Hey,
I have a setup that has one machine communicating to a server using UDP
over IPv6. For specifics, it is using collectd with a boosted
MaxPacketSize in the network config.
What this means is there is some IP fragmentation happening, and that
is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the
particular communication I want. What I'm getting in my logs is (I've
logged the ACCEPT rule for clarity):
Dec 4 16:11:19 xxxx kernel: [67682.239124]
Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63
FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826
LEN=1905
Dec 4 16:11:19 xxxx kernel: [67682.239148]
Shorewall:int2dmz:REJECT:IN=br1 OUT=br0
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63
FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
The rule I have is:
ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
udp 25826
Does anyone have any ideas on how I can ALLOW this fragmentation?
May be a red herring, but if I go over IPv4, I don't get the same
REJECT, and it appears the data is getting sent.
Many thanks for any responses.
Cheers,
Hugh
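As an added example (not part of Hugh's post or of Shorewall itself), a small Python script that parses netfilter log lines in the "Shorewall:<chain>:<verdict>:" form quoted above and flags non-first fragments that were REJECTed while the first fragment of the same datagram (same SRC, DST and fragment ID) was ACCEPTed. The sample lines are constructed after the two quoted ones with documentation-prefix addresses; the script makes visible what the logs already show: only the FRAG:0 fragment carries the UDP header and therefore SPT/DPT, so a rule that matches on port has nothing to match in the later fragments.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two lines quoted in the post; the
# addresses are documentation-prefix placeholders, not real hosts.
SAMPLE_LOG = """\
Dec 4 16:11:19 fw kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec 4 16:11:19 fw kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=2001:db8:1::10 DST=2001:db8:2::20 LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)[=:](?P<val>\S+)")  # matches SRC=... and FRAG:...


def parse_line(line):
    """Return the fields of one Shorewall/netfilter log line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    f = {x.group("key"): x.group("val") for x in FIELD_RE.finditer(m.group("rest"))}
    # FRAG:<offset> is the fragment offset; only the offset-0 fragment carries
    # the UDP header, so only it can show SPT/DPT for a port rule to match.
    return {"chain": m.group("chain"), "verdict": m.group("verdict"),
            "src": f.get("SRC"), "dst": f.get("DST"), "frag_id": f.get("ID"),
            "offset": int(f["FRAG"]) if "FRAG" in f else None,
            "spt": f.get("SPT"), "dpt": f.get("DPT")}


def rejected_fragments(log_text):
    """Report non-first fragments that were REJECTed although the first fragment
    of the same datagram (same SRC, DST and fragment ID) was ACCEPTed."""
    by_datagram = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["offset"] is not None:
            by_datagram[(rec["src"], rec["dst"], rec["frag_id"])].append(rec)
    findings = []
    for (src, dst, frag_id), recs in by_datagram.items():
        first = next((r for r in recs if r["offset"] == 0), None)
        for r in recs:
            if r["offset"] > 0 and r["verdict"] == "REJECT":
                findings.append({"frag_id": frag_id, "src": src, "dst": dst,
                                 "offset": r["offset"], "has_ports": r["dpt"] is not None,
                                 "first_fragment_verdict": first["verdict"] if first else None,
                                 "first_fragment_dpt": first["dpt"] if first else None})
    return findings


if __name__ == "__main__":
    for hit in rejected_fragments(SAMPLE_LOG):
        print(f"datagram {hit['frag_id']} {hit['src']}->{hit['dst']}: fragment at offset "
              f"{hit['offset']} REJECTed (ports present: {hit['has_ports']}); first fragment "
              f"was {hit['first_fragment_verdict']} to port {hit['first_fragment_dpt']}")
```

Feed it `journalctl -k` or `/var/log/kern.log` output to see which datagrams are being dropped fragment by fragment.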
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users