[CentOS] conntrack-tools and Session syncing
Robert Spangler
mlists at zoominternet.net
Sun Aug 10 14:04:37 UTC 2008
On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:
> That works as expected. If e.g. I ping from an inside server to somewhere
> outside, ICMP request leaves via router2, the answer comes back via
> router1. conntrack -e on router1 shows this session (as unreplied), BUT
> the firewall blocks it as new connection - that means iptables does not
> recognize conntrackd's addition to the session table.
First off, if you have traffic leaving one router and coming back on another
router, that is asynchronous routing and is not a good thing, as you are
seeing.
Firewall 1 doesn't know what firewall 2 is doing so firewall 1 is going to
block this traffic as it was setup to do. Firewall 1 is thinking this is a
new connection.
Since I don't know your setup, my questions are:
1. how many Internet connections do you have?
2. does router 2 have a valid public ip on the interface connecting to the
Internet?
--
Regards
Robert
Smile... it increases your face value!
Linux User #296285
http://counter.li.org
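The symptom Dirk describes is a conntrack entry that exists on router1 but stays flagged [UNREPLIED], because the reply only ever passes through the other router. As an added example (not part of this thread, and not conntrack-tools code), the script below parses text in the layout printed by `conntrack -L` and lists the entries still waiting for a reply, which is the first thing to check when a state-synced firewall pair is suspected of seeing only one direction of a flow. The sample lines, addresses and function names are constructed for the example.

```sh
#!/bin/sh
# Added example: find conntrack entries still flagged [UNREPLIED], i.e. flows
# whose return traffic has never passed through this firewall. Input is text
# in the `conntrack -L` layout; the sample below is constructed, not captured.

# Constructed sample resembling `conntrack -L` output (addresses are documentation ranges).
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.80 sport=51234 dport=80 src=203.0.113.80 dst=198.51.100.2 sport=80 dport=51234 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=203.0.113.80 type=8 code=0 id=1234 [UNREPLIED] src=203.0.113.80 dst=198.51.100.2 type=0 code=0 id=1234 mark=0 use=1
udp      17 28 src=192.168.1.11 dst=203.0.113.53 sport=40000 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.2 sport=53 dport=40000 mark=0 use=1'

# unreplied_flows: read conntrack lines on stdin and print "proto src dst" for
# every entry whose original direction has not yet seen a reply on this host.
# The first src=/dst= pair on a line is the original direction; the second
# pair (after the state flags) is the expected reply direction.
unreplied_flows() {
    awk '
        /\[UNREPLIED\]/ {
            proto = $1
            src = ""; dst = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^src=/ && src == "") { sub(/^src=/, "", $i); src = $i }
                if ($i ~ /^dst=/ && dst == "") { sub(/^dst=/, "", $i); dst = $i }
            }
            print proto, src, dst
        }
    '
}

# count_unreplied: number of unreplied entries on stdin, usable as a metric.
# A count that keeps growing on one router of a pair while the other shows the
# replies is the fingerprint of the one-way path Dirk describes.
count_unreplied() {
    unreplied_flows | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE" | unreplied_flows
```

On a live system the same functions take `conntrack -L` on stdin; the ESTABLISHED/[ASSURED] tcp line is deliberately included so the filter is shown ignoring flows that did complete on this host.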