Morten Nilsen, 23.11.2005 12:48:
> Vidar Tyldum Hansen wrote:
>> http://tyldum.com/iptables.save.txt
> 
> I removed the counters, they were only in the way, and this sort of 
> stuck out at me;
> 
> -A OUTPUT -o eth1 -j admin_ut
> -A OUTPUT -o eth3 -j felles_ut
> -A OUTPUT -o eth2 -j sosial_ut
> -A OUTPUT -o eth5 -j internett_ut
> -A OUTPUT -o eth0 -j radio_ut
> -A OUTPUT -o eth6 -j dmz_ut
> -A OUTPUT -o eth4 -j elev_ut
> 
> if you're not going to filter output, why define rules that jump to 
> empty tables?

Old reminiscent that might come in handy :)
They should have no impact, remember things work until I type too fast.

> similarly, you only filter packages from the internet on input..
> I would prefer filtering everything in/out on every interface, and only 
> allow the traffic you want in..
> (see http://www.ranum.com/security/computer_security/editorials/dumb/)

No traffic may pass without going through a FORWARD rule. Default policy
there is drop.
Only traffic to/from the router itself is not passed through FORWARD.

> http://84.234.141.4/fw - this is my setup..

Connection refused. At least you are secure ;)

> anyhoo.. back to your problem..
> I can't see anything in your iptables that should cause your problem.. I 
> do however note you use tc to shape student traffic.. does the ssh 
> problem go away if you (temporarily) remove shaping?

Thought of that, but discarded it because I never touch that interface.
Anyways, it would be silly not to test so I just did. Same result :/

> if no, I would suggest making a new setup, without all the extra 
> chains.. you know, just to test :)

You are funny.

I'll start by adding some more LOG-rules to see if I can pinpoint
something. That won't disrupt the network more than 1-2 lost packets.
Fooling around with the general setup will be the nighttime activity the
next few days if that doesn't reveal anything.

But I still fail to see why iptables should do something to my packets
just by pressing and holding a random key in an ssh session. Seems like
a stack problem to me.

Thanks anyways for reading through the files and responding.

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
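As an added example (not taken from either poster's ruleset), the following script emits the iptables commands for the structure Vidar describes: FORWARD defaults to DROP, each inbound interface gets its own chain, and a rate-limited LOG rule sits in front of the final drop so a lost packet shows up in the kernel log with a recognisable tag. Interface and chain names, the networks and the per-chain policy are assumptions; with IPT left at its default of echo the script is a dry run and needs no root.

```shell
#!/bin/sh
# Added example (not from either poster's ruleset): emit the iptables
# commands for a default-drop FORWARD setup with one chain per inbound
# interface and a rate-limited LOG rule in front of the final drop, so a
# silently dropped packet shows up in the kernel log with a recognisable tag.
# IPT defaults to "echo", making this a dry run; set IPT=iptables to apply.
IPT="${IPT:-echo}"
# interface:chain pairs (assumed names, modelled on the thread's eth*/_ut chains)
IFACES="eth1:admin eth4:elev eth5:internett"
LAN_NET="192.168.0.0/16"          # constructed example network
DMZ_WEB="192.168.200.10"          # constructed example host

fw_rules() {
    # Nothing is forwarded or delivered to the router unless a rule allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Router itself: loopback plus replies to connections it initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarded traffic: established flows pass once; only NEW packets
    # are dispatched to the per-interface chain, so those chains stay small.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for pair in $IFACES; do
        dev="${pair%%:*}"
        chain="${pair##*:}_fwd"
        $IPT -N "$chain"
        $IPT -A FORWARD -i "$dev" -m state --state NEW -j "$chain"
    done

    # Per-interface policy (assumed): admin LAN may ssh and browse anywhere,
    # the student LAN only reaches the web, and the internet side only
    # reaches the DMZ web server.
    $IPT -A admin_fwd -s "$LAN_NET" -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    $IPT -A elev_fwd  -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A internett_fwd -d "$DMZ_WEB" -p tcp --dport 80 -j ACCEPT

    # Catch-all: log what is about to hit the DROP policy. The limit match
    # keeps a port scan from flooding syslog; the prefix makes the hits
    # easy to grep in the kernel log when chasing a lost packet.
    $IPT -A FORWARD -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "FORWARD_DROP " --log-level 4
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "INPUT_DROP " --log-level 4
}

fw_rules
```

Once applied for real, `dmesg | grep FORWARD_DROP` shows exactly which packets the default policy is eating, which is the kind of evidence the LOG rules in the thread are meant to produce.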