Re: iptables conntrack: packets not matching a rule occasionally?

To: debian-isp@lists.debian.org
Subject: Re: iptables conntrack: packets not matching a rule occasionally?
From: Håkon Alstadheim <hakon@alstadheim.priv.no>
Date: Tue, 07 Aug 2007 23:21:49 +0200
Message-id: <[🔎] 46B8E26D.10500@alstadheim.priv.no>
In-reply-to: <[🔎] 20070801230634.GA22279@schiffbauer.lan>
References: <[🔎] 20070801135024.GA14679@schiffbauer.lan> <[🔎] 46B09D77.2030609@genac.org> <[🔎] 20070801230634.GA22279@schiffbauer.lan>

Marc Schiffbauer wrote:

* Héctor González schrieb am 01.08.07 um 16:49 Uhr:

You might try a rule to match "state INVALID", and see if it catches
them.  It might be someone probing your firewall.


makes sense. The new rule matches those packets indeed.

Seems like I did not pay enough attention to the TCP flags.

Conntrack has a timeout and a limit to the max number of connections itcan remember. I believe it can be adjusted with some setting in /proc orsomewhere. Check the documentation in /usr/src/linux/Documentation.Anyway, really slow/long-lived web sessions might get caught as invalidbecause of this.

Reply to:

Follow-Ups:
- Re: iptables conntrack: packets not matching a rule occasionally?
  - From: Marc Schiffbauer <marc@schiffbauer.net>

References:
- iptables conntrack: packets not matching a rule occasionally?
  - From: Marc Schiffbauer <marc@schiffbauer.net>
- Re: iptables conntrack: packets not matching a rule occasionally?
  - From: Héctor González <cacho@genac.org>
- Re: iptables conntrack: packets not matching a rule occasionally?
  - From: Marc Schiffbauer <marc@schiffbauer.net>

Prev by Date: Re: amavis-new not adding X-Spam-Status header
Next by Date: Re: iptables conntrack: packets not matching a rule occasionally?
Previous by thread: Re: iptables conntrack: packets not matching a rule occasionally?
Next by thread: Re: iptables conntrack: packets not matching a rule occasionally?
Index(es):
- Date
- Thread