Martin, this workaround is documented at http://www.shorewall.net/XenMyWay-Routed.html which is an interesting Xen setup.
You can put the line "ethtool -K <device> tx off" in your interfaces file (e.g. directly beneath each interface configuration stanza) to ensure this persists across reboots.

Werner

On Mon, 2008-03-31 at 13:19 +0200, Martin Leben wrote:
> Alexander Wilms wrote:
> > Hi Martin,
> >
> > this reminds me of an FTP conntrack problem I had with Xen a while ago.
> > It's related to the common Xen checksum offload problem.
> > First FTP port packet has incorrect checksum and is dropped. Then the resent
> > packet is ignored by the ftp_conntrack module and doesn't get masq'ed. E
> > voila, you have your internal address in the port command.
> >
> > Diagnosis: run tcpdump -vv (or even better wireshark) on the involved
> > interfaces and you'll see a lot of invalid checksums
> >
> > Solution: disable tx-checksumming on ALL interfaces (ethtool -K <device> tx
> > off).
>
> Hi Alexander,
>
> Voila! That did it. Now it works. I ran
> # ethtool -K <device> tx off
> ... on both of the firewall's network interfaces as well as on the FTP server
> network interface.
>
> Big thanks to you, Andrew and Tom for your time and input.
>
> Tom, I think this is something for the documentation.
>
> /Martin Leben

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
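
The diagnosis step from the thread above (look for invalid checksums in `tcpdump -vv` output), as an added example that is not part of the original messages: it tallies TCP checksum state per sender and lists FTP control flows (port 21) that carried a bad checksum. The sample lines, addresses and the `checksum_report` name are constructed for illustration, and the line format assumed is that of current `tcpdump -vv -n` output.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -vv -n` output (not captured traffic).
SAMPLE = """\
13:19:01.000101 IP (tos 0x0, ttl 64, id 4211, offset 0, flags [DF], proto TCP (6), length 66)
    10.0.0.5.40112 > 192.0.2.20.21: Flags [P.], cksum 0x1a2b (incorrect -> 0x9c4d), seq 1:27, ack 1, win 229, length 26: FTP, length: 26
13:19:01.200300 IP (tos 0x0, ttl 64, id 4212, offset 0, flags [DF], proto TCP (6), length 66)
    10.0.0.5.40112 > 192.0.2.20.21: Flags [P.], cksum 0x9c4d (correct), seq 1:27, ack 1, win 229, length 26: FTP, length: 26
13:19:01.250000 IP (tos 0x0, ttl 63, id 991, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.20.21 > 10.0.0.5.40112: Flags [.], cksum 0x77aa (correct), ack 27, win 227, length 0
13:19:02.000000 IP (tos 0x0, ttl 64, id 4300, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.51000 > 192.0.2.20.80: Flags [S], cksum 0x0bad (incorrect -> 0x55e1), seq 100, win 64240, length 0
"""

# Indented detail line: "src.sport > dst.dport: ... cksum 0x.... (correct|incorrect ...)"
PKT = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?cksum 0x[0-9a-f]+ \((?P<state>correct|incorrect)")

def checksum_report(text, ftp_port=21):
    """Tally TCP checksum state per sender and list FTP control flows with bad checksums."""
    bad, total, ftp_hit = Counter(), Counter(), set()
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # IP header lines and payload lines carry no TCP cksum field
        total[m["src"]] += 1
        if m["state"] == "incorrect":
            bad[m["src"]] += 1
            # A bad checksum on the control channel is the case the thread describes.
            if ftp_port in (int(m["sport"]), int(m["dport"])):
                ftp_hit.add((m["src"], m["dst"]))
    return {"bad": dict(bad), "total": dict(total), "ftp_hit": sorted(ftp_hit)}

if __name__ == "__main__":
    print(checksum_report(SAMPLE))
```

With TX checksum offload enabled, a capture taken on the sending host shows "incorrect" for that host's own outgoing packets because the checksum is filled in after the capture point, so compare against a capture on the receiving interface as well.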
