Re: Iptables FW under 2.4.0-test11
On Tue, 26 Dec 2000, S.Salman Ahmed wrote:
> >>>>> "SSA" == S Salman Ahmed <firstname.lastname@example.org> writes:
> SSA> What iptables config option causes this problem ?
> To answer my own question, the CONFIG_IP_NF_CONNTRACK=y option is the
> one that causes the problem. My firewall has to be setup as a
> masquerdaing FW, and in 2.4.0 NAT cannot be used without this option
> enabled. So I can't use NAT in 2.4.0 with this option disabled.
> I tried the 2.4.0-test13-pre4 which is supposed to have the fix for this
> netfilter bug, but "ping -s 65000 localhost" still locks my system
Hello! I am sorry, I was on vacation when you asked and I could not answer
any sooner. For what it's worth, here is the patch that I found floating
in the linux-kernel mailing list. I applied it to a vanilla 2.4.0-test12
kernel and it fixed the problem for me. The laptop I am using right now
has this kernel running, with native firewalling working fine (apparently)
and fragmented packets do not crash it any longer. As to the other
question you were asking, namely if there is a debian package capable to
do with 2.4.x firewalling what the ipmasq packege did with 2.2.x kernels
(automagically set up rules to properly do firewalling/masquerading when
e.g. a PPP link is brought up and take them out when the link goes down) I
still use ipmasq on my computer at home. I hand rewrote almost all the
scripts to adapt them to my own setup, so that I doubt that they can be of
any use to anybody else. However, I set it up roughly this way:
1) I have a script that is softlinked to the rcS.d directory and thus gets
started before any network interface is up. It sets up "one way" filtering
essentially letting anything out from my computer and internal LAN and
nothing in from any (unspecified) external interface, except packets
coming back on connections originated from my internal LAN.
2) Most of the scripts in the ipmasq directories in /etc/ipmasq do nothing
except setting up firewalling rules for antispoofing protection for
dynamic interfaces (and cleaning them up after the dynamic interface goes
down). I need to do this explicitly because I also use free S-WAN for
ipsec and the latter does not work with rp_filter enabled.
Let me know if I can further help with this.
Bye, and merry Christmas and a happy new year by the way
Here goes the patch:
--- linux/net/ipv4/ip_fragment.c~ Tue Dec 12 06:56:29 2000
+++ linux/net/ipv4/ip_fragment.c Tue Dec 19 07:29:53 2000
@@ -485,7 +485,8 @@
qp->fragments = skb;
- qp->iif = skb->dev->ifindex;
+ if (skb->dev)
+ qp->iif = skb->dev->ifindex;
skb->dev = NULL;
qp->meat += skb->len;
Giacomo Mulas <email@example.com, firstname.lastname@example.org, email@example.com>
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
"When the storms are raging around you, stay right where you are"