Possible conntrack problem
zottmann at ig.com.br
Sat Jun 3 20:53:58 CEST 2006
Thank you both for your answers!!
We are not getting any reports regarding problems with our webserver, but
surely these logs are weird.
We are going to try ip_conntrack_tcp_be_liberal and see what happens. By the
way, what does it really means?
Em (14:15:13), Justin Schoeman escreveu:
>Can also try:
>echo "1" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>Seems to help if there is a PIX between your clients and servers...
>Sietse van Zanen wrote:
>> This usually happens with clients behaving badly or misconfigured
>Very unlikely (I would say less 1% chance) to be a netfilter issue.
>> If you don't get any reports about you webserver being unreachable or
>unusable, all is working exactly as it should.
>> If people do have problems with your webserver, check the configuration
>the server and clients.
>> From: netfilter-bounces at lists.netfilter.org on behalf of
>zottmann at ig.com.br
>> Sent: Thu 01-Jun-06 13:56
>> To: netfilter at lists.netfilter.org
>> Subject: Possible conntrack problem
>> Hi !!
>> I am having a problem that I think may be related to conntrack.
>> I am getting dropped packets in the firewall coming from our web server,
>> source port 80, and going to external machines on high ports, with both
>> and SEQ numbers set.
>> It seems to me that these packets are answers from our webserver to
>> connections estabilished with it, but, for some reason, the connection
>> information is being lost (maybe due to timeout?).
>> How can I track this? Has anyone gone through something like it?
>> Thanks in advance,
More information about the netfilter