Hi out there,
I do have a strange problem and I don't know if it is really related to netfilter or some kernel/network problem ... It's a setup with a stateful firewall (RELATED,ESTABLISHED) and the problem mainly happens between hosts in the internal net and the DMZ.

    +- ftp-server 192.168.1.x
    +
    +- mail-server 192.168.2.x
    +- <SW> -- eth1-FW-eth0 --(DMZ)-+- some-other-servers 192.168.3.x
    +                               |   ...
                                    +- eth1-extFW-eth0-=>-internet

<SW> is a Layer 3 Switch with IP-Routing
<DMZ> is the 'secure' Zone between internal and external Firewalls using public-IP

The Problem:
Sometimes, when I try to - let's say SSH - the ftp-server from the internal net (192.168.1.x), I can't get to it. However, when I SSH to the FW and then SSH to the ftp-Server, it works.

For debugging, I started tcpdump (2x) on both interfaces of the FW and I saw the following:
on eth1 I see the initial TCP-Packet (SYN) from <internal> to <ftp-server>
on eth0 I see the initial TCP-Packet (SYN) from <internal> to <ftp-server> AND the answer-packet from <ftp-server> to <internal>
However, the answer doesn't make its way through the FW ...

As soon as I do a 'ping' from <internal> to <ftp-server>, the next attempt to SSH to the ftp-server works fine! (!"§$%&)

The (RELATED,ESTABLISHED) rules are the FIRST ones in the FORWARD-Chain and everything that gets -j DROPed is -j LOGed, but I don't see any dropped packets related to my problem in the logs ...

The FW also has some VPN-Connection (cipe) to some remote network, and the same problem happens more often when trying to connect those remote hosts - however, as soon as you ping them, everything's fine ...

This really puzzles me ... Any Ideas ?

- Karl
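The two-interface tcpdump comparison described in the post, turned into a small script (added here as an example, not code from Karl's message): it parses `tcpdump -n` output from the inside and outside interfaces and lists every TCP handshake whose SYN-ACK was captured on the outside interface but never appeared on the inside one, i.e. replies the firewall swallowed. The capture lines are constructed samples; the tcpdump line shape and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Matches tcpdump -n output such as (assumed format):
#   12:00:00.000001 IP 192.168.1.20.40001 > 203.0.113.10.22: Flags [S], seq ...
LINE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                  r"Flags \[(?P<flags>[^\]]*)\]")

def handshake_events(lines):
    """Yield (flow, event) for SYN and SYN-ACK packets.

    The flow key is always client-centric, (client, cport, server, sport),
    so a SYN and its matching SYN-ACK share the same key."""
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" not in flags:
            continue            # only the opening handshake is of interest here
        if "." in flags:        # "[S.]" = SYN-ACK, server -> client
            yield (m["dst"], int(m["dport"]), m["src"], int(m["sport"])), "SYNACK"
        else:                   # "[S]" = SYN, client -> server
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"])), "SYN"

def stuck_flows(inside_lines, outside_lines):
    """Flows whose SYN-ACK was captured on the outside interface but never
    appeared on the inside interface: the firewall did not forward the reply."""
    seen_inside, seen_outside = defaultdict(set), defaultdict(set)
    for flow, ev in handshake_events(inside_lines):
        seen_inside[flow].add(ev)
    for flow, ev in handshake_events(outside_lines):
        seen_outside[flow].add(ev)
    return sorted(flow for flow, evs in seen_outside.items()
                  if "SYNACK" in evs and "SYNACK" not in seen_inside.get(flow, ()))

# Constructed sample captures (not from the original post): eth1 = inside, eth0 = outside.
ETH1_INSIDE = """\
12:00:00.000001 IP 192.168.1.20.40001 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.100000 IP 192.168.1.20.40002 > 203.0.113.11.22: Flags [S], seq 2, win 64240, length 0
12:00:00.100600 IP 203.0.113.11.22 > 192.168.1.20.40002: Flags [S.], seq 9, ack 3, win 65160, length 0
""".splitlines()

ETH0_OUTSIDE = """\
12:00:00.000002 IP 192.168.1.20.40001 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000400 IP 203.0.113.10.22 > 192.168.1.20.40001: Flags [S.], seq 7, ack 2, win 65160, length 0
12:00:00.100001 IP 192.168.1.20.40002 > 203.0.113.11.22: Flags [S], seq 2, win 64240, length 0
12:00:00.100400 IP 203.0.113.11.22 > 192.168.1.20.40002: Flags [S.], seq 9, ack 3, win 65160, length 0
""".splitlines()

if __name__ == "__main__":
    for client, cport, server, sport in stuck_flows(ETH1_INSIDE, ETH0_OUTSIDE):
        print(f"reply {server}:{sport} -> {client}:{cport} seen on eth0 but not forwarded to eth1")
```

Feed it real captures with `tcpdump -n -i eth1 tcp` and `tcpdump -n -i eth0 tcp` saved to two files; each flow it reports is one to look up in the conntrack table and the LOG output at the moment the SYN-ACK arrived.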