A few revisions back of the 2.0 kernel (I think it started with 2.0.25), I
started noticing problems establishing ftp connections out of the firewall
to some hosts running these later versions of the kernel. I could
connect, but would take a TCP timeout to get to a prompt (15 minutes).
I found out that the reason was that these later versions implemented a
more strict check on ICMP_PORT_UNREACH packets (adding a match=1; in the
switch in icmp.h). The firewall was set up with a rule to reject auth
connections from outside (for privacy reasons). Well, some ftp servers
try to do an auth query when they get a connection, and the firewall was
sending an ICMP_PORT_UNREACH packet, but the kernel on the server ignored
it because the source address was the address of the firewall machine, and
not of the destination machine.
I think that the firewall code should fake the ICMP packets from matched
reject firewall rules to look like they came from the destination machine,
and not the firewall. Anybody else?
--
| Evan Harris - Consultant, Harris Enterprises - eharris@puremagic.com |
| Custom Solutions for your Software, Networking, and Telephony Needs
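An added example, not part of the post above and not code from the 2.0 kernel or its icmp.h: a small C model of the source-address check the post describes, run over two constructed ICMP port-unreachable packets. The first is sourced from the firewall's own address (what the firewall did), the second from the address of the host the auth query was aimed at (what the post proposes). The IP addresses, port numbers, the packet builder and the function names are all assumptions made for the illustration; the kernel's real validation is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_LEN 20
#define ICMP_HDR_LEN 8
#define ICMP_DEST_UNREACH 3   /* ICMP type */
#define ICMP_PORT_UNREACH 3   /* ICMP code under type 3 */
#define PROTO_ICMP 1
#define PROTO_TCP 6

/* Addresses are constructed from the RFC 5737 documentation ranges. */
#define ADDR(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const uint32_t FTP_SERVER = ADDR(203, 0, 113, 10); /* outside host, newer kernel */
static const uint32_t FIREWALL   = ADDR(198, 51, 100, 1); /* machine holding the reject rule */
static const uint32_t CLIENT     = ADDR(192, 0, 2, 25);   /* ftp client behind the firewall */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Build: outer IPv4 header + ICMP port-unreachable + the original datagram's IPv4
 * header + its first 8 bytes of TCP (ports). Checksums are left zero because the
 * check demonstrated here never looks at them. Returns the total length. */
size_t build_port_unreach(uint8_t *buf, uint32_t icmp_src, uint32_t icmp_dst,
                          uint32_t orig_src, uint32_t orig_dst,
                          uint16_t orig_sport, uint16_t orig_dport)
{
    size_t total = IP_HDR_LEN + ICMP_HDR_LEN + IP_HDR_LEN + 8;
    memset(buf, 0, total);
    uint8_t *ip = buf;
    ip[0] = 0x45;                     /* version 4, IHL 5 (no options) */
    put16(ip + 2, (uint16_t)total);
    ip[8] = 64;                       /* TTL */
    ip[9] = PROTO_ICMP;
    put32(ip + 12, icmp_src);
    put32(ip + 16, icmp_dst);
    uint8_t *icmp = buf + IP_HDR_LEN;
    icmp[0] = ICMP_DEST_UNREACH;
    icmp[1] = ICMP_PORT_UNREACH;
    uint8_t *inner = icmp + ICMP_HDR_LEN;  /* copy of the rejected datagram's header */
    inner[0] = 0x45;
    put16(inner + 2, 40);             /* 20 IP + 20 TCP, an assumed original length */
    inner[8] = 64;
    inner[9] = PROTO_TCP;
    put32(inner + 12, orig_src);
    put32(inner + 16, orig_dst);
    put16(inner + IP_HDR_LEN, orig_sport);
    put16(inner + IP_HDR_LEN + 2, orig_dport);
    return total;
}

/* Strict receiver-side check: believe a destination-unreachable only when the
 * IP source of the ICMP packet equals the destination of the embedded original
 * datagram. Returns 1 if accepted, 0 if ignored, -1 if the packet is malformed. */
int strict_unreach_check(const uint8_t *pkt, size_t len)
{
    if (len < IP_HDR_LEN) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < IP_HDR_LEN || pkt[9] != PROTO_ICMP) return -1;
    if (len < ihl + ICMP_HDR_LEN + IP_HDR_LEN + 8) return -1;
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_DEST_UNREACH) return -1;
    const uint8_t *inner = icmp + ICMP_HDR_LEN;
    if ((inner[0] >> 4) != 4) return -1;
    uint32_t outer_src = get32(pkt + 12);
    uint32_t inner_dst = get32(inner + 16);
    return outer_src == inner_dst ? 1 : 0;
}

/* The scenario from the post: the ftp server's auth query (TCP to port 113 on the
 * client) hits the firewall's reject rule. fake_source_as_client selects whether
 * the ICMP reply is sourced from the firewall (0) or from the client address (1). */
int reject_outcome(int fake_source_as_client)
{
    uint8_t buf[64];
    uint32_t src = fake_source_as_client ? CLIENT : FIREWALL;
    size_t n = build_port_unreach(buf, src, FTP_SERVER, FTP_SERVER, CLIENT, 40000, 113);
    return strict_unreach_check(buf, n);
}

int main(void)
{
    printf("ICMP sourced from firewall: %s\n", reject_outcome(0) == 1 ? "accepted" : "ignored (connect waits for TCP timeout)");
    printf("ICMP sourced from client:   %s\n", reject_outcome(1) == 1 ? "accepted" : "ignored");
    return 0;
}
```

With the firewall's own address as the ICMP source the check returns 0 and the auth query is left to time out, which is the 15-minute delay the post reports; with the client's address it returns 1 and the server gives up on the auth query immediately.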