Re: Possible problem with netfilter / shorewall?
I have a similar problem: my Router runs OpenWRT. When i have too many
connections open (~500) the router "hangs", i.e. no other connections are
accepted. the problem vanishes when the number of connections decreases (by
timeout). I can reduce the problem by setting short timeout (10 minutes
insted of 60) for NAT connections - but I can't get rid of it. It doesn't
look like a memory problem, as there is enough free (~5MB from ~13).
Am Dienstag, 29. Mai 2007 15:27 schrieb Andy Simpkins:
> I hope this is the right place to post this.
> I have a debian box out in a datacenter that (amongst other things) is used
> as a mail server. On particular office (behind a NAT firewall) access'
> user email relatively often (about 20 users imapd-ssl).
> Every so often these users from that site stop being able to access their
> email (and web services hosted on the same box sharing the same IP
> address). The frequency of failures ranges from a couple of days to a
> couple of weeks.
> It happened again this morning. On a previous occasion I was able to
> determine that the problem ONLY occurs if accessing from this office (i.e.
> >from behind the office's NAT router), accessing the box from other IP
> address's (even from the same ISP and same subnet) continued fine. The
> problem was also NOT the office NAT router (confirmed by rebooting the NAT
> router). Then I resolved the problem by rebooting our box in the data
> With todays problem I had a little more time to investigate the problem and
> was able to tie it down to the firewall on the datacentre box (shorewall
> running on debian etch kernel 2.6.18-4-amd64). Restarting shorewall caused
> the problem to go away.
> My gut feeling is that there is a problem with shorewall / net filter.
> Specifically to do with multiple simultaionious sessions FROM a given IP
> address (i.e. the NAT firewall at the office in question - which by the way
> is another debian box). I suspect the problem is caused by too many open
> connections from a given IP (perhaps to a specific port)?
> 1) What logging information should I be looking at to test this
> 2) Has anyone come across a similar problem, and if so how did you
> overcome it?
> Kind regards