Possible conntrack problem

zottmann zottmann at ig.com.br
Sat Jun 3 20:53:58 CEST 2006


Hi !! 

Thank you both for your answers!! 

We are not getting any reports regarding problems with our webserver, but 
surely these logs are weird. 

We are going to try ip_conntrack_tcp_be_liberal and see what happens. By the 
way, what does it really mean? 

Regards, 
Carlos. 


At (14:15:13), Justin Schoeman wrote: 


>Can also try: 
> 
>echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal 
> 
>Seems to help if there is a PIX between your clients and servers... 
> 
>-justin 
> 
>Sietse van Zanen wrote: 
>> This usually happens with clients behaving badly or misconfigured servers.
>> Very unlikely (I would say less than 1% chance) to be a netfilter issue.
>> If you don't get any reports about your webserver being unreachable or
>> unusable, all is working exactly as it should.
>>
>> If people do have problems with your webserver, check the configuration of
>> the server and clients.
>> 
>> -Sietse 
>> 
>> ________________________________ 
>> 
>> From: netfilter-bounces at lists.netfilter.org on behalf of zottmann at ig.com.br
>> Sent: Thu 01-Jun-06 13:56 
>> To: netfilter at lists.netfilter.org 
>> Subject: Possible conntrack problem 
>> 
>> 
>> 
>> Hi !! 
>> 
>> I am having a problem that I think may be related to conntrack. 
>> 
>> I am getting dropped packets in the firewall coming from our web server,
>> source port 80, and going to external machines on high ports, with both ACK
>> and SEQ numbers set.
>>
>> It seems to me that these packets are answers from our webserver to
>> connections established with it, but, for some reason, the connection
>> information is being lost (maybe due to timeout?).
>> 
>> How can I track this? Has anyone gone through something like it? 
>> 
>> Thanks in advance, 
>> Carlos. 
>> 
>> 
>> 
>> 
>> 
> 
>---------- 
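
Added example (not part of the original thread and not written by any of its posters): one way to follow up on the drops described in the original question is to sort the logged packets by TCP flags and by peer. It assumes the drops are logged with the iptables LOG target under a hypothetical `FW-DROP:` prefix; the sample lines are constructed and abridged, and the names `parse`, `classify` and `summarize` are illustrative.

```python
import re
from collections import Counter

# Constructed, abridged sample in iptables LOG format. "FW-DROP:" is an assumed
# --log-prefix; addresses come from documentation ranges.
SAMPLE_LOG = """\
Jun  1 13:40:01 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TTL=63 PROTO=TCP SPT=80 DPT=51234 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jun  1 13:40:02 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TTL=63 PROTO=TCP SPT=80 DPT=51234 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Jun  1 13:40:05 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=40 TTL=63 PROTO=TCP SPT=80 DPT=40022 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun  1 13:40:07 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40100 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  1 13:40:09 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=100 TTL=52 PROTO=UDP SPT=53 DPT=3456 LEN=80
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Return the KEY=value fields of one LOG line plus a FLAGS set, or None if not TCP."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # The LOG target prints the flag names as bare words after RES=.
    tail = line.split("RES=", 1)[-1].split()
    fields["FLAGS"] = frozenset(t for t in tail if t in TCP_FLAGS)
    return fields

def classify(fields, server_port=80):
    """Separate server replies that no longer match tracked state from other drops."""
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"  # ordinary ruleset drop, not a state problem
    if fields.get("SPT") == str(server_port) and "ACK" in flags and "SYN" not in flags:
        if "RST" in flags:
            return "server-reply-rst"
        if "FIN" in flags:
            return "server-reply-fin"  # typically teardown after the entry expired
        return "server-reply-data"     # mid-stream reply without state: look here
    return "other"

def summarize(text, server_port=80):
    """Count drops per class, and per external peer for the server-reply classes."""
    classes, peers = Counter(), Counter()
    for line in text.splitlines():
        fields = parse(line)
        if fields is None:
            continue
        kind = classify(fields, server_port)
        classes[kind] += 1
        if kind.startswith("server-reply"):
            peers[fields["DST"]] += 1
    return classes, peers

if __name__ == "__main__":
    classes, peers = summarize(SAMPLE_LOG)
    print(dict(classes), peers.most_common(5))
```

The kernel's documentation for this sysctl states that when it is non-zero only out-of-window RST segments are marked INVALID. Comparing the `server-reply-data` count before and after enabling it therefore helps separate window-tracking drops from expired entries.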



