martin f krafft wrote:
also sprach Blair Strang <[EMAIL PROTECTED]> [2005.03.15.1245 +0100]:
I am guessing the problem is elsewhere. What does /proc/net/ip_conntrack say the kernel is expecting?
The UDP "connection" is not listed. Someone else told me in private mail that DNS is special, but I do not see anything special about the following:
16:27:15.369276 217.233.52.92.62406 > 217.237.151.97.53: 21533+ A? debian.org. (28) (DF)
16:27:15.424481 217.237.151.97.53 > 217.233.52.92.62406: 21533 1/0/0 A 192.25.206.10 (44)
The corresponding ip_conntrack entry:
udp 17 27 src=217.233.52.92 dst=217.237.151.97 sport=62406 dport=53 packets=1 bytes=67 src=217.237.151.97 dst=217.233.52.92 sport=53 dport=62406 packets=1 bytes=115 mark=0 use=1
This looks all good and fine. Whenever I get log entries generated by iptables, it seems that they are some sort of spurious responses by the servers, or else iptables would let them through.
Of course right now there aren't any. However, I have seen this for years and always wondered...
Sorry, I didn't understand from your original post that this was only happening occasionally. Duh! Perhaps look into ip_conntrack_max? Conntrack stress can be triggered by an nmap scan, heavy worm traffic, low memory, a very busy fw, etc.
Regards
Blair.
-- [WARNING: A meme virus was detected in this signature. It has been cleaned by MemeSweeper(tm) 4.0]
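Added example, not part of the thread: a small Python parser for /proc/net/ip_conntrack lines in the format quoted above, plus a check of whether a packet's 5-tuple matches an entry's original or reply direction, which is what conntrack decides before the iptables state match ever sees the packet. The first conntrack line and the two tcpdump lines are the ones quoted in the thread; the TCP conntrack line and the "stray" reply are constructed, and the tcpdump lines are assumed to be UDP since tcpdump prints no protocol name for plain UDP.

```python
import re
from dataclasses import dataclass
from typing import Optional

# First line: the ip_conntrack entry quoted in the thread.
# Second line: constructed, to show the TCP format with a state word and [ASSURED].
CONNTRACK_SAMPLE = """\
udp 17 27 src=217.233.52.92 dst=217.237.151.97 sport=62406 dport=53 packets=1 bytes=67 src=217.237.151.97 dst=217.233.52.92 sport=53 dport=62406 packets=1 bytes=115 mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40000 dport=443 packets=12 bytes=2000 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=40000 packets=10 bytes=9000 [ASSURED] mark=0 use=1
"""

# The two tcpdump lines quoted in the thread (DNS query, then its answer).
TCPDUMP_SAMPLE = """\
16:27:15.369276 217.233.52.92.62406 > 217.237.151.97.53: 21533+ A? debian.org. (28) (DF)
16:27:15.424481 217.237.151.97.53 > 217.233.52.92.62406: 21533 1/0/0 A 192.25.206.10 (44)
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class ConntrackEntry:
    proto: str
    timeout: int            # seconds left before the kernel expires the entry
    state: Optional[str]    # e.g. ESTABLISHED for tcp; None for udp
    original: Flow          # direction of the packet that created the entry
    reply: Flow             # expected direction of the answer
    flags: frozenset        # e.g. {"ASSURED"} or {"UNREPLIED"}


_KV = re.compile(r"(\w+)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")
_TCPDUMP = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_conntrack(text):
    """Parse ip_conntrack lines (2.4/2.6-era format) into ConntrackEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        proto, timeout = fields[0], int(fields[2])
        # TCP entries carry a state word before the first key=value pair.
        state = fields[3] if "=" not in fields[3] and not fields[3].startswith("[") else None
        # src/dst/sport/dport appear twice: original direction, then reply
        # direction. A second "src=" marks the start of the reply half.
        halves, cur = [], {}
        for key, val in _KV.findall(line):
            if key == "src" and cur:
                halves.append(cur)
                cur = {}
            cur[key] = val
        halves.append(cur)
        orig, rep = halves[0], halves[1]
        entries.append(ConntrackEntry(
            proto, timeout, state,
            Flow(proto, orig["src"], orig["dst"], int(orig["sport"]), int(orig["dport"])),
            Flow(proto, rep["src"], rep["dst"], int(rep["sport"]), int(rep["dport"])),
            frozenset(_FLAG.findall(line)),
        ))
    return entries


def parse_tcpdump(text, proto="udp"):
    """Extract 5-tuples from tcpdump lines. The protocol is an assumption
    passed by the caller, because the quoted lines do not print it."""
    flows = []
    for line in text.splitlines():
        m = _TCPDUMP.search(line)
        if m:
            flows.append(Flow(proto, m.group(1), m.group(3), int(m.group(2)), int(m.group(4))))
    return flows


def classify(entries, pkt):
    """Return 'ORIGINAL' or 'REPLY' if pkt belongs to a tracked flow, else None.
    None is the case a state-matching rule set logs or drops as NEW/INVALID."""
    for e in entries:
        if pkt == e.original:
            return "ORIGINAL"
        if pkt == e.reply:
            return "REPLY"
    return None


if __name__ == "__main__":
    table = parse_conntrack(CONNTRACK_SAMPLE)
    for pkt in parse_tcpdump(TCPDUMP_SAMPLE):
        print(pkt, "->", classify(table, pkt))
    # Constructed stray answer: same server and source port, but a destination
    # port no query used, so it matches neither direction of any entry.
    stray = Flow("udp", "217.237.151.97", "217.233.52.92", 53, 62407)
    print(stray, "->", classify(table, stray))
```

The quoted answer matches the reply tuple of the quoted entry, which is why it passes; the constructed stray packet matches nothing, which is the "spurious response" case that ends up in the iptables log. The same outcome follows from table pressure: a UDP entry that has seen only the query is not yet assured, and under memory or ip_conntrack_max pressure the kernel can evict such entries before the answer arrives, so a late DNS reply then looks exactly like the stray packet.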