On 4/6/11 3:16 PM, Chip Anderson wrote:
>
> Given that the link does over 400 Megabits per second, that means that _most_ of
> the packets are being translated correctly, but an interesting number of them
> are "leaking" out with the 10.1.1.x source address. Many of those are RST
> packets coming at the very end of a TCP conversation. The frequency of these
> 10.1.1.x packets seems to be random.
>
> If this is a common situation with an easy solution, my apologies but I didn't
> find anything in the FAQs or the newsgroup archives. (Coming up with a good,
> selective search phrase for this issue was challenging.)
>
> So my first question to the group is: Have you heard of this kind of thing
> before? Is there an area/topic I should review closely to see if I made a
> Shorewall or sysctl config mistake?
>
> If not, I'll be happy to upload _all_ the gory details of our configuration for
> people to study. I just wanted to quickly see if this rings a bell with anyone
> first.
This is most likely due to the packets sent from the DMZ being
classified as 'invalid' by Netfilter's connection tracker.
See if this rule doesn't eliminate these packets:
dropInvalid dmz net
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
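A defender-side check for the symptom described in this thread, added here as an example that is not part of the original messages: it scans tcpdump-style text captured on the external ("net") interface and reports any packet whose source is still an RFC 1918 address, i.e. one that left the box without being translated, together with its TCP flags so that clustering on RST is visible. The sample lines, the interface name eth0 and the public address 203.0.113.5 are constructed assumptions, not values from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture in tcpdump-style text (not from the original thread).
# Assumption: this is what "tcpdump -ni eth0 tcp" would show on the external
# ("net") interface, where every outbound source should already be the
# firewall's public address (203.0.113.5, assumed) after SNAT/MASQUERADE.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.44123 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 198.51.100.20.80 > 203.0.113.5.44123: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.001000 IP 203.0.113.5.44123 > 198.51.100.20.80: Flags [.], ack 3, win 502, length 0
12:00:05.250000 IP 10.1.1.7.44123 > 198.51.100.20.80: Flags [R], seq 2, win 0, length 0
12:00:06.000000 IP 203.0.113.5.44124 > 198.51.100.21.443: Flags [S], seq 1, win 64240, length 0
12:00:09.000000 IP 10.1.1.9.51000 > 198.51.100.22.25: Flags [R.], seq 5, ack 9, win 0, length 0
"""

# RFC 1918 ranges checked explicitly; ipaddress.is_private would also match
# documentation ranges such as 198.51.100.0/24, which we do not want here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "IP src.port > dst.port: Flags [..]" in tcpdump's default TCP output.
LINE_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+: Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return (src, dst, flags) for every line that looks like a TCP packet."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("flags")))
    return packets


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_untranslated(text):
    """Return the packets that left with a private (RFC 1918) source address.

    On the external interface any such packet escaped NAT. Conntrack marks
    packets it cannot associate with a tracked connection as INVALID, and the
    nat table is not consulted for those, so they keep their internal source;
    a late RST after the connection entry is gone is the classic case.
    """
    leaks = []
    for src, dst, flags in parse_capture(text):
        if is_rfc1918(src):
            leaks.append({"src": src, "dst": dst, "flags": flags,
                          "rst": "R" in flags})
    return leaks


def summarize(text):
    """Count leaks overall and per flag combination so RST clustering shows."""
    leaks = find_untranslated(text)
    return {
        "packets": len(parse_capture(text)),
        "leaks": len(leaks),
        "rst_leaks": sum(1 for p in leaks if p["rst"]),
        "by_flags": dict(Counter(p["flags"] for p in leaks)),
    }


if __name__ == "__main__":
    for p in find_untranslated(SAMPLE_CAPTURE):
        print(f"untranslated source {p['src']} -> {p['dst']} flags [{p['flags']}]")
    print(summarize(SAMPLE_CAPTURE))
```

Run it over a capture taken on the external interface before and after adding the suggested rule; if the diagnosis is right, the leak count drops to zero while the total packet count stays roughly the same, and the flagged packets in the "before" capture are predominantly RSTs.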
