Re: Weird Problem with TCP

From: Denis Vlasenko
Date: Sun Sep 05 2004 - 16:47:43 EST


> > > Are you using session tracking. The symptoms you describe are
> > > classically those of session tracking nat/firewalling/whatever running
> > > out of table entries and being unable to allow new connections.
> >
> > No, it is not running any session tracking (ip_conntrack), nor does it
> > do NAT. It is just a firewall with around 1600 rules in the FORWARD chain
> > of the mangle table and around 1500 rules in the FORWARD chain of the
> > filter table. Out of those 1500 rules, 1377 are MAC filter rules.
> > And it had 3 alias addresses for the interface connected to the wireless.
>
> EEEEK! 1600? That is insane!
>
> Consider cutting your rules into sections, and jumping to other tables to
> do sections of the work. Perhaps you can filter on the start of the MAC
> address and break this into smaller sections?
>
> Also of note: MAC addresses are easily spoofed, so if you're using this to
> lock out people on wireless, forget it, it doesn't work. Get them to use

Yes. I saw MAC filtering being hacked by a teenager with WinXP.
I inflicted OpenVPN on him. Now hack *that*, boy... ;)

> tunnels (eg: ipsec) instead. The only real way MAC addresses even sort of
> work is when you're providing a hotspot, ie: where you can't guarantee the
> client to have anything apart from base wireless, and you should therefore
> keep a tight leash on users connections by either timing them out
> regularly, or making them keep open a https:// page to a login/AAA server
> (ie: a page that auto-refreshes - when they stop refreshing the page,
> consider their connection stale).
--
vda
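The suggestion quoted above, to split a flat list of 1377 MAC rules into sections so that each packet walks only a short chain, as an added example (not code from the thread or from anyone in it). iptables' mac match only accepts a full address, not a prefix, so this example dispatches on the client's IP subnet instead, assuming every wireless client has a known IP/MAC binding, that the wireless interface is wlan0, and that iptables supports -g/--goto. It emits iptables-restore text, simulates the chain walk for one packet, and counts how many rules a worst-case packet touches in the flat and in the dispatched layout. The sample bindings are constructed. It does nothing about the spoofing problem raised in the reply; it only shortens the rule walk.

```python
"""Added example: dispatch iptables MAC/IP binding rules through per-subnet
sub-chains instead of one flat FORWARD list.  Assumptions (not from the
thread): clients have known IP/MAC bindings, the wireless interface is
wlan0, and iptables supports -g/--goto."""
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample bindings; hypothetical addresses, not from the thread.
SAMPLE_BINDINGS = [
    ("10.0.1.10", "00:11:22:33:44:55"),
    ("10.0.1.11", "00-11-22-33-44-56"),   # other separator, normalized below
    ("10.0.2.20", "00:AA:BB:CC:DD:EE"),
    ("10.0.3.30", "00:de:ad:be:ef:01"),
    ("10.0.3.31", "00:de:ad:be:ef:02"),
]


def normalize_mac(mac):
    """Lower-case, colon-separated MAC; reject anything that is not one."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC address: {mac!r}")
    return m


def bucket_bindings(bindings, prefixlen=24):
    """Group (ip, mac) pairs by the /prefixlen network their IP falls in."""
    buckets = defaultdict(list)
    for ip, mac in bindings:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        buckets[net].append((str(addr), normalize_mac(mac)))
    return dict(buckets)


def chain_name(net):
    """Chain name for a subnet, e.g. wl_10_0_1_0_24 (stays under the 28-char limit)."""
    return f"wl_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"


def render_rules(bindings, in_if="wlan0", prefixlen=24):
    """Return iptables-restore text: FORWARD -> WL_DISPATCH -> per-subnet chain.

    A matching IP/MAC pair RETURNs; each subnet chain ends in DROP.  The
    dispatch uses -g (goto) rather than -j, so that RETURN goes straight back
    to FORWARD and the remaining FORWARD rules still apply to allowed hosts."""
    buckets = bucket_bindings(bindings, prefixlen)
    nets = sorted(buckets)
    lines = ["*filter", ":WL_DISPATCH - [0:0]"]
    lines += [f":{chain_name(n)} - [0:0]" for n in nets]
    lines.append(f"-A FORWARD -i {in_if} -j WL_DISPATCH")
    for n in nets:
        lines.append(f"-A WL_DISPATCH -s {n} -g {chain_name(n)}")
    lines.append("-A WL_DISPATCH -j DROP")           # source in no known subnet
    for n in nets:
        for ip, mac in buckets[n]:
            lines.append(f"-A {chain_name(n)} -s {ip} -m mac --mac-source {mac} -j RETURN")
        lines.append(f"-A {chain_name(n)} -j DROP")  # right subnet, wrong host or MAC
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def verdict(bindings, ip, mac, prefixlen=24):
    """Simulate the chain walk for one packet: ('RETURN'|'DROP', rules evaluated)."""
    buckets = bucket_bindings(bindings, prefixlen)
    addr = ipaddress.ip_address(ip)
    evaluated = 1                                    # the FORWARD -> WL_DISPATCH jump
    for n in sorted(buckets):
        evaluated += 1                               # one dispatch rule per subnet
        if addr in n:
            for bip, bmac in buckets[n]:
                evaluated += 1
                if bip == str(addr) and bmac == normalize_mac(mac):
                    return "RETURN", evaluated
            return "DROP", evaluated + 1             # the subnet chain's trailing DROP
    return "DROP", evaluated + 1                     # WL_DISPATCH's trailing DROP


def worst_case_rules(bindings, prefixlen=24):
    """Rules a worst-case packet evaluates: (flat list, dispatched layout)."""
    buckets = bucket_bindings(bindings, prefixlen)
    flat = len(bindings) + 1                         # N binding rules, then DROP
    dispatched = 1 + len(buckets) + max(len(v) for v in buckets.values()) + 1
    return flat, dispatched


def synthetic_bindings(subnets=6, hosts_per_subnet=200):
    """Constructed data: hosts_per_subnet bindings in each of `subnets` /24s."""
    return [(f"10.1.{s}.{h + 1}", f"02:00:00:{s:02x}:00:{h:02x}")
            for s in range(subnets) for h in range(hosts_per_subnet)]


if __name__ == "__main__":
    print(render_rules(SAMPLE_BINDINGS))
    print("worst case, flat vs dispatched:", worst_case_rules(synthetic_bindings()))
```

Feed the output to `iptables-restore -n` (the `-n` keeps existing tables), and keep a flat, unsplit copy of the same bindings around for a diff: the split changes only how many rules a packet walks, never which hosts get through.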

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/