On Tuesday 21 May 2002 8:33 am, Wojciech Sobola wrote:
> Hello,
>
> I've been using ipt 1.2.6a for 2 months. There seems to be a problem in
> /proc/net/ip_conntrack. I have chains here that can't be cleared out.
> Example:
> tcp 6 321156 ESTABLISHED src=63.218.135.142 dst=62.xx.x.44 sport=63920 dport=80 [UNREPLIED] src=192.168.101.2 dst=63.218.135.142 sport=80 dport=63920 use=1
>
> Such a table can stay even 2 or 3 days.

The standard TCP timeout on an ESTABLISHED connection is 5 days. I have no idea why this was once thought to be a good idea, but it is now in the standards. You could change it and recompile your kernel if you want, but this is the reason you are seeing these connections for 2 or 3 days - they're not even halfway to timing out yet :-)

Also, once a connection is in the conntrack table, you cannot get rid of it by doing anything at all to your netfilter rules. If you compiled modules you can remove and reinstall the ip_conntrack module, but if you use a monolithic kernel only a reboot will get these out of the table.

Antony.
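As an added illustration (not part of the thread above, nor code from the netfilter project), the following parser reads lines in the /proc/net/ip_conntrack layout shown in the post, flags ESTABLISHED TCP entries that are still marked [UNREPLIED] with a long timer left, and reports how far along the 5-day default timer Antony mentions each one is. The sample input is constructed here: the first line is the entry quoted in the post, the other two are made up to exercise the UDP (no state field) and [ASSURED] cases; the 5-day constant is taken from the reply, not read from the kernel.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in /proc/net/ip_conntrack format. Line 1 is the entry from the post
# (with the poster's masked address kept as-is); lines 2 and 3 are made up for the example.
SAMPLE_CONNTRACK = """\
tcp      6 321156 ESTABLISHED src=63.218.135.142 dst=62.xx.x.44 sport=63920 dport=80 [UNREPLIED] src=192.168.101.2 dst=63.218.135.142 sport=80 dport=63920 use=1
udp     17 27 src=192.168.101.5 dst=192.168.101.1 sport=1025 dport=53 src=192.168.101.1 dst=192.168.101.5 sport=53 dport=1025 use=1
tcp      6 100 TIME_WAIT src=192.168.101.7 dst=10.1.2.3 sport=40000 dport=443 src=10.1.2.3 dst=192.168.101.7 sport=443 dport=40000 [ASSURED] use=1
"""

# Default timer for an ESTABLISHED TCP entry, 5 days in seconds, as stated in the reply.
# Assumed here as a constant; a given kernel build may use a different value.
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 60 * 60


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int           # seconds left before the kernel drops the entry
    state: Optional[str]   # TCP state, or None for stateless protocols such as UDP
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    unreplied: bool        # [UNREPLIED]: no packet has been seen in the reply direction
    assured: bool          # [ASSURED]: traffic seen both ways, entry kept under table pressure


# One address/port tuple; the {p} prefix distinguishes the original and reply directions.
_TUPLE = r"src=(?P<{p}src>\S+) dst=(?P<{p}dst>\S+) sport=(?P<{p}sport>\d+) dport=(?P<{p}dport>\d+)"
_LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    + _TUPLE.format(p="o")
    + r"\s+(?P<unreplied>\[UNREPLIED\]\s+)?"
    + _TUPLE.format(p="r")
    + r"\s+(?P<assured>\[ASSURED\]\s+)?use=\d+"
)


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    """Parse conntrack lines; lines in a layout this regex does not cover are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(ConntrackEntry(
            proto=m["proto"],
            timeout=int(m["timeout"]),
            state=m["state"],
            orig_src=m["osrc"],
            orig_dst=m["odst"],
            orig_sport=int(m["osport"]),
            orig_dport=int(m["odport"]),
            unreplied=m["unreplied"] is not None,
            assured=m["assured"] is not None,
        ))
    return entries


def stale_unreplied(entries: List[ConntrackEntry], min_remaining: int = 24 * 3600) -> List[ConntrackEntry]:
    """ESTABLISHED TCP entries that never saw a reply and still have more than
    min_remaining seconds on their timer. As the reply explains, such entries cannot be
    removed through the ruleset; they expire, or go with a module reload or reboot."""
    return [
        e for e in entries
        if e.proto == "tcp" and e.state == "ESTABLISHED" and e.unreplied and e.timeout > min_remaining
    ]


def fraction_elapsed(entry: ConntrackEntry) -> float:
    """How far an ESTABLISHED TCP entry has progressed through the default 5-day timer."""
    return 1.0 - entry.timeout / TCP_ESTABLISHED_TIMEOUT


if __name__ == "__main__":
    # To run against a live box, replace SAMPLE_CONNTRACK with open("/proc/net/ip_conntrack").read()
    for e in stale_unreplied(parse_conntrack(SAMPLE_CONNTRACK)):
        print(f"{e.orig_src}:{e.orig_sport} -> {e.orig_dst}:{e.orig_dport} "
              f"unreplied, {e.timeout}s left, {fraction_elapsed(e):.0%} of timer elapsed")
```

For the entry in the post (321156 seconds left) the timer is roughly a quarter elapsed, which matches Antony's remark that it is not yet halfway to timing out.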
