On Wed, Feb 02, 2005 at 06:32:33PM -0600, Darryl Gregorash wrote:
> Darryl Gregorash wrote:
> The following are specifically recommended in any iptables configuration:
>
>     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> which will dump any new connection that does not have the SYN bit set. (A stray ACK packet can establish a NEW connection, for some arcane reasons I do not claim to understand.)
>
>     iptables -A INPUT -m state --state INVALID -j DROP
>
> I was poking around the Shorewall website, and came across this item:
>
> "1. Recent 2.6 kernels include code that evaluates TCP packets based on TCP Window analysis. This can cause packets that were previously classified as NEW or ESTABLISHED to be classified as INVALID.
> The new kernel code can be disabled by including this command in your /etc/shorewall/init file:
>
>     echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal"
The server held up for 11 days before starting to drop packets again. I've now gone back to a stateless firewall (ipchains style). Is a hashsize of about 128000 for the ip_conntrack database too low for a webserver handling about 100 hits/sec?

-- 
Erik Hensema (erik@hensema.net)
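As an added example (not part of the thread or of Shorewall), the script below assembles the stateful baseline the two quoted rules describe, logs INVALID packets before dropping them so that window-tracking false positives show up in syslog before anyone flips ip_conntrack_tcp_be_liberal, and reports how full the ip_conntrack table is, which is the other explanation for a firewall that "starts dropping packets" after days of uptime. The IPT variable, the ip_conntrack_count/ip_conntrack_max /proc paths, the DRYRUN switch and the log prefix are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: stateful baseline plus a
# conntrack-capacity report for a 2.6-era ip_conntrack kernel.
# Assumptions: IPT, the /proc paths below, DRYRUN, the log prefix.
IPT=${IPT:-iptables}
COUNT=/proc/sys/net/ipv4/netfilter/ip_conntrack_count   # assumed path
MAX=/proc/sys/net/ipv4/netfilter/ip_conntrack_max       # assumed path

# With DRYRUN=1 the rules are printed instead of loaded, so the ruleset
# can be reviewed (or tested) on a box without iptables.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Order matters: accept flows conntrack already knows, then drop the two
# classes of packet the quoted mail says every stateful ruleset should
# drop. INVALID is logged (rate-limited) before the drop so a burst of
# "CT-INVALID" lines after a kernel upgrade points at window tracking.
baseline_rules() {
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    run -A INPUT -m state --state INVALID -m limit --limit 5/min \
        -j LOG --log-prefix "CT-INVALID: "
    run -A INPUT -m state --state INVALID -j DROP
}

# Percent of the conntrack table in use (count, max as arguments so it
# is testable without /proc). Near 100% with no CT-INVALID log lines
# means the table, not the TCP window check, is causing the drops.
conntrack_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Average entries per hash bucket (count, hashsize). Long chains slow
# every lookup, which is the real cost of an undersized hashsize.
chain_len() { echo $(( $1 / $2 )); }

# Live report; silently skips when the (assumed) /proc files are absent.
report() {
    [ -r "$COUNT" ] && [ -r "$MAX" ] || { echo "no ip_conntrack stats"; return 0; }
    c=$(cat "$COUNT"); m=$(cat "$MAX")
    echo "conntrack: $c/$m entries ($(conntrack_pct "$c" "$m")% full)"
}
```

Run `report` from cron to watch the table fill over days, and `DRYRUN=1; baseline_rules` to review the rules before loading them with `baseline_rules`.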