[CentOS] firewall dropping legitimate packets
alex at milivojevic.org
Sun Oct 22 04:25:41 UTC 2006
I'm experiencing a strange problem with my CentOS 4.4-based firewall.
In short, it seems to drop packets during larger downloads (several MB
in size and larger). Most of the time, the connection itself doesn't
break; it just stalls for about a minute or so and then continues.
Rather annoying. The problem seems to exist only when downloading
content from particular servers.
The first rule in my firewall configuration accepts all packets in
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
This is basically the only relevant rule.
I also have this rule to log dropped packets at the end of the FORWARD chain:
-A FORWARD -j LOG --log-prefix "FORWARD "
Every time the download stalls, I see a bunch of packets belonging to that
download logged as dropped.
If I set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1,
it seems to solve the problem. Being liberal on a firewall machine
is usually not a good thing, so I'm not particularly happy with this
solution. Googling around, I found this posting on the Netfilter-devel list:
The replies suggest that the problem is known, and that it was solved in
"recent" versions of the kernel (recent in this context is around September
2005). Looking at the changelog for the kernel package, I don't see any
mention of this fix being backported to the CentOS/RHEL 2.6.9 kernel. Or
maybe I was searching for the wrong keywords.
Anyhow, the main questions are: am I the only one (still) seeing this
problem? Does anybody remember having similar problems, or does
anybody know if the above-mentioned fix was ever backported into the
CentOS/RHEL 2.6.9 kernel?
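An added diagnostic example, not part of the original post and not code from the CentOS or netfilter projects. The mechanism behind the symptom is that conntrack's TCP window tracking marks out-of-window segments as INVALID, so they never match `--state ESTABLISHED` and fall through to the catch-all LOG at the end of FORWARD; setting tcp_be_liberal to 1 disables that out-of-window check for everything except RST segments. Rather than going liberal globally, the script below prints a LOG rule (the "INVALID " prefix and the use of --log-tcp-sequence are choices made here) that records state-INVALID TCP packets separately from other drops, and a small awk summary that groups logged packets by prefix and flow so you can see whether the stalled download's packets are really window-tracking rejections. The sample syslog lines are constructed for the example and are not taken from a real firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a 2.6-era kernel with
# ip_conntrack and the iptables LOG target. The rule prefix "INVALID " and
# the --log-tcp-sequence flag are choices made here.

# Print the rule to add ahead of the final catch-all LOG. Inserting at
# position 1 is safe: an INVALID packet can never match the ESTABLISHED
# accept rule anyway, so ordering relative to it does not matter.
# --log-tcp-sequence adds SEQ=/ACK= to the log line so the sequence numbers
# can be compared with what the client and server actually sent.
diag_rules() {
    cat <<'EOF'
iptables -I FORWARD 1 -p tcp -m state --state INVALID -j LOG --log-prefix "INVALID " --log-tcp-sequence --log-level 4
EOF
}

# Report the current value of the knob, whichever path this kernel uses
# (ip_conntrack on 2.6.9; nf_conntrack on later kernels). Prints nothing if
# neither exists (e.g. on a non-firewall host).
be_liberal_status() {
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal \
             /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; do
        [ -r "$f" ] && { printf '%s = %s\n' "$f" "$(cat "$f")"; return 0; }
    done
    return 1
}

# Constructed sample of kernel LOG lines as they would appear in syslog:
# two window-tracking rejections on one download flow, and one unrelated
# drop that hit the final "FORWARD " catch-all.
sample_log() {
    cat <<'EOF'
Oct 22 04:10:01 fw kernel: INVALID IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=80 DPT=33000 SEQ=1000 ACK=500 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 22 04:10:01 fw kernel: INVALID IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.1.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=80 DPT=33000 SEQ=2448 ACK=500 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 22 04:10:07 fw kernel: FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=TCP SPT=443 DPT=33001 WINDOW=5840 RES=0x00 ACK URGP=0
EOF
}

# Read LOG lines on stdin; print one line per (prefix, flow) with a count,
# sorted, so drops caused by window tracking stand out from everything else.
summarize() {
    awk '
    {
        kind = ""; src = ""; dst = ""; spt = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "kernel:") {
                # newer kernels put a "[secs.usecs]" timestamp after "kernel:"
                kind = ($(i+1) ~ /^\[/) ? $(i+2) : $(i+1)
            }
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # raw dmesg output has no "kernel:" token; the prefix is then $1
        if (kind == "" && ($1 == "INVALID" || $1 == "FORWARD")) kind = $1
        if (kind == "") next
        key = kind " " proto " " src ":" spt ">" dst ":" dpt
        n[key]++
    }
    END { for (k in n) print k, n[k] }
    ' | sort
}

# Stand-alone run: show the rule to add, the current knob value (if any),
# then summarise the constructed sample.
diag_rules
be_liberal_status || true
sample_log | summarize
```

On the real firewall, pipe `grep 'kernel: INVALID\|kernel: FORWARD ' /var/log/messages` into `summarize` while a download is stalled: if the stalled flow shows up only under the INVALID prefix, the drops are window-tracking rejections and tcp_be_liberal is the knob that controls them; if they appear under FORWARD instead, conntrack considers the packets valid and something else in the chain is responsible.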