Re: Weird Problem with TCP

From: Stuart Young
Date: Thu Sep 02 2004 - 10:08:28 EST

Next message: Alan Cox: "Test Patch: Further I2O cleanups"
Previous message: Paolo Molaro: "incorrect time accouting"
In reply to: Rohit Neupane: "Re: Weird Problem with TCP"
Next in thread: Denis Vlasenko: "Re: Weird Problem with TCP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2 Sep 2004 23:33, Rohit Neupane wrote:
> On Thu, 02 Sep 2004 11:56:59 +0100, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
wrote:
> > > * Everything works fine for about 5-10 mins then all of a sudden TCP
> > > services are not accessable.
> > > * For some reason TCP times out. However at the same time
> > > ping,traceroute and dns trace works without any problem.
> > > * The connected TCP sokets keeps working without any problem. I
> > > verified this by using Msn chat. I observerd that I chat session (
> > > which I had started when everything was normal) continued without any
> > > problem however I was not able to initiate a new chat session.
> >
> > Are you using session tracking. The symptoms you describe are
> > classically those of session tracking nat/firewalling/whatever running
> > out of table entries and being unable to allow new connections.
>
> No, it is not running any session tracking (ip_conntrack) neither it
> does nat. It is just a firewall with around 1600 rules in FORWARD
> mangle table and around 1500 rules in FORWARD filter table. Out of
> 1500 rules , 1377 rules are MAC filter rules.
> And it had 3 alias address for the interface conneted to the wirelss.

EEEEK! 1600? That is insane!

Consider cutting your rules into sections, and jumping to other tables to do
sections of the work. Perhaps you can filter on the start of the MAC address
and break this into smaller sections?

Also of note: MAC addresses are easily spoofed, so if you're using this to
lock out people on wireless, forget it, it doesn't work. Get them to use
tunnels (eg: ipsec) instead. The only real way MAC addresses even sort of
work is when you're providing a hotspot, ie: where you can't guarantee the
client to have anything apart from base wireless, and you should therefore
keep a tight leash on users connections by either timing them out regularly,
or making them keep open a https:// page to a login/AAA server (ie: a page
that auto-refreshes - when they stop refreshing the page, consider their
connection stale).

--
Stuart Young (aka Cef)
cef-lkml@xxxxxxxxxxxxxxx is for LKML and related email only
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Test Patch: Further I2O cleanups"
Previous message: Paolo Molaro: "incorrect time accouting"
In reply to: Rohit Neupane: "Re: Weird Problem with TCP"
Next in thread: Denis Vlasenko: "Re: Weird Problem with TCP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]