
Re: Iptables FW under 2.4.0-test11



>>>>> "GM" == Giacomo Mulas <gmulas@ca.astro.it> writes:
    GM>  Yes, but be careful: plain test12 has a bug in netfilter code
    GM> that causes it to instantly crash upon receiving a fragmented
    GM> packet, if using conntrack (i.e. native 2.4 stateful
    GM> firewalling). A patch surfaced in linux-kernel that appears to
    GM> fix this. Therefore, while you do need to move away quickly from
    GM> test11 as it eats ext2 filesystems, you probably should do one
    GM> of the following two things:
    GM> 
    GM> 1) go back to a version **before** test11 that works well for
    GM> you (perhaps test10?)
    GM> 2) or browse the linux-kernel archives, find the patch for the
    GM> bug in the netfilter, apply that to test12 and use that.
    GM> 
    GM> If you use iptables with stateful connection tracking on a plain
    GM> test12 kernel (without the fix), a single large ping, or trying
    GM> to do anything related to NFS will instantly kill your
    GM> computer...
    GM> 

What iptables config option causes this problem? I have just gotten
iptables up and running, and currently am only using it for NAT. Haven't
gotten around to setting up filtering rules, etc.

But before I go looking for the patch that fixes this bug, I'd like to
know which kernel config option, if compiled in or modularized,
'activates' the bug?

Here are the NetFilter options from my .config file:

CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=y


A couple of questions on iptables in Debian:

(1) is there any package in Debian that automatically sets up NAT the
way ipmasq did for 2.2.x kernels?

(2) where do I put my NAT and filtering rules?

Thanks.

-- 
Salman Ahmed
ssahmed AT pathcom DOT com
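The quoted message ties the crash to the connection-tracking code, and the posted .config answers the question for this machine: CONFIG_IP_NF_CONNTRACK=y, and NAT (CONFIG_IP_NF_NAT) is layered on top of conntrack, so a NAT-only setup is still running the affected code. The script below is an added example, not part of this thread or of any Debian package: it parses the three line shapes a 2.4-era .config uses (`CONFIG_X=y`, `CONFIG_X=m`, `# CONFIG_X is not set`) and reports whether connection tracking is compiled in. The sample lines are constructed from the options posted above; the option names are real 2.4 netfilter config symbols.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a 2.4 kernel .config and
# report whether the netfilter connection-tracking code is enabled.
# Usage: ./check_conntrack.sh [/usr/src/linux/.config]
# Without an argument it runs over the constructed sample below.

# Constructed sample input: a subset of the .config posted in the thread.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y'

# kconfig_state SYMBOL   (reads .config text on stdin)
# Prints "y" (built in), "m" (module), "n" (explicitly not set) or
# "absent" (symbol never mentioned, e.g. hidden by an unmet dependency).
kconfig_state() {
    sym=$1
    state=$(awk -v sym="$sym" '
        $0 == (sym "=y")              { print "y"; exit }
        $0 == (sym "=m")              { print "m"; exit }
        $0 == ("# " sym " is not set") { print "n"; exit }
    ')
    printf '%s\n' "${state:-absent}"
}

# conntrack_enabled   (reads .config text on stdin)
# Prints "yes" when connection tracking is built in or a module.
# CONFIG_IP_NF_NAT depends on CONFIG_IP_NF_CONNTRACK, so a box that only
# does masquerading still runs the conntrack code.
conntrack_enabled() {
    case $(kconfig_state CONFIG_IP_NF_CONNTRACK) in
        y|m) echo yes ;;
        *)   echo no ;;
    esac
}

# report   (reads .config text on stdin) - human-readable summary.
report() {
    cfg=$(cat)
    ct=$(printf '%s\n' "$cfg" | kconfig_state CONFIG_IP_NF_CONNTRACK)
    nat=$(printf '%s\n' "$cfg" | kconfig_state CONFIG_IP_NF_NAT)
    st=$(printf '%s\n' "$cfg" | kconfig_state CONFIG_IP_NF_MATCH_STATE)
    echo "CONFIG_IP_NF_CONNTRACK=$ct CONFIG_IP_NF_NAT=$nat CONFIG_IP_NF_MATCH_STATE=$st"
    if [ "$(printf '%s\n' "$cfg" | conntrack_enabled)" = yes ]; then
        echo "connection tracking is active on this kernel"
    else
        echo "connection tracking is not compiled in"
    fi
}

if [ -n "${1:-}" ]; then
    report < "$1"
else
    printf '%s\n' "$SAMPLE_CONFIG" | report
fi
```

The `absent` state matters for a real .config: options whose dependencies are unmet do not appear at all, so "not mentioned" is different from "# ... is not set". The summary also shows CONFIG_IP_NF_MATCH_STATE separately, because the `--state` match is what filtering rules use, while conntrack itself is pulled in by NAT regardless.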
