
RE: Serious issue with ipchains and iptables



Generally, at the end of most ipchains scripts (that I've seen anyways)
there's a set of lines to tell the ipchains engine how long to allow masq'd
connections to stay alive...  As I recall, the default is ridiculously
short, so we generally add the following (or similar) lines (taken from my
firewall):

#
# Masq timeouts - tcp 4hrs (14400s), tcp after fin pkt 60s, udp 10min (600s)
# (-M -S = set masquerade timeouts: tcp, tcp-after-fin, udp, in seconds)
IPCHAINS=/sbin/ipchains   # assumed path; the script defines this earlier
$IPCHAINS -M -S 14400 60 600
echo -n "."
#
#

I imagine that if I had a single connection that lasted longer than those
settings, I would get a similar message & get cut off...  Could your problem
be thus related?  Is your ftp time longer than what the firewall is
allowing?

> -----Original Message-----
> From:	Chuck Mead [SMTP:csm MoonGroup com]
> Sent:	Wednesday, October 31, 2001 11:38 AM
> To:	Red Hat Mailing List
> Subject:	Serious issue with ipchains and iptables
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> I think I may have discovered a pretty serious bug that appears to be
> kernel related. First off here's the architecture:
> 
> I am using a cable modem for my connection to the world and it works
> fine... no issues there.
> 
> I am using an Intel PII 450 with 64MB of RAM and 256MB of swap as an
> ipchains/tables host and it is running 7.2 fully updated.
> 
> The external interface (eth1) is a LNE100TX [Linksys EtherFast 10/100]
> and the internal (eth0) is a 3Com Corporation 3c905B 100BaseTX
> [Cyclone].
> 
> I have tried several different scripts to handle the firewalling duties.
> I've tried both the iptables and the ipchains versions of Plonk
> (plonk.sourceforge.net) and MonMotha's Firewall 2.2.1
> (http://t245.dyndns.org/~monmotha/firewall/index.php) and they all work.
> I had been using Plonk for a long time and just started trying the
> MonMotha yesterday in response to this problem.
> 
> Now to the problem...
> 
> Doing mail and browsing is just fine and I have no issues there. The
> problem appeared when I was trying to FTP down some stuff which was
> quite sizeable. The download would start and I'd get 10% done on a 40MB
> download and then it would stop with no visible cause (a case in point
> is today's xemacs update available via RHN). But not only did the ftp
> stop but all outside connectivity would die. At first I thought I was
> having a hardware problem but after a while I tried just rerunning the
> firewall script and that would correct the problem (but that only worked
> using iptables) though I had to restart the network to get that to work
> with ipchains. I have tried all the installed kernels:
> 
> 2.4.9-7enterprise
> 2.4.9-7
> 2.4.7-10enterprise
> 2.4.7-10
> 
> The problem occurs with all of these kernels and it occurs every time I
> start to load up the connection.
> 
> Using ipchains I get this (below) message in the log with kernel logging
> enabled in syslog but I see nothing of any significance in the kernel
> log when I use iptables.
> 
> Oct 31 10:50:05 gateway kernel: Sorry: masquerading timeouts set
> 5DAYS/2MINS/60SECS
> 
> Has anybody seen this problem before?
> 
> - --
> csm
> Free Dmitry!
> Boycott Adobe!
> Repeal the DMCA!
> Stop the SSSCA!
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iEYEARECAAYFAjvgKNkACgkQv6Gjsf2pQ0ozAwCgnGzDFoiPSAHoYVXsofNXXcDV
> 7bcAoKfdHcKiVrbtBhlHozA8H6NySyyZ
> =y7o/
> -----END PGP SIGNATURE-----
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> Redhat-list redhat com
> https://listman.redhat.com/mailman/listinfo/redhat-list
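The reply above sets the masquerade timeouts with a bare "ipchains -M -S" line and hand-converted seconds, which is how a comment ends up saying 8 hours next to a value that is 4 hours. The following helper is an added example, not code from either message or from the Plonk or MonMotha scripts: it converts human-readable durations to seconds, validates them, and builds the same -M -S command, with a dry-run default so it can be checked before anything touches the firewall. The IPCHAINS path and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): build and check an
# "ipchains -M -S tcp tcpfin udp" masquerade-timeout command.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # assumed path to the ipchains binary
DRY_RUN=${DRY_RUN:-1}                  # 1 = only print the command (assumed)

# to_seconds 8h -> 28800; accepts s/m/h/d suffixes or bare seconds
to_seconds() {
    n=${1%[smhd]}
    case "$1" in
        *d) echo $((n * 86400)) ;;
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *s) echo "$n" ;;
        *)  echo "$1" ;;
    esac
}

# masq_timeout_cmd TCP TCPFIN UDP -> prints the ipchains command, or fails
# if any value is not a positive integer number of seconds
masq_timeout_cmd() {
    tcp=$(to_seconds "$1"); fin=$(to_seconds "$2"); udp=$(to_seconds "$3")
    for v in "$tcp" "$fin" "$udp"; do
        case "$v" in
            ''|*[!0-9]*) echo "bad timeout: $v" >&2; return 1 ;;
        esac
        [ "$v" -gt 0 ] || { echo "timeout must be positive: $v" >&2; return 1; }
    done
    echo "$IPCHAINS -M -S $tcp $fin $udp"
}

# apply_masq_timeouts TCP TCPFIN UDP: run the command unless DRY_RUN=1
apply_masq_timeouts() {
    cmd=$(masq_timeout_cmd "$@") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry-run: $cmd"
    else
        $cmd
    fi
}

# Usage: the values from the reply above, expressed as durations
apply_masq_timeouts 4h 60s 10m
```

With DRY_RUN left at 1 the script only prints "/sbin/ipchains -M -S 14400 60 600", which makes it easy to confirm that the seconds really match the intended 4 hours, 60 seconds and 10 minutes before the line is pasted into a firewall script.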