
Re: iptables conntrack: packets not matching a rule occasionally?

Marc Schiffbauer wrote:
* Héctor González wrote on 01.08.07 at 16:49:
You might try a rule to match "state INVALID", and see if it catches
them.  It might be someone probing your firewall.

makes sense. The new rule matches those packets indeed.

Seems like I did not pay enough attention to the TCP flags.

Conntrack has a timeout and a limit to the max number of connections it can remember. I believe it can be adjusted with some setting in /proc or somewhere. Check the documentation in /usr/src/linux/Documentation. Anyway, really slow/long-lived web sessions might get caught as invalid because of this.
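A defender's rule set along the lines of the thread's advice, added here as an example and not taken from either poster: it logs (rate-limited) and drops packets that conntrack classifies as INVALID, and reads out the conntrack table limit and TCP timeout the reply refers to. The INVALID_LOG chain name, the DRY_RUN variable and the /proc paths are assumptions; the paths are those of nf_conntrack on 2.6.20 and later kernels (older kernels use /proc/sys/net/ipv4/netfilter/ip_conntrack_*).

```shell
#!/bin/sh
# Added example, not from the thread. Log-then-drop rules for packets that
# conntrack marks INVALID, plus a read-out of the conntrack tunables.
# Assumes an nf_conntrack kernel (2.6.20+); iptables binary name is overridable.
IPTABLES="${IPTABLES:-iptables}"

# Run an iptables command, or with DRY_RUN=1 print it instead (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

invalid_rules() {
    # Dedicated chain: rate-limited LOG so a probe cannot flood syslog, then DROP.
    run -N INVALID_LOG
    run -A INVALID_LOG -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "CT-INVALID: " --log-level 4
    run -A INVALID_LOG -j DROP
    # Insert at position 1 so INVALID is checked before any ACCEPT rule,
    # including the usual ESTABLISHED,RELATED accept below.
    # (-m conntrack --ctstate INVALID is the newer spelling of -m state.)
    run -I INPUT 1 -m state --state INVALID -j INVALID_LOG
    run -I FORWARD 1 -m state --state INVALID -j INVALID_LOG
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print the table size limit, current entry count and the established-TCP
# timeout. If long-lived sessions are expired and then show up as INVALID,
# these are the values to raise (e.g. via sysctl net.netfilter.nf_conntrack_max).
conntrack_tunables() {
    d=/proc/sys/net/netfilter
    for f in nf_conntrack_max nf_conntrack_count nf_conntrack_tcp_timeout_established; do
        if [ -r "$d/$f" ]; then
            printf '%s=%s\n' "$f" "$(cat "$d/$f")"
        else
            printf '%s=unavailable\n' "$f"
        fi
    done
}

# Stand-alone use: DRY_RUN=1 sh file.sh prints the rules; with DRY_RUN unset,
# call invalid_rules from a root shell to apply them, then inspect tunables.
if [ "${DRY_RUN:-0}" = 1 ]; then
    invalid_rules
    conntrack_tunables
fi
```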
