From: Steven M Campbell <Netfilter@SCampbell.net>
To: netfilter@lists.netfilter.org
Subject: Re: It seems I've found why conntrack blocks some packets
Date: Fri, 31 Mar 2006 08:43:42 -0500
Message-ID: <442D320E.7070301@SCampbell.net>
In-Reply-To: <442D2C8F.1020505@SCampbell.net>
Steven M Campbell wrote:
> We know from the message that we fell off of the end of the FORWARD
> chain (because the --log-prefix "FORWARD blocked: " is the only one to
> match the message....
>
>
One other thought on this: if I were to presume the ${variables} and ...IPs, then I would presume that the RELATED rules should allow these ACKs to go through. The only reason I know of for them not to (again, assuming all the addressing is really OK) would be that the conntrack table has filled up.
To see the maximum connections that can be tracked:
# cat /proc/sys/net/ipv4/ip_conntrack_max
32760
To see how many you are using at a given moment:
# wc -l /proc/net/ip_conntrack
16 /proc/net/ip_conntrack
This is from my house and there really isn't all that much going on. I would expect far larger counts; you may need to up ip_conntrack_max. This is really out in the SWAG arena because I can't see the details of your installation.
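The two checks from the message above, combined into one script, as an added example that is not part of the original post. It also counts the kernel's "table full, dropping packet" log lines, which is what a full table leaves behind. The function names, the 80% warning threshold, the log file argument and the sample data are assumptions made for illustration.

```shell
# Added example: conntrack table headroom check. Default paths are the ones
# quoted in the message; the 80% warning threshold is an assumption.

# conntrack_usage [MAX_FILE] [TABLE_FILE] -> "used max percent"; returns 2 on bad input
conntrack_usage() {
    max_file=${1:-/proc/sys/net/ipv4/ip_conntrack_max}
    table_file=${2:-/proc/net/ip_conntrack}
    [ -r "$max_file" ] && [ -r "$table_file" ] || return 2
    max=$(tr -d ' \n' < "$max_file")
    case "$max" in ''|*[!0-9]*|0) return 2 ;; esac
    used=$(( $(wc -l < "$table_file") ))   # arithmetic strips wc padding
    echo "$used $max $(( used * 100 / max ))"
}

# conntrack_status PERCENT [WARN_AT] -> OK, WARN (>= WARN_AT) or FULL (>= 100)
conntrack_status() {
    if [ "$1" -ge 100 ]; then echo FULL
    elif [ "$1" -ge "${2:-80}" ]; then echo WARN
    else echo OK
    fi
}

# table_full_drops LOG_FILE -> number of kernel "table full" drop messages
table_full_drops() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# conntrack_report [MAX_FILE] [TABLE_FILE] [WARN_AT] -> one summary line
conntrack_report() {
    usage=$(conntrack_usage "${1:-}" "${2:-}") || {
        echo "conntrack files not readable"; return 2; }
    set -- $usage "${3:-80}"
    echo "$(conntrack_status "$3" "$4"): $1 of $2 entries in use ($3%)"
}

# demo: runs the checks on constructed sample data (not real captures)
demo() {
    d=$(mktemp -d) || return 1
    echo 20 > "$d/max"
    i=0; while [ "$i" -lt 19 ]; do echo "tcp 6 sample-entry-$i"; i=$((i + 1)); done > "$d/table"
    printf '%s\n' 'kernel: ip_conntrack: table full, dropping packet.' \
        'kernel: FORWARD blocked: IN=eth0 OUT=eth1' > "$d/kern.log"
    conntrack_report "$d/max" "$d/table"
    echo "table-full drops logged: $(table_full_drops "$d/kern.log")"
    rm -rf "$d"
}

# "sh script.sh demo" uses the sample data; "sh script.sh live" reads /proc.
case "${1:-}" in demo) demo ;; live) conntrack_report ;; esac
```

A non-zero drop count together with a WARN or FULL status points at the table limit rather than at the ruleset.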