
Re: kernel-image-2.6-k7 and Shorewall firewall



On Wednesday 30 July 2008 16:41, Account for Debian group mail wrote:
> Hello,
>
> We just did an upgrade on one of our etch servers. It installed a bunch
> of new updates including a kernel-image 2.6.18-6-k7. This computer is
> running the Shorewall Firewall. Everything seemed to be working OK till we
> tried to ping the server.
>
> The firewall is set to let in pings every second:
> From "rules" file inside shorewall - this has always worked:
>
> ACCEPT         net             $FW             icmp    8       -       -       1/sec
>
> What iptables-save shows:
> -A net2fw -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> -A net2fw -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
>
> Should work!
>
> What syslog shows:
> Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> MAC=00:14:2a:4a:3c:cf:xx:xx:xx:25:1c:00:08:00 SRC=20x.10x.xxx.11
> DST=20x.10x.xxx.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=32799 SEQ=8
> (numbers change to protect the innocent)
>
> I change the "rules" file to:
>
> ACCEPT         net             $FW             icmp    8       -       -
>
> so it just accepts pings and it works just fine.
>
> Seems like something has changed in this new kernel-image. Is it possible
> that 1 second in the iptables stuff is no longer 1 second? Do I need to
> decrease or increase the time limit? Anyone else run into this? I would
> still like to limit the ping rates.
>
> Thanks,
>
> Ken
Ken,

I have just tried this with the updated 2.6.18-6-k7 kernel, but I cannot 
re-create your problem.

Steven.
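To make concrete what the `1/sec` rate column becomes (`-m limit --limit 1/sec`, which iptables implements as a token bucket with a default burst of 5), here is a small added model of that match plus a parser for the log format quoted above; it is illustration written for this page, not code from the thread or from Shorewall. The sample log line and ping timings are constructed, and the bucket arithmetic is a simplification of the kernel's limit match, so exact boundary behaviour may differ.

```python
import re

# Constructed sample in the format Shorewall logs (addresses are RFC 5737 examples).
SAMPLE_LOG = ("Jul 30 08:12:19 spare kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
              "MAC=00:14:2a:4a:3c:cf:00:00:00:25:1c:00:08:00 SRC=192.0.2.11 "
              "DST=192.0.2.38 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
              "PROTO=ICMP TYPE=8 CODE=0 ID=32799 SEQ=8")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):(?P<fields>.*)")


def parse_shorewall_log(line):
    """Split a Shorewall kernel log line into chain, verdict and KEY=VALUE fields.
    Returns None for lines that are not Shorewall log entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))  # last ID= wins
    return {"chain": m.group("chain"), "verdict": m.group("verdict"), **fields}


class LimitMatch:
    """Simplified token-bucket model of `-m limit --limit N/sec --limit-burst B`.
    Credit is kept in thousandths of a packet so the arithmetic stays integral."""

    def __init__(self, per_sec, burst=5):  # 5 is the iptables default burst
        self.per_sec, self.cap = per_sec, burst * 1000
        self.credit, self.last_ms = self.cap, None

    def matches(self, now_ms):
        if self.last_ms is not None:  # refill at the configured rate since last packet
            self.credit = min(self.cap, self.credit + (now_ms - self.last_ms) * self.per_sec)
        self.last_ms = now_ms
        if self.credit >= 1000:  # one whole packet's worth of credit available
            self.credit -= 1000
            return True
        return False


def classify_pings(arrival_ms, per_sec=1, burst=5):
    """Verdict per echo request: ACCEPT when the limit match fires, otherwise the
    packet falls through to the chain's DROP policy, as in the quoted log line."""
    m = LimitMatch(per_sec, burst)
    return ["ACCEPT" if m.matches(t) else "DROP" for t in arrival_ms]
```

With this model, pings arriving once a second are all accepted, while a burst at 100 ms intervals is accepted only for the first five packets and then one per second, which is the behaviour the rule is meant to enforce.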

