kernel: ip_conntrack: table full, dropping packet.
Dear suse-security list,

I had this problem: kernel: ip_conntrack: table full, dropping packet.

I found this solution: sysctl -w net.ipv4.ip_conntrack_max="32768"

After I restart SuSEfirewall2 the value of ip_conntrack_max is back to the default 16k. How can I solve this?

Best regards,
Peter.

---------------------------------------------------------------------------
This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorised use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. ABN AMRO Bank N.V. (including its group companies) shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. ABN AMRO Bank N.V. (or its group companies) does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.
---------------------------------------------------------------------------
On Wednesday 08 September 2004 16:46, peter.kanters@nl.abnamro.com wrote:
> Dear suse-security list,
> I had this problem: kernel: ip_conntrack: table full, dropping packet. I found this solution: sysctl -w net.ipv4.ip_conntrack_max="32768"
> After I restart SuSEfirewall2 the value of ip_conntrack_max is back to the default 16k. How can I solve this?
> Best regards, Peter.

Hello Peter,

echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max

Still, you should consider adding this to your firewall script in /etc/sysconfig/scripts, so it can be loaded automatically after every reboot/flush/etc.

Josephine
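The hook approach Josephine describes, as an added example that is not part of the thread and not SuSEfirewall2's own code: a POSIX shell function that raises ip_conntrack_max, reads the value back so a silent failure is noticed, and a SuSEfirewall2 custom hook that calls it every time the rules are (re)loaded. It assumes the 2.4 proc path /proc/sys/net/ipv4/ip_conntrack_max and the hook file and function names (FW_CUSTOMRULES pointing at /etc/sysconfig/scripts/SuSEfirewall2-custom, fw_custom_after_finished), none of which the thread states. The sysctl belongs to the ip_conntrack module, so if a firewall restart unloads and reloads that module the value is lost, which is consistent with what Peter saw.

```shell
#!/bin/sh
# Added example (not from the thread, not SuSEfirewall2 code): raise
# ip_conntrack_max and verify the kernel accepted it.  Intended to be sourced
# from the SuSEfirewall2 custom-rules file so it runs on every restart.
#
# Assumptions not given in the thread:
#   - 2.4 kernel path /proc/sys/net/ipv4/ip_conntrack_max
#     (2.6 with nf_conntrack uses /proc/sys/net/netfilter/nf_conntrack_max)
#   - SuSEfirewall2 sources the file named in FW_CUSTOMRULES and calls
#     fw_custom_after_finished() once all rules are loaded

CONNTRACK_MAX_FILE=${CONNTRACK_MAX_FILE:-/proc/sys/net/ipv4/ip_conntrack_max}

# set_conntrack_max WANTED [FILE]
# Writes WANTED to the sysctl file, reads it back and prints the effective
# value.  Exit status is 0 only if the kernel now reports the value we wanted.
set_conntrack_max() {
    wanted=$1
    file=${2:-$CONNTRACK_MAX_FILE}

    case "$wanted" in
        ''|*[!0-9]*)
            echo "set_conntrack_max: '$wanted' is not a number" >&2
            return 2 ;;
    esac
    if [ ! -w "$file" ]; then
        echo "set_conntrack_max: cannot write $file" >&2
        return 2
    fi

    # Never lower the limit below what the kernel already has: a firewall
    # restart in the middle of a burst would otherwise start dropping at once.
    current=$(cat "$file")
    if [ "$current" -gt "$wanted" ]; then
        wanted=$current
    fi

    echo "$wanted" > "$file"
    effective=$(cat "$file")
    echo "$effective"
    [ "$effective" -eq "$wanted" ]
}

# Hook called by SuSEfirewall2 after it has finished loading rules (assumed
# hook name).  Logs to syslog so a failure shows up in /var/log/messages
# instead of being discovered by the next "table full" message.
fw_custom_after_finished() {
    if ! set_conntrack_max 32768 >/dev/null; then
        logger -t SuSEfirewall2-custom "failed to raise ip_conntrack_max"
    fi
    true
}
```

A line in /etc/sysctl.conf only covers boot; the hook covers every firewall restart as well, which is the case Peter hit. Pick the number from measured usage rather than doubling blindly: each entry costs kernel memory that is never paged out.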
On Wednesday 08 September 2004 07:33 am, Josephine wrote:
> On Wednesday 08 September 2004 16:46, peter.kanters@nl.abnamro.com wrote:
> > Dear suse-security list,
> > I had this problem: kernel: ip_conntrack: table full, dropping packet. I found this solution: sysctl -w net.ipv4.ip_conntrack_max="32768"
> > After I restart SuSEfirewall2 the value of ip_conntrack_max is back to the default 16k. How can I solve this?
> > Best regards, Peter.
>
> Hello Peter
>
> echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Still, you should consider adding this to your firewall script in /etc/sysconfig/scripts, so it can be loaded automatically after every reboot/flush/etc.
>
> Josephine

Or perhaps finding out why you have this problem in the first place. I've often seen this when there is an infected Windows box behind the Linux firewall...

--
_____________________________________
John Andersen
Hi,

I'm still having the problem, after the machine (SuSE 9.0, SuSEfirewall2) is up for about 30 days, although I did:

echo 65535 > /proc/sys/net/ipv4/ip_conntrack_max

Even more strange: when I do

cat /proc/net/ip_conntrack | wc -l

I usually get something like 1500, which does look quite normal to me.

So the only solution seems to be to reboot the system every 30 days? Isn't there anything else I can do? Will upgrading to kernel 2.6 possibly fix this?

Greetings,
Ralf
> Hi,
>
> I'm still having the problem, after the machine (SuSE 9.0, SuSEfirewall2) is up for about 30 days, although I did:
>
> echo 65535 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Even more strange: when I do cat /proc/net/ip_conntrack | wc -l
> I usually get something like 1500, which does look quite normal to me.
>
> So the only solution seems to be to reboot the system every 30 days? Isn't there anything else I can do? Will upgrading to kernel 2.6 possibly fix this?

Possibilities for this:

- external port scans
- too many rulesets
- PC with too many connections (e.g. p2p) *
- infected Redmond (tm) PC with worm

(*) decrease the number of connections and disable master-node functionality. This is the #1 reason for full tables!

First check that there is no infected box in your network filling the tables with trash data (check with IPTraf whether there is enormous traffic on your firewall from one internal IP, or whether you get a DoS from outside). Or use Ethereal and check whether there is an enormously large amount of traffic on one IP, or a MAC spoofer, or a defective network card or hub.

Afterwards a good medicine to Redmond (TM) for better security:

- switch to Firefox & Thunderbird
- restrict usage of IE to Admins only
- don't work as Admin on the PCs, or anyone else
- install an up-to-date virus scanner (e.g. www.free-av.de) with autoupdate
- run the service deinstaller from CCC: http://www.dingens.org/
  !!!Warning, this script deactivates AD functionality and is at your own risk, RTFM before installing the patch!!!
  !!!This patch may speed up your PC and increase security!!!

Regards
Philippe
Hi Philippe,

Philippe Vogel wrote:
> Possibilities for this:
> external port scans
> too many rulesets
> PC with too many connections (e.g. p2p) *
> infected Redmond (tm) PC with worm
>
> (*) decrease the number of connections and disable master-node functionality. This is the #1 reason for full tables!

First of all, thanks for your answer. There is a web server behind the box that has many connections and also quite a lot of traffic. I also do have many rules; SuSEfirewall2 seems to create a lot of rules from the rules I've entered in its syntax.

But how can I check how close to the message "ip_conntrack: table full, dropping packet" I am, when counting the lines in ip_conntrack does not do it? And what's the solution for a firewall with web servers behind it then? To write my own firewall rules?

Greetings,
Ralf
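As an added example that is not part of the thread, a shell script that answers Ralf's question of how close the table is to its limit and does the check John and Philippe suggest: it reports usage as a percentage of ip_conntrack_max, lists the source addresses holding the most entries, and counts [UNREPLIED] entries (connections that never got an answer, which is exactly what a scanning worm leaves behind). A hand-run `wc -l` of 1500 says nothing about the burst that produced the kernel message, so the intent is to run `conntrack_alert` from cron every minute and log the report. The file names are the 2.4 ones from the thread and are assumed; on a 2.6 kernel with nf_conntrack the table is /proc/net/nf_conntrack and the limit /proc/sys/net/netfilter/nf_conntrack_max, and each line carries an extra "ipv4 2" prefix, but the first src= field is still the original direction, which is all the parser uses. The sample table is constructed, not a capture. Note also that established TCP entries live for ip_conntrack_tcp_timeout_established, 5 days (432000 s) by default, so idle sessions behind a busy web server keep their slots for a long time.

```shell
#!/bin/sh
# Added example (not from the thread): how full is the conntrack table, and
# which internal host owns the most entries.
#
# Assumptions not given in the thread: 2.4 kernel layout, entries in
# /proc/net/ip_conntrack and the limit in /proc/sys/net/ipv4/ip_conntrack_max.
# Both can be overridden per call so the functions can be run against a
# saved copy of the table.

CT_TABLE=${CT_TABLE:-/proc/net/ip_conntrack}
CT_MAX_FILE=${CT_MAX_FILE:-/proc/sys/net/ipv4/ip_conntrack_max}

# conntrack_usage [TABLE] [MAXFILE]
# Prints "<used> <max> <percent>".  The line count is what the kernel
# compares against ip_conntrack_max, so this is the number to alarm on.
conntrack_usage() {
    table=${1:-$CT_TABLE}
    maxfile=${2:-$CT_MAX_FILE}
    used=$(wc -l < "$table" | tr -d ' ')
    max=$(cat "$maxfile")
    echo "$used $max $((used * 100 / max))"
}

# conntrack_top_src [N] [TABLE]
# Prints the N source addresses owning the most entries, "count ip" per line,
# busiest first.  Only the first src= on each line (original direction) is
# counted, so NAT reply tuples are not double-counted.
conntrack_top_src() {
    n=${1:-5}
    table=${2:-$CT_TABLE}
    awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { count[substr($i, 5)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$table" |
        sort -rn | head -n "$n"
}

# conntrack_unreplied [TABLE]
# Number of entries that never saw a reply.  Many of these from one internal
# address is the classic signature of a worm scanning outwards.
conntrack_unreplied() {
    table=${1:-$CT_TABLE}
    grep -c '\[UNREPLIED\]' "$table" || :   # grep exits 1 when the count is 0
}

# conntrack_alert THRESHOLD [TABLE] [MAXFILE]
# Exit 0 while usage is below THRESHOLD percent; otherwise print a report
# (usage, unreplied count, busiest sources) and exit 1.
conntrack_alert() {
    threshold=$1
    table=${2:-$CT_TABLE}
    maxfile=${3:-$CT_MAX_FILE}
    set -- $(conntrack_usage "$table" "$maxfile")
    used=$1; max=$2; pct=$3
    if [ "$pct" -ge "$threshold" ]; then
        echo "conntrack table at ${pct}% ($used of $max), $(conntrack_unreplied "$table") unreplied; busiest sources:"
        conntrack_top_src 5 "$table"
        return 1
    fi
    return 0
}

# write_sample_table FILE
# Constructed sample in 2.4 /proc/net/ip_conntrack format (not a real
# capture): 192.168.1.10 is a web server with two clients, 192.168.1.20 is a
# normal workstation, and 192.168.1.7 is behaving like a worm probing port 135.
write_sample_table() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=192.168.1.10 sport=40213 dport=80 src=192.168.1.10 dst=10.0.0.2 sport=80 dport=40213 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=10.0.0.3 dst=192.168.1.10 sport=51002 dport=80 src=192.168.1.10 dst=10.0.0.3 sport=80 dport=51002 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.7 dst=203.0.113.1 sport=1025 dport=135 [UNREPLIED] src=203.0.113.1 dst=192.168.1.7 sport=135 dport=1025 use=1
tcp      6 116 SYN_SENT src=192.168.1.7 dst=203.0.113.2 sport=1026 dport=135 [UNREPLIED] src=203.0.113.2 dst=192.168.1.7 sport=135 dport=1026 use=1
tcp      6 115 SYN_SENT src=192.168.1.7 dst=203.0.113.3 sport=1027 dport=135 [UNREPLIED] src=203.0.113.3 dst=192.168.1.7 sport=135 dport=1027 use=1
tcp      6 114 SYN_SENT src=192.168.1.7 dst=203.0.113.4 sport=1028 dport=135 [UNREPLIED] src=203.0.113.4 dst=192.168.1.7 sport=135 dport=1028 use=1
udp      17 28 src=192.168.1.20 dst=192.168.1.1 sport=1030 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1030 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=10.0.0.9 sport=1031 dport=22 src=10.0.0.9 dst=192.168.1.20 sport=22 dport=1031 [ASSURED] use=1
EOF
}
```

Typical use is a cron line such as `* * * * * . /root/conntrack-watch.sh; conntrack_alert 80 >> /var/log/conntrack-watch.log` (path assumed). When the report shows one internal address with hundreds of [UNREPLIED] entries to the same port, that host, not the table size, is the thing to fix; when usage climbs steadily with mostly [ASSURED] entries behind the web server, raising the limit or shortening the TCP timeouts is the right lever.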
Participants (5):
- John Andersen
- Josephine
- peter.kanters@nl.abnamro.com
- Philippe Vogel
- Ralf Ronneburger