Strange case of INVALID matching


Strange case of INVALID matching

by Whit Blauvelt


Hi,

A LAN is connected to the outside by two firewall boxes, one of which is
handling the primary stuff - DNAT in and SNAT out - the other of which is
mostly there as a hot backup, but also is actively running OpenVPN. A
peculiarity of this setup is that since the primary box is the default
gateway to the Net for boxes on the LAN, it ends up getting the traffic on
the way back out the VPN, which it forwards to the OpenVPN box via an ip
route rule. This all generally works fine.

But when a firewall is put in place that tosses INVALID packets on the
primary, at least some systems on the LAN get their return traffic packets
blocked as INVALID there and tossed. It looks like:

Aug  3 09:50:00 system1 kernel: [3177144.669949] RULE -1 -- DENY IN=eth1 OUT=eth1 SRC=192.168.1.9
  DST=10.50.30.30 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=58602 PROTO=TCP SPT=445 DPT=1457 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Aug  3 10:09:34 firewall2 kernel: [3178316.138953] RULE -1 -- DENY IN=eth1 OUT=eth1 SRC=192.168.1.10
  DST=10.50.30.6 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=20177 DF PROTO=ICMP TYPE=0 CODE=0 ID=60277 SEQ=2

The IN and OUT on the same interface is right. It's to forward the traffic
back on the LAN to the OpenVPN box, which will send it out to the remote
user.

Seems like deleting the INVALID rule is the only way to prevent this
blockage, which totally disables VPN access to the affected systems. Should
this be the case? Is there some other way around it?

Thanks,
Whit

_______________________________________________
Fwbuilder-discussion mailing list
Fwbuilder-discussion@...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
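The two log lines above have the same shape: IN and OUT are the same LAN interface, the source is a LAN host, the destination is a VPN client address, and the packet is the reply leg of a conversation (a TCP SYN/ACK from port 445, an ICMP echo reply) whose opening leg went through the OpenVPN box and so was never seen by this box's conntrack. The script below is an added triage example, not code from the post or from fwbuilder: it parses kernel log lines in the format shown, flags the ones that fit that pattern, and lists the affected LAN hosts and their VPN peers. The LAN prefix 192.168.1.0/24 and the VPN client pool 10.50.30.0/24 are assumptions read off the addresses in the post, and the sample lines are constructed to match the logged format (the third one is an unrelated inbound drop included as a control).

```python
"""Triage iptables/fwbuilder DENY log lines for asymmetric-routing INVALID drops.

Added example; the prefixes below are assumptions based on the addresses
in the post, not configuration taken from the original setup.
"""
import re
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # assumption: the protected LAN
VPN_CLIENTS = ip_network("10.50.30.0/24")    # assumption: OpenVPN client pool

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Aug  3 09:50:00 system1 kernel: [3177144.669949] RULE -1 -- DENY IN=eth1 OUT=eth1 SRC=192.168.1.9 DST=10.50.30.30 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=58602 PROTO=TCP SPT=445 DPT=1457 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Aug  3 10:09:34 system1 kernel: [3178316.138953] RULE -1 -- DENY IN=eth1 OUT=eth1 SRC=192.168.1.10 DST=10.50.30.6 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=20177 DF PROTO=ICMP TYPE=0 CODE=0 ID=60277 SEQ=2
Aug  3 10:11:02 system1 kernel: [3178404.000001] RULE -1 -- DENY IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
"""


def parse_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus bare flag tokens.

    ICMP lines carry a second ID= (the echo identifier); it is stored as
    ICMP_ID so the IP header ID is not overwritten.
    """
    _, sep, rest = line.partition(" IN=")
    if not sep:
        return None
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            if key == "ID" and "ID" in fields:
                key = "ICMP_ID"
            fields[key] = value           # empty OUT= yields "" and is kept
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
    return {"fields": fields, "flags": flags, "raw": line}


def is_reply_leg(fields, flags):
    """True if the packet can only be the answering half of a conversation."""
    proto = fields.get("PROTO")
    if proto == "TCP":
        return "ACK" in flags             # any ACKed segment needs tracked state
    if proto == "ICMP":
        return fields.get("TYPE") == "0"  # echo reply without a tracked request
    return False


def classify(entry):
    """'asymmetric-return' for LAN->VPN replies hairpinned on one interface."""
    fields, flags = entry["fields"], entry["flags"]
    src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    hairpin = bool(fields.get("IN")) and fields.get("IN") == fields.get("OUT")
    if hairpin and src in LAN and dst in VPN_CLIENTS and is_reply_leg(fields, flags):
        return "asymmetric-return"
    return "other"


def affected_hosts(entries):
    """Map each LAN host whose replies were dropped to its VPN peers."""
    result = {}
    for entry in entries:
        if classify(entry) == "asymmetric-return":
            f = entry["fields"]
            result.setdefault(f["SRC"], set()).add(f["DST"])
    return {host: sorted(peers) for host, peers in sorted(result.items())}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(classify(e), e["fields"]["SRC"], "->", e["fields"]["DST"])
    print(affected_hosts(entries))
```

Run it against the real /var/log/messages instead of SAMPLE_LOG to confirm that every drop blamed on the INVALID rule is of this one kind; if it is, the cause is that this box tracks only half of each VPN flow, and the usual remedies are to exempt that hairpin path from connection tracking in the raw table (NOTRACK, or CT --notrack on newer kernels) or to accept it explicitly before the INVALID drop, rather than removing the INVALID rule for everything.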

Re: Strange case of INVALID matching

by Whit Blauvelt


On Mon, Aug 03, 2009 at 10:38:27AM -0400, Whit Blauvelt wrote:

> Aug  3 10:09:34 firewall2 kernel: [3178316.138953] RULE -1 -- DENY IN=eth1 OUT=eth1 SRC=192.168.1.10
>   DST=10.50.30.6 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=20177 DF PROTO=ICMP TYPE=0 CODE=0 ID=60277 SEQ=2

(Eh, forgot to replace "firewall2" w/ "system1" - same box.)

- W
