[Bug 511] Premature ip_conntrack timer expiry on 3+ window size advertisements
bugzilla-daemon at bugzilla.netfilter.org
Wed Sep 20 00:33:22 CEST 2006
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=511
------- Additional Comments From georgeh at anstat.com.au 2006-09-20 00:33 MET -------
Signed-off-by: George Hansper
For the record, there are 2 work-arounds for this bug:

1/. Don't use connection tracking, use a "stateless" packet-filter rule instead,
e.g. on the tomcat-server:
    iptables -A INPUT -p tcp -s apache-server --dport 8009 -j ACCEPT
    iptables -A OUTPUT -p tcp -d apache-server --sport 8009 ! --syn -j ACCEPT

-- or -- (nicer)

2/. Tweak the setting:
    echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans