* ipconntrack
@ 2004-10-03 8:41 www.piratehosting.net
From: www.piratehosting.net @ 2004-10-03 8:41 UTC (permalink / raw)
To: netfilter
I run 2 IRC servers for a small hosting company.
ip_conntrack gets full all the time no matter what limits I set:
echo 40192 > /proc/sys/net/ipv4/ip_conntrack_max
My question is:
Can I safely remove ip_conntrack altogether?
rmmod ip_conntrack
rmmod ip_conntrack_ftp
rmmod ip_conntrack_irc
rmmod ip_conntrack
rmmod ipt_state
I don't really understand what it does, but the table keeps filling up; I'm
sure it's some kind of attack on my servers.
Does it do anything at all? I use a simple firewall (apf) and only these rules
in /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
--
www.piratehosting.net
* Re: ipconntrack
From: Jose Maria Lopez @ 2004-10-03 12:10 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Sun, 03 Oct 2004 at 10:41, www.piratehosting.net wrote:
> I run 2 IRC servers for a small hosting company.
> ip_conntrack gets full all the time no matter what limits I set:
> echo 40192 > /proc/sys/net/ipv4/ip_conntrack_max
>
> My question is:
> Can I safely remove ip_conntrack altogether?
> rmmod ip_conntrack
> rmmod ip_conntrack_ftp
> rmmod ip_conntrack_irc
> rmmod ip_conntrack
> rmmod ipt_state
>
> I don't really understand what it does, but the table keeps filling up; I'm
> sure it's some kind of attack on my servers.
> Does it do anything at all? I use a simple firewall (apf) and only these rules
> in /etc/sysctl.conf:
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.icmp_echo_ignore_all = 1
> net.ipv4.tcp_max_syn_backlog = 1024
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.tcp_syncookies = 1
The more logical way of acting is looking at your logs and
identifying the connections that you think are filling your
ip_conntrack table; surely they are connections to ports 445,
135, 139 and similar. If you don't need these ports you should
DROP them in your firewall. If you really have so many connections
that you can't really use conntrack, something I find improbable,
then you can deactivate it the way you say, but I advise you not
to do it; better to tune your firewall to have fewer connections.
--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
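Jose's advice above is to find out what is actually occupying the table before ripping conntrack out. The following shell snippet is an added example, not code from anyone in this thread: it summarises lines in the /proc/net/ip_conntrack format (2.4/2.6 kernels) by protocol and original-direction destination port, counts entries the remote side never answered, and counts long-lived ESTABLISHED entries. The sample lines and the function names are constructed for the example; on a live box you would feed it /proc/net/ip_conntrack instead.

```shell
#!/bin/sh
# Constructed sample in /proc/net/ip_conntrack format. Field 3 is the remaining
# timeout in seconds; a TCP ESTABLISHED entry starts at 432000 s (5 days), which
# is why idle or half-dead IRC clients keep their slot for so long.
SAMPLE='tcp      6 431998 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=40001 dport=6667 src=198.51.100.10 dst=203.0.113.5 sport=6667 dport=40001 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=203.0.113.6 dst=198.51.100.10 sport=40002 dport=6667 src=198.51.100.10 dst=203.0.113.6 sport=6667 dport=40002 [ASSURED] use=1
tcp      6 110 SYN_SENT src=203.0.113.7 dst=198.51.100.10 sport=1025 dport=445 [UNREPLIED] src=198.51.100.10 dst=203.0.113.7 sport=445 dport=1025 use=1
tcp      6 90 SYN_SENT src=203.0.113.8 dst=198.51.100.10 sport=1026 dport=445 [UNREPLIED] src=198.51.100.10 dst=203.0.113.8 sport=445 dport=1026 use=1
tcp      6 75 SYN_SENT src=203.0.113.9 dst=198.51.100.10 sport=1027 dport=445 [UNREPLIED] src=198.51.100.10 dst=203.0.113.9 sport=445 dport=1027 use=1
udp      17 25 src=203.0.113.10 dst=198.51.100.10 sport=5000 dport=139 [UNREPLIED] src=198.51.100.10 dst=203.0.113.10 sport=139 dport=5000 use=1'

# Entries per "proto dport", most common first. The first "dport=" token on a
# line belongs to the original tuple, i.e. the port the client asked for.
# Usage on a live system: conntrack_by_port < /proc/net/ip_conntrack
conntrack_by_port() {
    awk '{
        proto = $1; dport = ""
        for (i = 2; i <= NF; i++)
            if (index($i, "dport=") == 1) { dport = substr($i, 7); break }
        if (dport != "") n[proto " " dport]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Entries for which no reply packet was ever seen. A large share of these is
# the signature of scans or floods rather than of real IRC clients.
conntrack_unreplied() {
    grep -c '\[UNREPLIED\]' || true
}

# TCP ESTABLISHED entries whose remaining timeout is still above $1 seconds:
# how many slots are pinned by long-lived flows rather than by churn.
conntrack_long_lived() {
    awk -v min="$1" '$1 == "tcp" && $4 == "ESTABLISHED" && $3 > min { c++ } END { print c + 0 }'
}
```

If the top of the per-port list is a service the box does not offer, that is the port to DROP in the firewall; if the unreplied count dominates, the table is being filled by traffic that never completes a handshake.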
* Re: ipconntrack
From: Jason Opperisano @ 2004-10-03 21:22 UTC (permalink / raw)
To: netfilter
On Sun, 2004-10-03 at 04:41, www.piratehosting.net wrote:
> I run 2 IRC servers for a small hosting company.
> ip_conntrack gets full all the time no matter what limits I set:
> echo 40192 > /proc/sys/net/ipv4/ip_conntrack_max
>
> My question is:
> Can I safely remove ip_conntrack altogether?
> rmmod ip_conntrack
> rmmod ip_conntrack_ftp
> rmmod ip_conntrack_irc
> rmmod ip_conntrack
> rmmod ipt_state
>
> I don't really understand what it does, but the table keeps filling up; I'm
> sure it's some kind of attack on my servers.
> Does it do anything at all? I use a simple firewall (apf) and only these rules
> in /etc/sysctl.conf:
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.icmp_echo_ignore_all = 1
> net.ipv4.tcp_max_syn_backlog = 1024
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.tcp_syncookies = 1
I'm beginning to think that you have a horribly misconfigured IRC
server. Do you really have 40,000 simultaneous IRC connections?
-j
--
Jason Opperisano <opie@817west.com>
* ipconntrack
@ 2004-10-03 23:48 www.piratehosting.net
From: www.piratehosting.net @ 2004-10-03 23:48 UTC (permalink / raw)
To: netfilter
No, but they don't seem to expire for 5 days, so with many ircds on one
server they fill up fast from the traffic they pull in.
--
www.piratehosting.net