Re: [fw-wiz] Weird FW bridge stuff (Linux)

From: Chris Ditri (chrisd_at_better-investing.org)
Date: 12/10/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 10 Dec 2003 15:58:43 -0500
    
    

    Thanks for the input guys.

    I had reconfigured my kernel to turn off debugging -- but I forgot to copy the
    bzImage -- so I was still using the old image (whoops).

    That seemed to clear up the log problem.

    I still don't know why 2.4.23 ignores my iptables commands...

    Thanks again.

    Chris

    On Tuesday 09 December 2003 03:51 pm, Chris Ditri wrote:
    > Hello.
    >
    > I have set up a linux ethernet bridge/firewall. Everything seemed to be
    > working pretty well, until one day I found that my /var/log/messages was
    > filled up with 14 gigabytes of this junk:
    >
    > Dec 9 15:47:55 kronos nf_hook: hook 4 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth0 len=74
    > Dec 9 15:47:55 kronos nf_hook: hook 0 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=br0 len=69
    > Dec 9 15:47:55 kronos PROTO=6 209.202.220.135:25 10.103.232.134:46016 L=69
    > S=0x00 I=7745 F=0x4000 T=50
    > Dec 9 15:47:55 kronos nf_hook: hook 0 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth0 len=69
    > Dec 9 15:47:55 kronos nf_hook: hook 2 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=eth1 len=69
    > Dec 9 15:47:55 kronos PROTO=6 209.202.220.135:25 10.103.232.134:46016 L=69
    > S=0x00 I=7745 F=0x4000 T=50
    > Dec 9 15:47:55 kronos nf_hook: hook 2 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth1 len=69
    > Dec 9 15:47:55 kronos nf_hook: hook 4 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=eth1 len=69
    > Dec 9 15:47:55 kronos PROTO=6 209.202.220.135:25 10.103.232.134:46016 L=69
    > S=0x00 I=7745 F=0x4000 T=50
    > Dec 9 15:47:55 kronos nf_hook: hook 4 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth1 len=69
    > Dec 9 15:47:55 kronos nf_hook: hook 0 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=br0 len=58
    > Dec 9 15:47:55 kronos PROTO=6 10.103.232.134:46016 209.202.220.135:25 L=58
    > S=0x00 I=14180 F=0x4000 T=64
    > Dec 9 15:47:55 kronos nf_hook: hook 0 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth1 len=58
    > Dec 9 15:47:55 kronos nf_hook: hook 2 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=eth0 len=58
    > Dec 9 15:47:55 kronos PROTO=6 10.103.232.134:46016 209.202.220.135:25 L=58
    > S=0x00 I=14180 F=0x4000 T=64
    > Dec 9 15:47:55 kronos nf_hook: hook 2 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth0 len=58
    > Dec 9 15:47:55 kronos nf_hook: hook 4 already set.
    > Dec 9 15:47:55 kronos skb: pf=2 (unowned) dev=eth0 len=58
    > Dec 9 15:47:55 kronos PROTO=6 10.103.232.134:46016 209.202.220.135:25 L=58
    > S=0x00 I=14180 F=0x4000 T=64
    > Dec 9 15:47:55 kronos nf_hook: hook 4 already set.
    > Dec 9 15:47:55 kronos skb: pf=7 (unowned) dev=eth0 len=58
    >
    > I did some poking around, and I heard that this was because of a bug in the
    > 2.4.19 version of this software (patch for the kernel). So I downloaded
    > and compiled the kernel in 2.4.23 -- with the same exact config file. All
    > of a sudden none of my IPTABLES rules are having any influence on
    > traffic! Bye-bye firewall...
    >
    > I tried to apply the patch to my 2.4.23 kernel, but it fails. I cannot
    > find this version of a bridge patch for 2.4.23 anywhere. I have read that
    > people have gotten this sort of thing working with kernel 2.4.20 and up --
    > but no reference as to what they had to do to get it working right.
    >
    > What can I do?
    >
    > Thanks!
    >
    > Chris
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


