From: Tom E. <te...@sh...> - 2004-06-30 18:02:10

Alexander Gretencord wrote:
> On Wednesday 30 June 2004 16:07, Tom Eastep wrote:
>
>> Sorry, I misled you; the conntrack entry you posted indicates that the
>> SYN,ACK has been received but no ACK from the client has been seen. This
>> agrees with the observed behavior that the SYN,ACK isn't being passed
>> back to InternalhostB.
>
> Well how would the ACK be coming back when no SYN,ACK has gone out the
> internal interface :)

Exactly!

> A tcpdump on eth1 only shows the SYN packet going out
> but nothing coming back in. What I really don't get is why this doesn't work
> as desired when it works with InternalhostA's traffic?

I don't know.

> The difficult
> direction works but not the one that conntracking should handle without a
> problem? There's nothing in the shorewall logs either.
>
> Does the SNAT entry shorewall generates also generate some other rule I have
> not found?

Each entry in the masq file generates a single SNAT rule.

> I even looked at shorewall debug output but could only see the -j
> SNAT rule.

That's all there should be.

If you can do a controlled test, we might see what's happening:

a) shorewall reset
b) Try the connection
c) capture "shorewall status"

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
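The diagnosis in the reply above rests on reading the TCP state of a conntrack entry (SYN_RECV means the server's SYN,ACK was seen but the client's final ACK was not) and on noticing that the reply tuple points at the SNAT address rather than the internal client. The following is an added example, not code from the thread or from the Shorewall project: a small parser for entries in the classic /proc/net/ip_conntrack layout that reports how far the handshake got and whether SNAT is in effect for the flow. The entry lines, addresses and ports are constructed for the example; the layout assumed is `proto num timeout [STATE] src= dst= sport= dport= [UNREPLIED] src= dst= sport= dport= [ASSURED] use=N`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# What each TCP conntrack state tells you about the three-way handshake,
# as observed by the firewall doing the tracking.
TCP_STATE_MEANING = {
    "SYN_SENT": "client SYN seen; no SYN,ACK from the server yet",
    "SYN_RECV": "server SYN,ACK seen; no final ACK from the client yet",
    "ESTABLISHED": "three-way handshake completed",
    "FIN_WAIT": "one side has sent FIN",
    "CLOSE_WAIT": "FIN seen, waiting for the other side to close",
    "LAST_ACK": "waiting for the final ACK of the close",
    "TIME_WAIT": "connection closed, entry lingering",
    "CLOSE": "connection closed (RST or both FINs)",
}

# Constructed sample entries (assumed /proc/net/ip_conntrack layout).
SAMPLE_ENTRIES = [
    # SYN went out, nothing came back yet.
    "tcp      6 118 SYN_SENT src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=80 "
    "[UNREPLIED] src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40000 use=1",
    # The situation discussed in the thread: SYN,ACK received, client ACK never seen.
    "tcp      6 59 SYN_RECV src=192.168.1.20 dst=203.0.113.5 sport=40001 dport=80 "
    "src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40001 use=1",
    # A healthy SNATed connection.
    "tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=203.0.113.5 sport=40002 dport=443 "
    "src=203.0.113.5 dst=198.51.100.2 sport=443 dport=40002 [ASSURED] use=1",
    # No NAT: the reply is addressed straight back to the original source.
    "tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=198.51.100.2 sport=5000 dport=22 "
    "src=198.51.100.2 dst=198.51.100.9 sport=22 dport=5000 [ASSURED] use=1",
]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FLAG_RE = re.compile(r"\[(\w+)\]")

Tuple4 = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: Optional[str]   # TCP only; None for protocols without a state column
    orig: Tuple4           # packet as sent by the client
    reply: Tuple4          # reply tuple the firewall expects (post-NAT)
    flags: List[str]       # e.g. ["UNREPLIED"] or ["ASSURED"]


def parse_conntrack_line(line: str) -> ConntrackEntry:
    """Parse one ip_conntrack line into its protocol, state and the two tuples."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    # TCP lines carry a state column; UDP/ICMP lines go straight to src=...
    state = None if fields[3].startswith("src=") else fields[3]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
    reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
    return ConntrackEntry(proto, timeout, state, orig, reply, FLAG_RE.findall(line))


def snat_applied(entry: ConntrackEntry) -> bool:
    """SNAT is in effect when replies are addressed to an address other than the original source."""
    return entry.reply[1] != entry.orig[0]


def handshake_stage(entry: ConntrackEntry) -> str:
    """Human-readable description of how far the TCP handshake got."""
    if entry.proto != "tcp" or entry.state is None:
        return "not a TCP entry"
    return TCP_STATE_MEANING.get(entry.state, "unknown state %s" % entry.state)


def diagnose(entry: ConntrackEntry) -> str:
    """One-line diagnostic for the flow, in the spirit of the thread's reasoning."""
    nat = "SNAT %s -> %s" % (entry.orig[0], entry.reply[1]) if snat_applied(entry) else "no NAT"
    hint = ""
    if entry.state == "SYN_RECV":
        hint = "; SYN,ACK reached the firewall but the client's ACK never did: check whether the SYN,ACK is forwarded out the internal interface"
    elif entry.state == "SYN_SENT":
        hint = "; nothing has come back from the server yet"
    return "%s:%d -> %s:%d [%s] %s (%s)%s" % (
        entry.orig[0], entry.orig[2], entry.orig[1], entry.orig[3],
        entry.state, handshake_stage(entry), nat, hint)


def report(lines: List[str]) -> List[str]:
    return [diagnose(parse_conntrack_line(l)) for l in lines]


if __name__ == "__main__":
    for line in report(SAMPLE_ENTRIES):
        print(line)
```

Run it against a saved copy of the conntrack table captured right after the failing connection attempt; the SYN_RECV entry with an SNAT mapping is the one that matches the symptom described above, and the reply tuple it prints is the packet you should expect to see leaving on the internal interface.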