From: Hugh D. <hu...@da...> - 2012-12-04 03:40:08
Hey,

I have a setup that has one machine communicating to a server using UDP over IPv6. For specifics, it is using collectd with a boosted MaxPacketSize in the network config. What this means is there is some IP fragmentation happening, and that is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the particular communication I want.

What I'm getting in my logs is (I've logged the ACCEPT rule for clarity):

Dec 4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec 4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP

The rule I have is:

ACCEPT:info int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
    dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
    udp 25826

Does anyone have any ideas on how I can ALLOW this fragmentation?

May be a red herring, but if I go over IPv4, I don't get the same REJECT, and it appears the data is getting sent.

Many thanks for any responses.

Cheers,
Hugh
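A way to triage this from the log alone, as an added example that is not part of Hugh's post or of Shorewall itself: the script below parses netfilter/Shorewall IPv6 log lines such as the two quoted above, groups fragments by SRC, DST and fragment ID, and reports datagrams whose first fragment was accepted but a later fragment refused. The point it makes visible is that a non-first fragment carries no UDP header (which is why the REJECT line has PROTO=UDP but no SPT/DPT), so a rule that matches on a UDP port has nothing to match against in that packet. The script assumes the fixed 40-byte IPv6 header and 8-byte Fragment extension header when computing each fragment's payload, and uses the two quoted lines, with addresses masked as in the post, as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: the two kernel log lines quoted in the post,
# addresses masked exactly as in the original (they are not real hosts).
SAMPLE_LOG = """\
Dec 4 16:11:19 xxxx kernel: [67682.239124] Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 LEN=1905
Dec 4 16:11:19 xxxx kernel: [67682.239148] Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP
"""

IPV6_HDR = 40   # assumption: fixed IPv6 base header size
FRAG_HDR = 8    # assumption: IPv6 Fragment extension header size (RFC 2460, section 4.5)

# Shorewall prefixes netfilter log lines with "<chain>:<verdict>:" before the packet fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):(?P<rest>.*)$")


def parse_line(line):
    """Parse one Shorewall/netfilter IPv6 log line into a dict; return None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict"), "flags": set()}
    lens = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)        # KEY=value; IPv6 addresses contain ':' but we split on '=' first
        elif ":" in tok and tok.split(":", 1)[0].isupper():
            key, val = tok.split(":", 1)        # FRAG:offset and ID:hexid use ':' instead of '='
        else:
            rec["flags"].add(tok)               # bare words such as INCOMPLETE
            continue
        if key == "LEN":
            lens.append(int(val))               # first LEN is the IPv6 packet, a second LEN is the UDP length field
        else:
            rec[key] = val
    rec["ip_len"] = lens[0] if lens else None
    rec["l4_len"] = lens[1] if len(lens) > 1 else None
    rec["frag_off"] = int(rec["FRAG"]) if "FRAG" in rec else None
    if rec["frag_off"] is not None and rec["ip_len"] is not None:
        # Bytes of upper-layer data this fragment carries, derived from the logged packet length.
        rec["frag_payload"] = rec["ip_len"] - IPV6_HDR - FRAG_HDR
    return rec


def fragment_report(log_text):
    """Group fragments by (SRC, DST, ID) and describe what the firewall did with each datagram."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec.get("ID") is not None:
            groups[(rec.get("SRC"), rec.get("DST"), rec["ID"])].append(rec)

    report = {}
    for (src, dst, frag_id), recs in groups.items():
        ordered = sorted((r for r in recs if r["frag_off"] is not None), key=lambda r: r["frag_off"])
        first = next((r for r in ordered if r["frag_off"] == 0), None)
        refused = [r for r in ordered if r["frag_off"] and r["verdict"] in ("REJECT", "DROP")]
        total_seen = sum(r["frag_payload"] for r in ordered)
        report[frag_id] = {
            "src": src,
            "dst": dst,
            "first_verdict": first["verdict"] if first else None,
            "dport": first.get("DPT") if first else None,
            "refused_offsets": [r["frag_off"] for r in refused],
            # Non-first fragments have no transport header, so the log shows no SPT/DPT for them.
            "refused_have_ports": any("DPT" in r for r in refused),
            # Do the logged fragments add up to the UDP length announced in the first fragment?
            "datagram_complete": first is not None and first["l4_len"] == total_seen,
            # Does each fragment start exactly where the previous one ended?
            "offsets_contiguous": all(a["frag_off"] + a["frag_payload"] == b["frag_off"]
                                      for a, b in zip(ordered, ordered[1:])),
        }
    return report


if __name__ == "__main__":
    for frag_id, info in fragment_report(SAMPLE_LOG).items():
        print(frag_id, info)
```

Run it against a real log and look for entries with `first_verdict == "ACCEPT"`, a non-empty `refused_offsets` and `refused_have_ports == False`: that combination is the signature of a port-matching rule accepting the head of a datagram while the policy rejects its tail. The `datagram_complete` and `offsets_contiguous` checks confirm that what was logged really is one datagram split cleanly (for the sample, 1448 + 457 bytes against a UDP length of 1905), which rules out a separate MTU or truncation problem.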