[CentOS] firewall dropping legitimate packets

Aleksandar Milivojevic alex at milivojevic.org
Sun Oct 22 04:25:41 UTC 2006


I'm experiencing strange problem with my CentOS 4.4 based firewall.

In short, it seems to drop packets during larger downloads (several MB 
in size and larger).  Most of the time, the connection itself doesn't 
break, it is just halted for about a minute or so and that continues. 
Rather annoying.  The problem seems to exist only when downloading 
content from particular servers.

The first rule in my firewall configuration accepts all packets in 
ESTABLISHED state:

-A FORWARD -m state --state ESTABLISHED -j ACCEPT

This is basically the only relevant rule.

I also have this rule to log dropped packets at the end of FORWARD chain:

-A FORWARD -j LOG --log-prefix "FORWARD "

Every time the download stalls, I see bunch of packets belonging to that 
download logged as dropped.

If I set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1, 
it seems to solve the problem.  Being liberal on firewall machine 
usually is not a good thing, so I'm not particularly happy with this 
solution.  Googling around I found this posting on Netfilter-devel list:

http://www.opensubscriber.com/message/netfilter-devel@lists.netfilter.org/2176405.html

The replies suggest that the problem is known, and that it was solved in 
"recent" versions of kernel (recent in this context is around September 
2005).  Looking at the changelog for kernel package, I don't see any 
mention of this fix being backported to CentOS/RHEL 2.6.9 kernel.  Or 
maybe I was searching wrong keywords.

Anyhow, the main questions are, am I the only one (still) seeing this 
problem?  Does anybody remembers having similar problems, or does 
anybody knows if above mentioned fix was ever backported into 
CentOS/RHEL 2.6.9 kernel?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20061021/8366c56c/attachment.sig>


More information about the CentOS mailing list