Re: iptables conntrack: packets not matching a rule occasionally?
Marc Schiffbauer wrote:
Conntrack has a timeout and a limit to the max number of connections it
can remember. I believe it can be adjusted with some setting in /proc or
somewhere. Check the documentation in /usr/src/linux/Documentation.
Anyway, really slow/long-lived web sessions might get caught as invalid
because of this.
* Héctor González wrote on 01.08.07 at 16:49:
You might try a rule to match "state INVALID", and see if it catches
them. It might be someone probing your firewall.
Makes sense. The new rule matches those packets indeed.
Seems like I did not pay enough attention to the TCP flags.
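An added example, not code from anyone in this thread: a small POSIX shell script that checks how full the conntrack table is (the cause Marc describes for long-lived sessions turning INVALID) and prints the rate-limited log-and-drop rules for INVALID-state packets that Héctor suggests. It assumes a kernel that exposes nf_conntrack_count and nf_conntrack_max under /proc/sys/net/netfilter (older kernels used ip_conntrack_* under /proc/sys/net/ipv4/netfilter) and an iptables with the conntrack match; the directory argument exists so the check can be run against constructed files.

```shell
#!/bin/sh
# conntrack_usage [DIR]: print "COUNT MAX PERCENT" read from the sysctl files
# in DIR (default: the live /proc/sys/net/netfilter).  When COUNT approaches
# MAX, new flows are not tracked and their packets show up as INVALID.
conntrack_usage() {
    dir="${1:-/proc/sys/net/netfilter}"
    count=$(cat "$dir/nf_conntrack_count") || return 1
    max=$(cat "$dir/nf_conntrack_max") || return 1
    [ "$max" -gt 0 ] || return 1
    echo "$count $max $(( count * 100 / max ))"
}

# conntrack_warn [DIR] [THRESHOLD]: succeed (exit 0) while table usage is below
# THRESHOLD percent (default 90), fail otherwise so it can drive an alert.
# Related knobs in the same directory, e.g. nf_conntrack_tcp_timeout_established,
# control how long idle sessions stay in the table.
conntrack_warn() {
    pct=$(conntrack_usage "$1" | awk '{print $3}')
    [ -n "$pct" ] && [ "$pct" -lt "${2:-90}" ]
}

# invalid_rules [CHAIN]: print the iptables commands (default chain INPUT) that
# log packets conntrack cannot associate with a known connection, rate limited
# so a probe cannot flood the log, and then drop them.  The log prefix makes the
# entries easy to pick out when deciding between "table full" and "probing".
invalid_rules() {
    chain="${1:-INPUT}"
    cat <<EOF
iptables -A $chain -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "CT-INVALID: "
iptables -A $chain -m conntrack --ctstate INVALID -j DROP
EOF
}
```

Run `conntrack_warn` from cron or a monitoring check, and apply the printed rules with `invalid_rules INPUT | sh` once you are happy with them.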