Interesting problem with conntrack and ftp

Alexander Samad alex at samad.com.au
Fri Mar 17 00:55:11 CET 2006


Hi

I was recently setting up my new firewall using OpenWrt on a Linksys.

I got around to setting up my ADSL connection and added these commands
to my iptables rules:

# 1: accept anything conntrack already knows about
$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# 2: clamp the MSS of outbound SYNs to the path MTU
$IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# 3: masquerade everything leaving via the ADSL interface
$IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE

which is what I have normally done.

HTTP traffic worked well, but FTP of large files timed out, a sign of an
MTU problem. It worked when I FTP'd from the firewall, but not when I
did it from behind the firewall.

When I did some tcpdumps, I noticed that the second connection created
by the client wasn't being clamped.

The way I figure it, the second connection was related to the first
one, and thus was being consumed by the first line in iptables (above).

Once I changed the order of lines 1 and 2, everything worked fine.

Now OpenWrt uses 2.4.30, and my previous firewall used 2.6 and I believe
it was set up as shown above and it worked fine.

The other difference is that conntrack_ftp is compiled into the kernel.

Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or
is the problem with conntrack_ftp being compiled in versus loaded as a module?

Alex

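Added example, not part of the post above: the FORWARD rules in the order that lets the RELATED ftp data SYN reach TCPMSS before the state ACCEPT rule consumes it, plus a check against the live chain. The interface name ppp0, the IPT variable and the two function names are assumptions; the post only gives $IPT and $WANADSL. It also clamps inbound SYNs (the active-mode data connection the server opens), which the post's -o rule does not cover.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: the WAN
# interface is ppp0 and the binary is iptables; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WANADSL="${WANADSL:-ppp0}"

apply_forward_rules() {
    # 1. Clamp MSS on SYNs in both directions first. TCPMSS is a
    #    non-terminating target, so the packet keeps walking the chain
    #    and still reaches the ACCEPT below.
    $IPT -t filter -A FORWARD -o "$WANADSL" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    $IPT -t filter -A FORWARD -i "$WANADSL" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # 2. Only now accept RELATED/ESTABLISHED. With the order reversed the
    #    ftp data SYN (RELATED, thanks to conntrack_ftp) is accepted here
    #    and never sees the TCPMSS rule.
    $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. Masquerade outbound traffic as before.
    $IPT -t nat -A POSTROUTING -o "$WANADSL" -j MASQUERADE
}

# Reads rule listing (or dry-run output) on stdin and succeeds only if the
# first TCPMSS rule comes before the RELATED,ESTABLISHED ACCEPT rule.
check_forward_order() {
    awk '
        /TCPMSS/ && !mss { mss = NR }
        /RELATED,ESTABLISHED/ && !state { state = NR }
        END { exit !(mss && state && mss < state) }
    '
}
```

On the router, verify the loaded chain with `iptables -t filter -L FORWARD -n --line-numbers | check_forward_order` (exit status 0 means the clamp rule precedes the state rule). Rule 3 lives in the nat table and its position relative to the others does not matter; only the FORWARD chain order is the issue from the post.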