
chosen port number in the "Local Address" column. You can try to match
that port number to any other setup that you have (such as ipautofw).
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
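The diagnosis above (local ephemeral ports climbing into an ipautofw-forwarded range) and the "netstat -tn" check lend themselves to a small script. The following is an added example, not code from the original post or from the ipautofw/ipportfw tools: it parses the classic six-column "netstat -tn" layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), flags connections whose local port sits inside a forwarded range, and predicts the run of consecutive port choices that will collide once the kernel's "one higher than last time" allocation reaches the range. The netstat lines, the 192.168.1.1 gateway address and the 4000-5000 range are constructed to match the scenario in the message.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of "netstat -tn" output (not captured from the poster's
# gateway). The local ports 4000 and 4001 are chosen to land inside the
# hypothetical ipautofw range 4000-5000 discussed in the message.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:1025        10.0.0.5:22             ESTABLISHED
tcp        0      1 192.168.1.1:4000        198.51.100.7:80         SYN_SENT
tcp        0      0 192.168.1.1:22          192.168.1.20:3451       ESTABLISHED
tcp        0      1 192.168.1.1:4001        198.51.100.7:80         SYN_SENT
"""

PortRange = Tuple[int, int]


def parse_ranges(spec: str) -> List[PortRange]:
    """Turn a spec such as '4000-5000,6000' into [(4000, 5000), (6000, 6000)]."""
    ranges: List[PortRange] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if lo_i > hi_i or lo_i < 1 or hi_i > 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((lo_i, hi_i))
    return ranges


def in_ranges(port: int, ranges: List[PortRange]) -> bool:
    """True when the port falls inside any forwarded range (inclusive)."""
    return any(lo <= port <= hi for lo, hi in ranges)


_ADDR = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_netstat(text: str) -> List[Tuple[int, str, str]]:
    """Return (local_port, foreign_address, state) for each tcp row of netstat -tn."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Header and banner lines do not start with "tcp"; skip them.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        m = _ADDR.match(fields[3])
        if not m:
            continue
        rows.append((int(m.group("port")), fields[4], fields[5]))
    return rows


def flag_collisions(text: str, ranges: List[PortRange]) -> List[Tuple[int, str, str]]:
    """Rows whose chosen local port collides with a forwarded range.

    These are the sockets whose replies ipautofw would redirect behind the
    masqueraded network instead of delivering them to the local socket."""
    return [row for row in parse_netstat(text) if in_ranges(row[0], ranges)]


def next_failure_window(last_port: int, ranges: List[PortRange],
                        max_port: int = 65535) -> Optional[Tuple[int, int]]:
    """Model the kernel picking last_port+1, +2, ... for new local sockets.

    Returns (first colliding port, number of consecutive colliding picks),
    or None if no pick up to max_port collides. With ranges [(4000, 5000)]
    and last_port 3990 this yields (4000, 1001): every pick from 4000 through
    5000 fails, and 5001 succeeds again."""
    port = last_port + 1
    while port <= max_port and not in_ranges(port, ranges):
        port += 1
    if port > max_port:
        return None
    first = port
    while port <= max_port and in_ranges(port, ranges):
        port += 1
    return first, port - first


if __name__ == "__main__":
    forwarded = parse_ranges("4000-5000")
    for port, foreign, state in flag_collisions(SAMPLE_NETSTAT, forwarded):
        print(f"local port {port} -> {foreign} ({state}) collides with ipautofw range")
    print("next failure window:", next_failure_window(3990, forwarded))
```

Run it against real output with `netstat -tn | python3 thisscript.py`-style piping by replacing SAMPLE_NETSTAT with `sys.stdin.read()`; a SYN_SENT row whose local port is inside a forwarded range is the signature the message describes, and the predicted window tells you how many further connection attempts will fail before the allocator climbs past the range.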