From: Darrell A Escola <darrell-sg@descola.net>
To: linux-kernel@vger.kernel.org
Cc: Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: iptables in 2.4.10, 2.4.11pre6 problems
Date: Fri, 19 Oct 2001 06:18:30 -0700
Message-ID: <20011019061830.A8087@descola.net>
In-Reply-To: <1002646705.2177.9.camel@aurora> <Pine.LNX.4.33.0110091005540.209-100000@desktop> <20011010135503.4f5c06b9.rusty@rustcorp.com.au>
I have been running 2.4.10-ac11 for 7 days now with
TCP_CONNTRACK_CLOSE_WAIT set to 120 seconds - this has stopped nearly
all firewall activity on established connections.
I use "mc" extensively for ftp, and previously would get numerous blocks
after closing a session or starting another ftp session with the same
instance of "mc".
What would we need to do to make these values tuneable either via
insmod/modprobe or /proc?
Darrell
On Wed, Oct 10, 2001 at 01:55:03PM +1000, Rusty Russell wrote:
> On Tue, 9 Oct 2001 10:07:05 -0700 (PDT)
> "Jeffrey W. Baker" <jwbaker@acm.org> wrote:
> > On 9 Oct 2001, Trever L. Adams wrote:
> > > I am seeing messages such as:
> > > Oct 9 12:52:51 smeagol kernel: Firewall:IN=ppp0 OUT= MAC=
> > > SRC=64.152.2.36 DST=MY_IP_ADDRESS LEN=52 TOS=0x00 PREC=0x00 TTL=246
> > > ID=1093 DF PROTO=TCP SPT=80 DPT=33157 WINDOW=34752 RES=0x00 ACK FIN
> > > URGP=0
> > >
> > > In my firewall logs. I see them for ACK RST as well. These are valid
> > > connections. My rules follow for the most part (a few allowed
> > > connections to the machine in question have been removed from the
> > > list). This often leaves open connections in a half closed state on
> > > machines behind this firewall. It also some times kills totally open
> > > connections and I see packets rejected that should be allowed through.
> >
> > I see this too. iptables is refusing packets on locally-initiated TCP
> > connections when the RELATED,ESTABLISHED rule should be letting them
> > through.
>
> Yes, but it has forgotten them. Play with the TCP timeout numbers in
> net/ipv4/netfilter/ip_conntrack_proto_tcp.c. Especially the 60 seconds for
> TCP_CONNTRACK_CLOSE_WAIT for the ACK FIN case. These numbers were stolen
> from the 2.0 and 2.2 masq code, which had real world testing (but didn't
> report failures, so...)
>
> Given some actual feedback on appropriate numbers, this can be fed as a
> patch to Linus...
>
> Hope that helps,
> Rusty.
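The log line Trever quotes above is in the netfilter LOG-target format, and the thread's diagnosis is that most of those "Firewall:" entries are the tail end of connections conntrack has already forgotten, not attacks. The parser below is an added example for sorting such entries during triage; it is not code from this thread or from the netfilter project. The four log lines are constructed (addresses come from the RFC 5737 documentation ranges; the first line copies the shape of the quoted one), and the classification buckets ("stale-teardown", "mid-stream", "new-connection-attempt") are this example's own heuristic, based on which TCP flag names appear as bare tokens in the line.

```python
"""Parse netfilter LOG-target lines and bucket them so that late FIN/RST or
bare-ACK segments of a connection conntrack no longer tracks (the symptom in
this thread) can be told apart from unsolicited connection attempts."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in the LOG-target format. The first mirrors the
# shape of the line quoted in the thread; addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  9 12:52:51 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=192.0.2.36 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=246 ID=1093 DF PROTO=TCP SPT=80 DPT=33157 WINDOW=34752 RES=0x00 ACK FIN URGP=0
Oct  9 12:53:02 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=192.0.2.36 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=1094 DF PROTO=TCP SPT=80 DPT=33157 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  9 12:53:10 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  9 12:53:11 smeagol kernel: Firewall:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=53 DPT=1027 LEN=56
"""


@dataclass
class LogEntry:
    fields: dict                              # KEY=VALUE tokens: IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: set = field(default_factory=set)   # bare tokens: DF plus TCP flag names (SYN, ACK, FIN, RST, ...)


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one LOG-target line, or None if the line has no IN= payload."""
    start = line.find("IN=")
    if start == -1:
        return None
    entry = LogEntry(fields={})
    for token in line[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            # UDP lines carry LEN twice (IP total length, then UDP length); keep the first.
            entry.fields.setdefault(key, value)
        else:
            entry.flags.add(token)
    return entry


def classify(entry: LogEntry) -> str:
    """Heuristic bucket (this example's own, not netfilter terminology)."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-tcp"
    f = entry.flags
    if "SYN" in f and "ACK" not in f:
        return "new-connection-attempt"      # unsolicited SYN: expected noise for a default-deny INPUT chain
    if "SYN" not in f and "ACK" in f and f & {"FIN", "RST"}:
        return "stale-teardown"              # late FIN/RST of a flow conntrack has already expired
    if "SYN" not in f and "ACK" in f:
        return "mid-stream"                  # data/ACK on a flow conntrack lost while still open
    return "other"


def flow_key(entry: LogEntry) -> str:
    """Canonical 'SRC:SPT -> DST:DPT' string for grouping entries by flow."""
    f = entry.fields
    return f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')}"


def summarize(log_text: str) -> dict:
    """Count entries per bucket over a whole log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


def stale_flows(log_text: str) -> set:
    """Flows whose teardown was logged: candidates to compare against the host's own outbound connections."""
    flows = set()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None and classify(entry) == "stale-teardown":
            flows.add(flow_key(entry))
    return flows


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for flow in sorted(stale_flows(SAMPLE_LOG)):
        print("stale teardown:", flow)
```

A rising share of "stale-teardown" and "mid-stream" entries whose source port is a service the local side is known to talk to (port 80 for the quoted line) points at conntrack timeouts rather than at hostile traffic, which is the evidence that would justify the longer TCP_CONNTRACK_CLOSE_WAIT value Darrell reports.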