Hi Martin, this reminds me of an FTP conntrack problem I had with Xen a while ago. It's related to the common Xen checksum offload problem. The first FTP PORT packet has an incorrect checksum and is dropped. Then the resent packet is ignored by the ftp_conntrack module and doesn't get masq'ed. Et voilà, you have your internal address in the PORT command.
Diagnosis: run tcpdump -vv (or even better wireshark) on the involved interfaces and you'll see a lot of invalid checksums.

Solution: disable tx-checksumming on ALL interfaces (ethtool -K <device> tx off). I disable it on all interfaces, because I saw so many different problems with that in all kinds of Xen setups that I gave up trying to find a logic behind that error.

Let me know if it helps.

Alex

On Sunday 30 March 2008, Martin Leben wrote:
> Hi all!
>
> I am a long time lurker, but have not posted until now.
>
> My old trusted firewall machine broke a couple of weeks ago and I replaced
> it with a XEN domU that is using DNAT and has two interfaces. The firewall
> domU and the FTP server domU are both guests on the same dom0. All three
> machines are running Debian/etch (stable) and Shorewall has version 3.2.6.
>
> I can't get FTP to work and Filezilla says:
>
> Response: 227 Entering Passive Mode (192,168,221,239,19)
> Status: Server sent passive reply with unroutable address. Using
> server address instead.
>
> I cannot understand why the FTP server's private address is leaked since the
> modules ip_nat_ftp and ip_conntrack_ftp are loaded. The FTP rule is
> "FTP/DNAT net loc:192.168.221.3".
>
> In the attached status file I have connected from "213.115.101.134" to
> "87.96.134.74". Can any of you see what is wrong?
>
> Thank you in advance.
>
> /Martin Leben
>
> Ps/ DNAT'ing http, imap and other "simple" traffic works. /Ds
> Ps2/ My apologies if this mail hits the list twice. I sent the first one
> before subscribing. (Reading through http://gmane.org) /Ds2
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
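The diagnosis and remedy Alex describes, as an added shell example that is not part of the original thread: count the packets tcpdump -vv flags with a bad transport checksum (the ones the ftp conntrack helper never gets to rewrite), read the tx-checksumming state from ethtool -k output, and turn TX offload off on every non-loopback interface. The tcpdump and ethtool sample output below is constructed for illustration; the interface names and the /sys/class/net listing are assumptions about a Linux dom0/domU.

```shell
# Constructed tcpdump -vv -n lines (not from the thread), in the two shapes
# tcpdump uses for checksum failures: "(incorrect -> 0x....)" on older
# versions and "[bad tcp cksum ... -> ...!]" on newer ones.
SAMPLE_TCPDUMP='IP 192.168.221.3.21 > 213.115.101.134.40212: Flags [P.], cksum 0x6a2b (incorrect -> 0x91f0), seq 1:52, ack 1, win 91, length 51
IP 213.115.101.134.40212 > 87.96.134.74.21: Flags [.], cksum 0x2c10 (correct), ack 52, win 229, length 0
IP 192.168.221.3.21 > 213.115.101.134.40212: Flags [P.], cksum 0x6b40 (incorrect -> 0x12aa), seq 52:80, ack 1, win 91, length 28
IP 192.168.221.3.21 > 213.115.101.134.40212: Flags [.], [bad tcp cksum 0x0a1b -> 0x3c4d!], ack 10, win 91, length 0'

# Constructed, abbreviated `ethtool -k eth0` output.
SAMPLE_ETHTOOL='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on'

# Count packets whose TCP/UDP checksum tcpdump marked as wrong. Reads stdin,
# so on a live host: tcpdump -vv -n -i eth0 port 21 | count_bad_cksum
# Prints 0 (instead of failing) when nothing matches.
count_bad_cksum() {
    grep -c -E '\(incorrect ->|\[bad (tcp|udp) cksum' || true
}

# Print "on" or "off" from the tx-checksumming line of ethtool -k output.
tx_checksum_state() {
    sed -n 's/^tx-checksumming: *//p'
}

# Alex's remedy: disable TX checksum offload on every interface except lo and
# report the new state. Needs root and ethtool; run only on the affected host.
disable_tx_offload_all() {
    for path in /sys/class/net/*; do
        dev=${path##*/}
        [ "$dev" = lo ] && continue
        ethtool -K "$dev" tx off
        printf '%s: tx-checksumming now %s\n' "$dev" \
            "$(ethtool -k "$dev" | tx_checksum_state)"
    done
}

# Offline demonstration on the constructed samples (a real run pipes tcpdump
# and ethtool into these functions instead).
printf '%s\n' "$SAMPLE_TCPDUMP" | count_bad_cksum      # 3
printf '%s\n' "$SAMPLE_ETHTOOL" | tx_checksum_state    # on
```

If the counter keeps rising on the interfaces between the firewall domU and the FTP domU while tx-checksumming reads "on", the offload is the likely culprit; after `ethtool -K <dev> tx off` the count should stop climbing and the PORT/PASV replies should carry the NATted address.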
