BIG problem with fiaif and many interfaces

postmaster email hidden
Mon Sep 24 17:57:43 CEST 2007


Paolo Prandini wrote:
> I found a BIG ( at least for me ) problem with fiaif if
> you have many ( at least 2 ) interfaces, that is quite
> common with a firewall.
> If you have a server process that is listening on 0.0.0.0
> ( all the interfaces ) for udp/tcp packets coming to a port ( eg.
> port 53) it correctly receives the packets BUT when it sends
> back an answer packet the origin port is not anymore port 53
> but an ephemeral port and if the receiver checks it nothing
> works. This is not due to the particular server process, I
> tried it with named, with asterisk, with mysql and so on.
> If I bind the process to a given address everything works
> correctly; with named I specify all the addresses I want it to
> listen on and I am set. But with many other daemons you can
> give only one address! With asterisk I am stuck!
> If I switch fiaif off everything works; if I use another
> firewall generator, e.g. shorewall, everything works; if I change
> kernel from 2.4 to 2.6 no change, it doesn't work correctly.
> The only thing that makes the difference is fiaif; no fiaif, ok,
> with fiaif, bad luck. But I want to use fiaif! I like it!
> There must be some rule in iptables, inserted by fiaif, that
> causes this weird behaviour.
> I am available for any tests, of course. I need some hints about
> where the problematic rules could be...
> Thanks
> Paolo

Binding services to a specific interface / port should make no
difference. I would rather think that there is a misconfiguration
somewhere.

Can you perhaps send me a wireshark trace (or TCPDUMP), which shows the
problem and one which shows how it should be along with your configuration
files, and I will look into it.

Regards
Anders Fugmann

> _______________________________________________
> fiaif mailing list
> fiaif at fiaif.net
> https://www.fiaif.net/mailman/listinfo/fiaif
> 