tried :
2.3.42 , 486sx25, 8MB, router, mrouted, firewall, some impressions
1. iptables is a fine thing, but that ipnatctl NAT packets arent going
trough firewall rules when coming back, it should be written red
somewhere. Preferably then a NAT chain (besides BRIDGE wished too)
There are several reasons for that, first of them is that I want my
firewall rules to be WYSIWYG and complete and being able to
control/determine all aspects of packet passing behaviour, meaning
giving logentries every time it is written there in single firewall
setup file.
2. 8M memory,
after init VM kills a random process, usually sh or modprobe
top shows 0MB shared memory, whereby I have quite full router on
runlevel 3 with several daemons
How about cache-buffer optimisations: is the kernel doing them for now
or what would I like to write there in /proc with such a low mem and
16MB swap and partitions mounted sync ?
3. after mrouted fired:
ip_dev_loopback_xmit: bad owned skb = c0602c70: POST_ROUTING
skb: pf=2 (unowned) dev=eth0 len=32
PROTO=2 111.222.333.444:0 224.0.0.4:0 L=32 I=0 F=0x4000 T=1 O=0x00000494
ip_finish_output: bad unowned skb = c0602c70: POST_ROUTING
skb: pf=2 (unowned) dev=eth0 len=32
PROTO=2 111.222.333.444:0 224.0.0.4:0 L=32 I=0 F=0x4000 T=1 O=0x00000494
I have output policy DROP, but specifically igmp is allowed and those
messages arent exactly the DROP messages
4. lance driver is getting tx timeouts when APM is enabled on Siemens
nixdorf 486sx
firewall:
network development people: suggestion: make a firewall ruleset where
everything(specifically, OUTPUT chain) is by default DROP and every
ACCEPT is added per need. Seems that it helps finding problems.
some other:
* broadcast packets sent out seem to raise alert in INPUT chain on the
same interface, of course in spoofing rules section.
* iptables screams quite often: nf_iterate: NF_DROP for c01234567.
would be nice to take it down from somewhere (where ) ?
* ipnatctl misses some docs or features, most interesting would be a
fwmark
* gated and routing:
looks like routing marks routes unavailable when there comes output
reject or deny on some packets(also on 2.2)
which may be well very systematical approach, but try to write correct
output reject rules with that.
well, it is not correct, because The Route is up if at leas one type of
packet goes trough.
* mrouted of course, dies on that, and sometimes so bad, that I have to
reboot because it starts dying periodically then. And of course, it wont
wake up sometimes on system startup stages.
besides, ideologically and practically is iptables a real fine and
systematic thing.
looking for 2.4
elmer.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:12 EST