Tom Eastep wrote:
> Vieri Di Paola wrote:
>>
>> Please have a look at the tcpdumps below.
>>
>
> If you want me to look at the output of tcpdump, please use the "-n" option.
> It's impossible to be certain what one is looking at when tcpdump is
> printing the result of reverse DNS lookups rather than the raw IP addresses.

That having been said, I would next do the tcpdump on eth0 on the bridge (make sure the SYN,ACKs are being sent from the bridge) then on eth1 on the outer firewall.

I see this conntrack entry on the bridge:

    tcp 6 35 SYN_RECV src=194.179.55.129 dst=10.215.144.7 sport=61911 dport=25 packets=1 bytes=52 src=10.215.144.7 dst=194.179.55.129 sport=25 dport=61911 packets=5 bytes=260 mark=0 use=1

This indicates that Netfilter connection tracking on the bridge is not seeing or not recognizing the SYN,ACK response.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
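Added example, not part of the message above and not Shorewall code: a small parser for conntrack lines in the format quoted in the message. It lists TCP entries whose handshake has not completed, with packet counts per direction, so they can be compared with what "tcpdump -n" shows on each interface. The function names and the second sample line are made up for illustration.

```python
import re

# Constructed sample: line 1 is the entry quoted in the message; line 2 is a
# made-up ESTABLISHED entry (documentation address 192.0.2.10) for contrast.
SAMPLE = """\
tcp 6 35 SYN_RECV src=194.179.55.129 dst=10.215.144.7 sport=61911 dport=25 packets=1 bytes=52 src=10.215.144.7 dst=194.179.55.129 sport=25 dport=61911 packets=5 bytes=260 mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.0.2.10 dst=10.215.144.7 sport=40000 dport=25 packets=12 bytes=900 src=10.215.144.7 dst=192.0.2.10 sport=25 dport=40000 packets=10 bytes=1200 [ASSURED] mark=0 use=1
"""
PAIR = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Split one ip_conntrack-style line into original and reply tuples."""
    fields = line.split()
    entry = {"proto": fields[0], "timeout": int(fields[2]), "state": None,
             "flags": [], "original": {}, "reply": {}, "extra": {}}
    direction = "original"
    for tok in fields[3:]:
        m = PAIR.fullmatch(tok)
        if m is None:  # bare token: "[ASSURED]"-style flag or the TCP state
            if tok.startswith("["):
                entry["flags"].append(tok.strip("[]"))
            else:
                entry["state"] = tok
            continue
        key, val = m.groups()
        if key in ("mark", "use", "secmark"):  # per-entry, not per-direction
            entry["extra"][key] = val
            continue
        if key == "src" and "src" in entry[direction]:
            direction = "reply"  # a second src= starts the reply tuple
        entry[direction][key] = int(val) if val.isdigit() else val
    return entry

def unfinished_handshakes(text):
    """Return TCP entries still in SYN_SENT/SYN_RECV with per-direction counts."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        e = parse_entry(line)
        if e["proto"] == "tcp" and e["state"] in ("SYN_SENT", "SYN_RECV"):
            o, r = e["original"], e["reply"]
            rows.append({"client": f'{o["src"]}:{o["sport"]}',
                         "server": f'{o["dst"]}:{o["dport"]}',
                         "state": e["state"],
                         "orig_packets": o.get("packets"),
                         "reply_packets": r.get("packets")})
    return rows

if __name__ == "__main__":
    for row in unfinished_handshakes(SAMPLE):
        print(row)
```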
