Package: shorewall
Version: 2.0.7-1
Severity: important

Hello,

We route outgoing packets for several satellite connections. After a big set of upgrades (including kernel version) today, these asymmetric connections stopped working. I found the culprit:

Chain FORWARD (policy DROP 62 packets, 3392 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45  2557 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
[...]

This rule is the very first one listed for FORWARD, and the second one for INPUT and OUTPUT (the first one is lo specific).

On one hand I suspect this used to work, and with recent kernel versions (2.6.9+) the meaning of INVALID has become more strict. On the other hand, I haven't set dropunclean for any of the interfaces, and checking the value this early would seem to render LOGUNCLEAN invalid, as any unclean packets have already been dropped before it gets this far.

I have already changed the newnotsyn file/rule to cope with my asymmetric routing needs, but this isn't used until after the packets are already dropped.

I also checked my 2.0.13-1 shorewall firewall and it has the same rules listed.

Alternatively, if I am missing something obvious (such as a config parameter that controls this behaviour), please let me know.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages shorewall depends on:
ii  debconf     1.4.30.11    Debian configuration management sy
ii  iproute     20041019-2   Professional tools to control the
ii  iptables    1.2.11-8     Linux kernel 2.4+ iptables adminis

-- debconf information excluded
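
The check described in the report, as an added example that is not part of the original message or of shorewall: it scans `iptables -L -v -n` output for DROP rules matching state INVALID and prints each one's chain, position in the chain, and packet/byte counters. The function names and the sample listing (apart from the FORWARD rule quoted in the report) are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate DROP rules that match conntrack state INVALID in
# `iptables -L -v -n` output and report where they sit in each chain.
# A low position with rising counters means packets are discarded before
# any later rule (such as newnotsyn handling) can see them.

# Reads a listing on stdin; prints "chain position pkts bytes" per match.
find_invalid_drops() {
    awk '
        $1 == "Chain" { chain = $2; pos = 0; next }   # start of a new chain
        $1 == "pkts" || NF == 0 { next }              # column header or blank
        $1 ~ /^[0-9]+[KMG]?$/ {                       # a rule line (pkts first)
            pos++
            # Also matches the "ctstate INVALID" spelling of newer iptables.
            if ($3 == "DROP" && $0 ~ /state [A-Z,]*INVALID/)
                print chain, pos, $1, $2
        }
    '
}

# Constructed sample listing. The FORWARD DROP rule is the one quoted in
# the report; the INPUT chain and the ACCEPT rules are made up.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID

Chain FORWARD (policy DROP 62 packets, 3392 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45  2557 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
  120  9600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
EOF
}

# On a live firewall (as root): iptables -L -v -n | find_invalid_drops
sample_listing | find_invalid_drops
```

Running it twice a few seconds apart while the asymmetric traffic is flowing shows whether the counters on the reported rule are the ones increasing.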