Re: (iptables) ip_conntrack bug?

• Next message: Gary Lawrence Murphy: "Re: RFC: "SubmittingPatches" text"
• Previous message: Werner Almesberger: "[PATCH] BTTV radio with non-modular 2.4 kernel"
• Next in thread: Rusty Russell: "Re: (iptables) ip_conntrack bug?"
• Maybe reply: Rusty Russell: "Re: (iptables) ip_conntrack bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <20001115154603.D4089@psuedomode> you write:
> I was DDoS'd today while away and came home to find the firewall unable to
> do anything network related (although my connection to irc was still
> working oddly). a quick dmesg showed the problem.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NET: 1 messages suppressed.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NET: 3 messages suppressed.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NAT: 0 dropping untracked packet c1e69980 6 192.168.1.2 -> 206.251.7.30
> ip_conntrack: maximum limit of 2048 entries exceeded
> NAT: 0 dropping untracked packet c1e69b60 6 192.168.1.2 -> 206.251.7.30
> ip_conntrack: maximum limit of 2048 entries exceeded

Yes, I added connection assurance (which provides much more
intelligence about which connections should be dropped,
ie. established TCP connections get assured) in test6, for exactly
this reason.

Hope that helps,
Rusty.

--
Hacking time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Gary Lawrence Murphy: "Re: RFC: "SubmittingPatches" text"
• Previous message: Werner Almesberger: "[PATCH] BTTV radio with non-modular 2.4 kernel"
• Next in thread: Rusty Russell: "Re: (iptables) ip_conntrack bug?"
• Maybe reply: Rusty Russell: "Re: (iptables) ip_conntrack bug?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:11 EST