Marc Schiffbauer wrote:
> * Héctor González wrote on 01.08.07 at 16:49:
> > You might try a rule to match "state INVALID", and see if it catches them. It might be someone probing your firewall.
>
> makes sense. The new rule matches those packets indeed. Seems like I did not pay enough attention to the TCP flags.

Conntrack has a timeout and a limit to the max number of connections it can remember. I believe it can be adjusted with some setting in /proc or somewhere. Check the documentation in /usr/src/linux/Documentation. Anyway, really slow/long-lived web sessions might get caught as invalid because of this.
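Putting the thread's two points together (a rule that matches INVALID-state packets, and the conntrack limits that live under /proc), here is an added example that is not from any of the posters: it logs INVALID packets with their TCP flags before dropping them, pulls the flags out of a kernel log line, and reports how full the conntrack table is. The log prefix and the sample log line are constructed; nf_conntrack_max and nf_conntrack_count are the real sysctl names.

```shell
#!/bin/sh
# Added example, not from the thread. Log INVALID-state packets (with TCP
# flags) before dropping them, parse what the kernel logged, and check
# conntrack table occupancy.

LOG_PREFIX="ct-invalid: "   # constructed prefix

# The rule from the thread, with a LOG target first so the TCP flags of
# each INVALID packet end up in the kernel log. Run as: ./script apply
apply_rules() {
    iptables -A INPUT -m state --state INVALID -j LOG \
        --log-prefix "$LOG_PREFIX" --log-tcp-options
    iptables -A INPUT -m state --state INVALID -j DROP
}

# Extract src, dst, ports and the TCP flag words from one kernel log line.
# Prints: SRC DST SPT DPT FLAGS   (flags comma-separated, or "none")
parse_invalid_line() {
    printf '%s\n' "$1" | awk '{
        flags = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/)
                flags = (flags == "" ? $i : flags "," $i)
        }
        print src, dst, spt, dpt, (flags == "" ? "none" : flags)
    }'
}

# Report "count max percent" from the conntrack sysctl files. DIR defaults
# to the real location and can point at a test directory.
conntrack_usage() {
    dir="${1:-/proc/sys/net/netfilter}"
    max=$(cat "$dir/nf_conntrack_max")
    count=$(cat "$dir/nf_conntrack_count")
    echo "$count $max $((count * 100 / max))"
}

# Constructed sample: a late RST/ACK for a flow conntrack no longer tracks.
SAMPLE='kernel: ct-invalid: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0'

if [ "$1" = "apply" ]; then
    apply_rules
else
    parse_invalid_line "$SAMPLE"
fi
```

If the percentage reported by conntrack_usage sits near 100, entries are being evicted and otherwise valid long-lived sessions will start showing up as INVALID, which is the failure mode described above.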