Hello,
This is an excerpt of a simple firewall on a server with a single eth. The problem is
that establishing a connection takes a long time.
Regardless of which port from TCP_IN_ALLOW I connect to, I have to wait 10s
(this can be seen in the tcpdump log).
I would appreciate any hint.
---- firewall
/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -p tcp -j ACCEPT -m state --state ESTABLISHED,RELATED
TCP_IN_ALLOW=21,22,25,53,23,110,587,137,138,139
iptables -A INPUT -i eth0 -p tcp --src 192.168.1.0/24 -j ACCEPT -m state --state NEW -m multiport --destination-port $TCP_IN_ALLOW
---- tcpdump
15:15:22.818275 dawid.nfsd-status > haagen.telnet: S 2964896484:2964896484(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:15:22.818357 haagen.telnet > dawid.nfsd-status: S 1688749555:1688749555(0) ack 2964896485 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:15:22.818450 dawid.nfsd-status > haagen.telnet: . ack 1 win 64240 (DF)
15:15:32.818047 haagen.telnet > dawid.nfsd-status: P 1:13(12) ack 1 win 5840 (DF) [tos 0x10]
15:15:32.818309 dawid.nfsd-status > haagen.telnet: P 1:7(6) ack 13 win 64228 (DF)
Received on Wed May 12 18:10:54 2004
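A check worth running over a trace like the one above, added here as an example and not code from the original post: it parses classic tcpdump output and separates the time the kernel needs to finish the three-way handshake from the time the listening service then waits before sending its first payload. A sub-millisecond handshake followed by a long silence points at something the service does before answering (the rules above pass only TCP, so any UDP or ICMP the daemon needs on the way out is dropped) rather than at the network path; the sample is the post's own lines re-joined, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample: the handshake and first data of the telnet session from
# the post, with tcpdump's mail-wrapped lines joined back into one record each.
TRACE = """\
15:15:22.818275 dawid.nfsd-status > haagen.telnet: S 2964896484:2964896484(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:15:22.818357 haagen.telnet > dawid.nfsd-status: S 1688749555:1688749555(0) ack 2964896485 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:15:22.818450 dawid.nfsd-status > haagen.telnet: . ack 1 win 64240 (DF)
15:15:32.818047 haagen.telnet > dawid.nfsd-status: P 1:13(12) ack 1 win 5840 (DF) [tos 0x10]
15:15:32.818309 dawid.nfsd-status > haagen.telnet: P 1:7(6) ack 13 win 64228 (DF)
"""

# Classic tcpdump line: "<time> <src.port> > <dst.port>: <flags> ..."
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+)")


def parse(trace):
    """Yield (timestamp, src, dst, tcp_flags) for every parsable line."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)


def first_response_delay(trace):
    """Return (handshake_seconds, server_silence_seconds) for the first session.

    handshake_seconds: client SYN -> client's final ACK (kernel TCP stack).
    server_silence_seconds: that ACK -> server's first PUSH segment (the daemon).
    Returns None if the trace does not contain a complete exchange.
    """
    syn_ts = ack_ts = client = server = None
    for ts, src, dst, flags in parse(trace):
        if flags == "S" and syn_ts is None:          # client SYN opens the session
            syn_ts, client, server = ts, src, dst
        elif flags == "." and src == client and syn_ts and ack_ts is None:
            ack_ts = ts                               # handshake complete
        elif flags == "P" and src == server and ack_ts is not None:
            return ((ack_ts - syn_ts).total_seconds(),
                    (ts - ack_ts).total_seconds())
    return None


def service_stalls(trace, threshold=5.0):
    """True when the kernel answered promptly but the daemon stayed silent."""
    result = first_response_delay(trace)
    return result is not None and result[0] < 1.0 and result[1] >= threshold
```

On the post's trace this reports a handshake of about 0.2 ms and roughly 10 s of silence before the telnet banner.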