Re: Iptables FW under 2.4.0-test11
On Wed, 20 Dec 2000, Robert Davies wrote:
> > I have a headless server running a basic ipchains (kernel 2.2.x)
> > firewall and doing NAT. I'd like to run 2.4.0-test11 on that machine
> > since I have been very pleased with the performance of 2.4.0-test11 on
> > my desktop machine, and also because I am very impatient and can't stand
> > to have a machine running a 2.2.x kernel!
>
> You'ld better follow linux-kernel then!
>
> Upgrade to test12 pronto, test11 corrupts fs. Due to dirty pages, not being
> deallocated properly.
Yes, but be careful: plain test12 has a bug in netfilter code that causes
it to instantly crash upon receiving a fragmented packet, if using
conntrack (i.e. native 2.4 stateful firewalling). A patch surfaced in
linux-kernel that appears to fix this. Therefore, while you do need to
move away quickly from test11 as it eats ext2 filesystems, you probably
should do one of the following two things:
1) go back to a version **before** test11 that works well for you (perhaps
test10?)
2) or browse the linux-kernel archives, find the patch for the bug in the
netfilter, apply that to test12 and use that.
If you use iptables with stateful connection tracking on a plain test12
kernel (without the fix), a single large ping, or trying to do anything
related to NFS will instantly kill your computer...
Bye
Giacomo
________________________________________________________________________
Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>
________________________________________________________________________
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
________________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
________________________________________________________________________
Reply to: