* Slightly delayed dns response packets getting delayed - how to handle them?
@ 2004-04-22 22:05 Shaun T. Erickson
0 siblings, 0 replies; 2+ messages in thread
From: Shaun T. Erickson @ 2004-04-22 22:05 UTC (permalink / raw)
To: netfilter
I have an RH9 system with three nics: 1 WAN & 2 LANs. One lan is really
locked down - the only thing allowed into it are responses to traffic
initiated from that lan.
The DNS server is on the other LAN. I'm seeing occasional dns packets
being blocked from entering the locked down LAN. My assumption, correct
or not, is that these are slightly delayed packets that are arriving
after the state has been torn down, and they are thus blocked. I see
something like 30 or so of these every 8 hours or so.
Is this something people see a lot? If so, what is the best way to deal
with it?
-ste
* RE: Slightly delayed dns response packets getting delayed - how to handle them?
@ 2004-04-22 22:26 Daniel Chemko
From: Daniel Chemko @ 2004-04-22 22:26 UTC (permalink / raw)
To: ste, netfilter
Shaun T. Erickson wrote:
> I have an RH9 system with three nics: 1 WAN & 2 LANs. One lan is
> really locked down - the only thing allowed into it are responses to
> traffic initiated from that lan.
>
> The DNS server is on the other LAN. I'm seeing occasional dns packets
> being blocked from entering the locked down LAN. My assumption,
> correct or not, is that these are slightly delayed packets that are
> arriving after the state has been torn down, and they are thus
> blocked. I see something like 30 or so of these every 8 hours or so.
>
> Is this something people see a lot? If so, what is the best way to deal
> with it?
If you're using a POM patched kernel, you could change the timeout
values of:
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
These are measured in seconds.
The actual reason for taking so long between responses is strange
though. You can't really stop these packets from happening though.
Another way to handle them is to not log the packets and feel
comfortably numb. If you really want to be anal about it, you may want
to ethereal the interface and analyze the packets that're generating the
problem.
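An added example, not code from either poster, that puts the two suggestions above side by side: first triage the logged drops so you only silence the late replies from your own resolver (and still notice port-53 traffic that is not a late reply), then read or raise the conntrack UDP timeout. The DNS server address 192.168.2.53, the locked LAN 192.168.1.0/24 behind eth2, the DROP-LAN1 log prefix and the sample log lines are all constructed for the example; the second sysctl path is the name the later nf_conntrack module uses, added as a fallback to the ip_conntrack path named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed, made-up values: DNS server
# 192.168.2.53, locked LAN 192.168.1.0/24 on eth2, log prefix DROP-LAN1.

# Constructed sample lines in the shape of iptables LOG output.
SAMPLE_LOG='Apr 22 22:01:11 gw kernel: DROP-LAN1 IN=eth0 OUT=eth2 SRC=192.168.2.53 DST=192.168.1.10 PROTO=UDP SPT=53 DPT=32771 LEN=120
Apr 22 22:01:12 gw kernel: DROP-LAN1 IN=eth0 OUT=eth2 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=40000 LEN=60
Apr 22 22:03:40 gw kernel: DROP-LAN1 IN=eth0 OUT=eth2 SRC=192.168.2.53 DST=192.168.1.12 PROTO=UDP SPT=53 DPT=32800 LEN=98
Apr 22 22:05:02 gw kernel: DROP-LAN1 IN=eth1 OUT=eth2 SRC=203.0.113.7 DST=192.168.1.10 PROTO=UDP SPT=53 DPT=32771 LEN=512'

# count_late_dns DNS_IP < log
# Dropped UDP packets from port 53 of our own resolver: the harmless late
# replies the question is about. grep -F keeps the dots in the IP literal.
count_late_dns() {
    grep -F -- "SRC=$1 " | grep -c "PROTO=UDP SPT=53 " || true
}

# count_foreign_dns DNS_IP < log
# Dropped UDP source-port-53 packets from anything other than our resolver.
# These are not late replies, so look at them before turning logging off.
count_foreign_dns() {
    grep "PROTO=UDP SPT=53 " | grep -v -c -F -- "SRC=$1 " || true
}

# Sysctl file for the UDP conntrack timeout: the 2.4 ip_conntrack name
# from the reply first, then the name used by the newer nf_conntrack module.
udp_timeout_path() {
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout \
             /proc/sys/net/netfilter/nf_conntrack_udp_timeout; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# show_udp_timeout: print the current value (seconds) or say why not.
show_udp_timeout() {
    p=$(udp_timeout_path) || { echo "conntrack sysctl not present" >&2; return 1; }
    echo "$p = $(cat "$p")s"
}

# raise_udp_timeout N: write a new timeout in seconds (needs root).
raise_udp_timeout() {
    p=$(udp_timeout_path) || return 1
    echo "$1" > "$p"
}

# Rule text to insert ahead of the LOG rule so only known late replies from
# the resolver go quiet; interfaces and subnet are the assumed ones above.
quiet_late_dns_rule() {
    echo "iptables -I FORWARD -i eth0 -o eth2 -p udp -s $1 --sport 53 -d 192.168.1.0/24 -j DROP"
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | count_late_dns 192.168.2.53      # prints 2
printf '%s\n' "$SAMPLE_LOG" | count_foreign_dns 192.168.2.53   # prints 1
quiet_late_dns_rule 192.168.2.53
show_udp_timeout || true
```

In real use, pipe `grep DROP-LAN1 /var/log/messages` into the two counters; if the foreign count is zero and the late count is the 30-per-8-hours noise described above, either add the quiet rule or raise the timeout, and keep logging everything else.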