On 02/28/2012 07:42 PM, Tom Eastep wrote:
> On 2/28/12 5:23 PM, jonetsu wrote:
>> Hmmm.. Not sure if the other one got to you, so here it is. Sorry for
>> any duplicate. Here is the dump. It was done in the following way:
>> - unit3: reboot w/o any iptable commands applied
>> - start continuous pings from unit1
>> - unit3: shorewall start
>> - (continuous pingings still going on)
>> - unit3: shorewall dump
>>
>> 192.168.3.2 = unit1 = pinging unit
>> 172.30.159.103 = unit3 = shorewall unit
>> 172.30.159.102 = unit2 = pinging target unit
>>
>> eth1 <--> fe-4-2 unit3 fe-3-1 <--> fe-3-1 eth2
>>
>> In a parallel iptables-only test it is possible to immediately stop the
>> pingings when iptables rules are applied by flushing the whole thing
>> before applying any new rules. Thanks !
>
> So everything else, other than the Shorewall version was the same in
> these two tests? Kernel, iptables, iproute2, ...?
I suspect that you were previously running on a different kernel version.
On the system that I am writing this on (Ubuntu 11.10, Kernel 3.0.0),
the /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout setting has
value 30 (seconds). Experimentation has shown that the conntrack table
entry for ping stays around for 30 seconds after I stop pinging.
In contrast, on Centos-5 with kernel 2.6.18-274, the
ip_conntrack_icmp_timeout setting is the same but the conntrack table
entry is destroyed when the ping reply is returned.
So to stop an existing ping with shorewall start/restart, you need to
flush the conntrack table ('shorewall restart -p'). That requires that
you install the conntrack utility program (usually, the package is
called simply 'conntrack').
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
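A defender-side check for the behaviour Tom describes, added here as an example and not Shorewall code: it parses the /proc/net/nf_conntrack line format and lists the ICMP entries that will keep matching state-based rules after a rule reload until they expire or the table is flushed. The sample table is constructed from the addresses in the thread and is not a real dump.

```python
"""List ICMP conntrack entries that outlive a firewall rule reload."""
import re

# Constructed sample in /proc/net/nf_conntrack format (not a real dump):
# one ICMP echo flow from unit1 to unit2 with 29 s left, one TCP flow.
SAMPLE_TABLE = """\
ipv4     2 icmp     1 29 src=192.168.3.2 dst=172.30.159.102 type=8 code=0 id=4242 src=172.30.159.102 dst=192.168.3.2 type=0 code=0 id=4242 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.3.2 dst=172.30.159.103 sport=50222 dport=22 src=172.30.159.103 dst=192.168.3.2 sport=22 dport=50222 [ASSURED] mark=0 use=1
"""

# l3proto l3num l4proto l4num timeout-left [tcp-state] key=value ...
_LINE = re.compile(r"^ipv\d\s+\d+\s+(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?P<rest>.*)$")


def parse_conntrack(text):
    """Return one dict per entry: proto, ttl (seconds left), src, dst.

    Only the original-direction src/dst (the first pair on the line) is kept.
    """
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or unexpected line: skip rather than guess
        rest = m.group("rest")
        src = re.search(r"src=(\S+)", rest).group(1)
        dst = re.search(r"dst=(\S+)", rest).group(1)
        entries.append({"proto": m.group("proto"), "ttl": int(m.group("ttl")),
                        "src": src, "dst": dst})
    return entries


def surviving_icmp(text):
    """(src, dst, seconds_left) for each ICMP entry still in the table.

    Each of these keeps passing echo traffic through a rule that accepts
    ESTABLISHED/RELATED state until it expires (30 s on the kernel described
    above) unless the table is flushed, e.g. with 'shorewall restart -p'.
    """
    return [(e["src"], e["dst"], e["ttl"])
            for e in parse_conntrack(text) if e["proto"] == "icmp"]


if __name__ == "__main__":
    for src, dst, ttl in surviving_icmp(SAMPLE_TABLE):
        print(f"icmp {src} -> {dst} survives reload for up to {ttl}s")
```

On a live system, pass the contents of /proc/net/nf_conntrack (or `conntrack -L` output in the same format) instead of the constructed sample.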
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
