Jonathan Underwood wrote:
> On 26/05/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>> Note that if the ACCEPT rule has no 'limit' then the INVALID packets are
>> accepted and the problem magically goes away. But because these packets
>> occur regularly, they eventually exhaust any imposed 'limit' and the
>> connection then stalls.
>
> Just to make sure I understand this correctly - do you mean that
> INVALID packets are "counted" as NEW packets as far as the limit is
> concerned?
Sort of. Shorewall sends both INVALID and NEW packets through the rules
generated by /etc/shorewall/rules. This gives users the choice of adding
'allowInvalid' and 'dropInvalid' rules to control INVALID separately
from NEW. If you only want to deal with 'NEW' connections in your rules
file, then just add this as the first entry in the file:
dropInvalid all all
In the absence of any acceptInvalid/dropInvalid rules, any rule in
your /etc/shorewall/rules applies equally to NEW and INVALID packets. In
many cases, this approach allows Shorewall to mask problems like you are
experiencing. It doesn't mask those problems when rate limiting is
applied, however.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
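The mechanism Tom describes, as an added simulation that is not part of the original thread and not Shorewall or iptables code: a rate-limited ACCEPT rule is modelled as a token bucket, and packets carrying conntrack state INVALID or NEW are run through the rule list in order. When the bucket is empty the rule does not match and evaluation falls through to the policy (DROP here), which is how a limited rule behaves in practice. The traffic stream, the limit figures (2 per second, burst 5) and the rule order are constructed for the example; the ACCEPT rule is reduced to its state match and ignores ports and addresses.

```python
"""Simulation of why regularly occurring INVALID packets exhaust the rate
limit on an ACCEPT rule, and how a leading 'dropInvalid all all' entry
avoids it.  Constructed example; not Shorewall's own code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TokenBucket:
    """Simplified model of an iptables '-m limit' match."""
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class Rule:
    action: str                      # 'ACCEPT' or 'DROP'
    states: frozenset                # conntrack states the rule matches
    limit: Optional[TokenBucket] = None   # None means the rule is not rate limited


def evaluate(rules: List[Rule], state: str, now: float) -> str:
    """Walk the rule list; a limited rule whose bucket is empty simply
    does not match, so the packet continues to the next rule or policy."""
    for rule in rules:
        if state not in rule.states:
            continue
        if rule.limit is not None and not rule.limit.allow(now):
            continue
        return rule.action
    return 'DROP'   # assumed zone policy


def build_rules(drop_invalid_first: bool, limited: bool) -> List[Rule]:
    """Assemble the two rule sets compared in the thread."""
    rules: List[Rule] = []
    if drop_invalid_first:
        # Equivalent of 'dropInvalid all all' as the first rules-file entry.
        rules.append(Rule('DROP', frozenset({'INVALID'})))
    bucket = TokenBucket(rate_per_sec=2, burst=5) if limited else None
    # Without dropInvalid, a plain rule sees both NEW and INVALID packets.
    rules.append(Rule('ACCEPT', frozenset({'NEW', 'INVALID'}), bucket))
    return rules


def sample_packets(seconds: int = 20, invalid_per_sec: int = 5) -> List[Tuple[float, str]]:
    """Constructed traffic: a burst of INVALID packets every second,
    followed by one genuine NEW connection attempt."""
    packets: List[Tuple[float, str]] = []
    for t in range(seconds):
        packets += [(float(t), 'INVALID')] * invalid_per_sec
        packets.append((float(t), 'NEW'))
    return packets


def count_new_accepted(rules: List[Rule], packets: List[Tuple[float, str]]) -> Tuple[int, int]:
    """Return (accepted NEW packets, total NEW packets)."""
    accepted = total = 0
    for now, state in packets:
        verdict = evaluate(rules, state, now)
        if state == 'NEW':
            total += 1
            accepted += verdict == 'ACCEPT'
    return accepted, total


if __name__ == '__main__':
    for label, drop_invalid, limited in [
        ('limit, no dropInvalid', False, True),
        ('limit, dropInvalid first', True, True),
        ('no limit, no dropInvalid', False, False),
    ]:
        ok, total = count_new_accepted(build_rules(drop_invalid, limited), sample_packets())
        print(f'{label:28s}: {ok}/{total} NEW connections accepted')
```

With the limit and no dropInvalid entry, the INVALID packets drain the bucket every second and every NEW connection falls through to the policy, which is the stall seen in the thread. Putting dropInvalid first, or removing the limit, lets all NEW connections through; the unlimited variant also silently accepts the INVALID packets, which is the masking effect Tom mentions.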
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
