On Sunday 16 June 2002 14:12, alex wrote:
> I'm running a NAT'ed firewall on my gateway box and recently I've
> been having problems with the connection choking and I have been
> unable to ssh onto the box to see what was going on. I think (as
> I've not got loads of memory) it's probably due to the maximum
> number of tracked connections being exceeded (the logs show
> ip_conntrack dropping new connections).
>
> However I'm still unsure as to why I couldn't shell onto the box.
> After all the ssh connection doesn't need to be tracked as it
> terminates on that box (and shouldn't go through any of the -t nat
> tables). Or am I misunderstanding the workings of conntrack?

conntrack currently tracks every connection. It does not matter whether you
actually use any features depending on conntrack for the connection
or not.

If you don't have too much memory in the netfilter box then you most
likely will need to instruct conntrack to use a bigger connection
tracking table, best set by increasing the hash size (the hashsize=
module argument).

Regards
Henrik
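An added example, not from either poster: a small POSIX shell helper that measures how full the conntrack table is and counts the "table full, dropping packet" messages alex saw, so the condition can be caught before ssh access is lost. It assumes the modern nf_conntrack sysctl paths as defaults (the 2.4 ip_conntrack module used different names) and a constructed log excerpt.

```shell
#!/bin/sh
# Added example (not from the thread): monitor the conntrack table and the
# "table full, dropping packet" kernel message described above.
# Assumption: the default /proc paths are the nf_conntrack sysctl names; on
# 2.4 ip_conntrack the files and the log prefix differ, so paths are arguments.

# Percentage of the conntrack table in use. Arguments are the count and max
# files (defaults are the live sysctl files; any file holding one integer works).
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Count "table full, dropping packet" lines read from stdin. Old ip_conntrack
# and newer nf_conntrack use different prefixes, so both are matched.
count_table_full_drops() {
    grep -c -E '(ip_conntrack|nf_conntrack): table full, dropping packet'
}

# Constructed sample log excerpt, the kind of lines the original poster saw.
SAMPLE_LOG='Jun 16 14:01:02 gw kernel: ip_conntrack: table full, dropping packet.
Jun 16 14:01:02 gw kernel: ip_conntrack: table full, dropping packet.
Jun 16 14:01:03 gw sshd[1234]: Connection from 10.0.0.5 port 40000
Jun 16 14:01:05 gw kernel: ip_conntrack: table full, dropping packet.'

# Stand-alone use: report live table usage and the drops found in the sample.
if [ "${1:-}" = "--demo" ]; then
    echo "conntrack table usage: $(conntrack_usage_pct)%"
    echo "drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full_drops)"
fi
```

Run it with `--demo` on the gateway itself; a usage figure approaching 100% means the next burst of connections will be dropped exactly as alex describes, so it is a good threshold for an alert.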
