httpd-users mailing list archives

From Ed Suominen <gene...@eepatents.com>
Subject [users@httpd] Crazy Apache/Shorewall Problem
Date Sat, 13 Mar 2004 04:04:32 GMT
 I have spent an embarrassingly large number of hours today trying to get
 Apache to serve stuff through iptables as configured by the Shorewall
firewall package.
 
 After much logging, shorewall reloading, and packet sniffing, I found that
 my router (192.168.254.254) is sending ICMP packets back to me when big
 files are requested by some (but not all?!?!?) clients:
 
 Mar 12 19:45:51 [kernel] DEBUG:IN
 IN=eth1 OUT= 
 MAC=<whatever> SRC=192.168.254.254 DST=192.168.254.1
 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=22404 DF
 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.254.1 DST=69.57.157.43 LEN=1520
 TOS=0x00 PREC=0x00 TTL=63 ID=54196 FRAG:64 PROTO=TCP ]
 MTU=1492
 
 The type and code mean "Fragmentation needed but no frag. bit set."
 
 Shorewall drops ICMP packets, so I had to add the following
 to /etc/shorewall/start:
 
 iptables -I INPUT -i eth1 -s 192.168.254.254 -p icmp --icmp-type 3 -j ACCEPT
 
 Presumably, no one will be able to make my router send malicious ICMP
 packets of type 3, all codes of which look pretty benign.
 
 Not really asking for any help here, but curious if anyone knows of a fix
 for the ICMP junk and if anyone has ever heard of this.
 
 -- 
 Ed Suominen
 Registered Patent Agent 
 Open Source Developer (Yes, both...)
 Web Site: http://www.eepatents.com
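
An added example, not part of the original message: a Python parser for the netfilter log line quoted above that recognises the ICMP type 3 code 4 report and extracts the flow that triggered it, the next-hop MTU, and the largest TCP MSS that fits (MTU minus 40 bytes of IPv4 and TCP headers, assuming no options). The function names are hypothetical, and the sample is the post's log line joined onto one line.

```python
import re

# Log line from the message above, joined onto one line (MAC left as the post's placeholder).
SAMPLE = ("Mar 12 19:45:51 [kernel] DEBUG:IN IN=eth1 OUT= MAC=<whatever> "
          "SRC=192.168.254.254 DST=192.168.254.1 LEN=56 TOS=0x00 PREC=0x00 TTL=64 "
          "ID=22404 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.254.1 "
          "DST=69.57.157.43 LEN=1520 TOS=0x00 PREC=0x00 TTL=63 ID=54196 "
          "FRAG:64 PROTO=TCP ] MTU=1492")

KV = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Split a netfilter LOG line into outer fields and the quoted inner packet."""
    # The bracketed section is the header of the packet that triggered the ICMP error.
    m = re.search(r"\[(SRC=[^\]]*)\]", line)
    inner_text = m.group(1) if m else ""
    outer_text = line.replace(m.group(0), " ") if m else line
    return dict(KV.findall(outer_text)), dict(KV.findall(inner_text))


def pmtud_report(line):
    """Return details for ICMP type 3 code 4 (fragmentation needed), else None."""
    outer, inner = parse_netfilter_line(line)
    if (outer.get("PROTO"), outer.get("TYPE"), outer.get("CODE")) != ("ICMP", "3", "4"):
        return None
    mtu = int(outer["MTU"]) if outer.get("MTU", "").isdigit() else None
    return {
        "reported_by": outer.get("SRC"),
        "flow": (inner.get("SRC"), inner.get("DST"), inner.get("PROTO")),
        "packet_len": int(inner["LEN"]) if "LEN" in inner else None,
        "next_hop_mtu": mtu,
        # 20-byte IPv4 header + 20-byte TCP header, no options.
        "max_tcp_mss": mtu - 40 if mtu is not None else None,
    }


if __name__ == "__main__":
    print(pmtud_report(SAMPLE))
```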



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.