Comments:
<0> May 23 23:25:27 localhost kernel: ip_conntrack: table full, dropping packet.
<0> yow.
<0> that's where all my packets are going...
<0> can I increase the size of the table or something?
<0> danieldg: help? :)
<0> colliertech.org and friends are throwing my packets out the window
<0> I'm losing mail, traffic is being lost, etc, etc.
<0> show ruleset
<1> Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
<0> http://rafb.net/paste/results/TrUAWw99.html
<0> ah. rmmod'd it
<0> that should do it.
<0> life is so much happier now.
<2> Howdy all
<2> I have a debian firewall. In /etc/network/interfaces should the line read: gatewaydev=ppp0 _or_ gatewaydev ppp0 ?????
<3> maxine: conntrack full is echo a larger value into /proc/sys/net/ipv4/ip_conntrack_max or /proc/sys/net/netfilter/nf_conntrack_max
<1> OK, danieldg.
<3> Rug: there is no gatewaydev option that I know ov
<3> *of
<2> ack...
<2> But it works differently based on what value I use!
<2> =)
<0> thanks, danield
<2> I just did a man interfaces, and you are right. BUT I am confused.
<0> danieldg: is conntrack a memory hog?
<3> cj: about 400 bytes per entry, last I checked
<0> what is the limiting factor in its maximum value?
<0> aha. what's the default max?
<3> the max value is set to be some % of your RAM
<3> don't know the % that it uses though
<3> or even if it's a straight %
<0> alrighty. well, my dom0 shouldn't need to track connections in its current state anyway...
<0> I assume QoS uses conntrack?
<3> it doesn't have to
<3> NAT is the only thing that requires it iirc
<0> alrighty
<3> and of course state rules :)
<0> I don't need anything fancy like that yet...
<3> Rug: maybe something in /etc/network/if*.d looks at it?
<0> I'll probably end up doing some traffic shaping when I put my box in the other colo rack
<0> I made about 60 cents on ad revenues today.
<0> well, 52 cents
<4> hey room
<5> is there a way to have a linux router forward broadcast packets between the two segments it's routing?
<3> maxine: not easily. Could you bridge them?
<1> danieldg: wish i knew
<3> majikman: could you bridge them?
<5> no... the two segments are located physically too far apart
<3> but there's one router connecting them?
<5> i have an oc3 between my two colo's with a router at each colo
<3> you can't specifically forward broadcast packets, no
<3> what would be the problem with setting up a bridge? the packets would just be forwarded; each network would still have its own default gateway, etc
<5> hrm... i didn't know u could bridge like that
<5> they have devices that can switch traffic over an oc3?
<3> it's kind of a hack though. You could have a daemon listen for packets, and send them on the other router
<5> oh... lol
<5> hrm.... nah... i don't need it that bad
<5> i have a way to work around my application that's using broadcasting
<5> but thanks for your help anyways
<6> could someone take a look at this for me? im trying to get log n drop to work but since doing so it's made the firewall block everything? http://rafb.net/paste/results/cTUU1188.html
<7> johnross, what exactly is that ur trying to do?
<7> block that particular URL>'
<7> ?
<6> no
<6> that url is my rc.firewall
<6> im just trying to use logndrop
<6> so instead of saying like
<6> $IPTABLES -A FrEtoR -j LOG
<6> $IPTABLES -A FrEtoR -j DROP
<6> just want to say $IPTABLES -A FrEtoR -j LOGnDROP
<7> johnross, hmmm.... It is not easy to tell unless we get the complete rules of the FrEtoR table
<7> johnross, may be u could try... to
<8> Hi , how I know how many packet hit a rule ? I forgot the parameter ;/
<8> thanks
<7> acidfu, iptables -L
<7> acidfu, or if its any particular tables
<7> iptables -t nat -L -nv
<7> to see the nat table
<7> johnross, try
<8> oh -v
<8> thx
<7> iptables -I instead of A
<7> johnross, make sure that it hits the first rule
<6> hokie dokey
<7> acidfu, np
<9> good morning
<9> iptables 1.35 return this error Unknown arg: --todev
<9> sorry 1.3.5
<10> iptables --help
<11> does someone know how to set ip_conntrack_buckets at start ? (on a non modular kernel)
<3> can't you just set it in /etc/sysctl.conf?
<11> danieldg: is it read early enough ?
<12> this is a dumb question but I can't find it in the man
<12> Chain INPUT (policy ACCEPT)
<12> how do I make that REJECT
<13> -P flag
<13> -P INPUT REJECT
<13> - bluefoxicy -
<12> AH
<14> ciel[busy]: Will only work for tcp connections then
<12> bluefox@ice-ldap:~$ sudo iptables -P INPUT REJECT
<12> iptables: Bad policy name
<14> udp and icmp will fall back to DROP
<14> Or it doesn't work at all, yeah maybe even that
<13> I just answer to a question
<13> it was about changing the policy
<13> :)
<13> so I think
<13> bluefoxicy => I don't know why it doesn't work
<12> it only takes drop
<12> not reject
<12> wtf.
<14> ciel[busy]: Because you can only use ACCEPT or DROP as default
<13> okay thanks :]