NOTRACK action question
rob0 at gmx.co.uk
Wed Aug 24 23:34:00 CEST 2005
On Wednesday 2005-August-24 13:23, Gary W. Smith wrote:
> We are NAT'ing an IP range to a set of internal Apache servers.
> Looking into the conntrack table we are seeing a bunch of entries on
> port 80, which make sense. One of the web server clusters is getting
> about 1m hits a day which is starting to cause a significant jump in
> conntrack entries. My question is do we really need to track those?
It would depend on your configuration. Oh, you said NAT; DNAT, I guess.
IIUC DNAT does depend on connection tracking. Perhaps you should put
your Apache reservation in a routed (not DNAT'ed) subnet.
> I would assume no. But when I add a NOTRACK rule to the raw table
> Apache suddenly fails to serve the pages to external clients.
Then your assumption would seem to be in error.
> Am I doing something wrong?
If it's not working, and you want it to work, yes. :)
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
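As an added example (not part of the original thread, and not the poster's own rules), the ruleset below in iptables-restore format shows the two cases the reply distinguishes. All addresses are hypothetical: 203.0.113.10 is the public address that is DNAT'ed to an internal Apache host at 10.0.0.10, and 192.0.2.10 is an Apache host in a routed subnet that needs no NAT. Conntrack is kept for the DNAT'ed flow, because DNAT uses the conntrack entry to translate the reply packets back; NOTRACK is applied only to the routed host, in both directions, and the filter rules for that host avoid state matching, since an untracked flow never becomes ESTABLISHED.

```iptables
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Routed Apache host (hypothetical 192.0.2.10): nothing is translated, so the
# connection can be left out of the conntrack table. Both directions must be
# exempted, otherwise the replies still create entries.
-A PREROUTING -d 192.0.2.10 -p tcp --dport 80 -j NOTRACK
-A PREROUTING -s 192.0.2.10 -p tcp --sport 80 -j NOTRACK
# No NOTRACK for the DNAT'ed address 203.0.113.10 or for replies from 10.0.0.10:
# DNAT depends on the conntrack entry to rewrite the reply packets, and adding
# NOTRACK here reproduces the symptom in the question (pages stop being served).
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT'ed web server (hypothetical addresses): this flow stays tracked.
-A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Tracked flows, including the DNAT'ed server, use state matching as usual.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 10.0.0.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Untracked flows have no conntrack entry, so they never match ESTABLISHED.
# Allow both directions for the routed host with stateless rules instead.
-A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.0.2.10 -p tcp --sport 80 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < file` and confirm with `cat /proc/net/ip_conntrack` (or `conntrack -L` where the tool is available) that port 80 entries appear only for 10.0.0.10, not for 192.0.2.10. The trade-off is that the untracked host loses stateful filtering and TCP window tracking, so it should sit behind the stateless ACCEPT rules only if that is acceptable for the traffic in question.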