On 9/21/06, Steph <stephanie.royle at lunarpages.com> wrote:
> Hi,
>
> We have 7 Dell 2850 servers with dual xeon 3 gig processors running the APF
> firewall version 0.9.6 http://rfxnetworks.com/apf.php
>
> They run fine for a day or two, then suddenly lock out all incoming
> connections, other than the backend IP, sometimes restarting the firewall
> resolves this, but occasionally we may have to leave it 10 mins or so before
> restarting where it will actually allow connections again.
>

Hi Stephanie,

I have had problems with apf, as noted in this thread about 5 months ago:
http://lists.centos.org/pipermail/centos/2006-May/064517.html

However, it would just lock out seemingly random connections for a fairly
short period, vs. the 10 min you are seeing.

I emailed rfxnetworks, but never heard back. :-(

So, although I have recommended APF numerous times on this list, I would
now recommend people probably consider another alternative. I am currently
"rolling my own" iptables config... if people have a frontend package
similar to apf (but without these various "lock out" concerns), I would
love to hear any recommendations.

One thing I found useful in troubleshooting the apf issues I had was to
use tcpdump. I used a command such as:

nohup tcpdump -p -i any -s 0 -w out_file.enc 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 443)' &

I was seeing multiple TCP SYN packets come in from the same client (with
the same src/dest port numbers) and no response from my CentOS box.

You can view the out_file.enc in something like Ethereal (now Wireshark).
Because it only captures the SYN packets, you can leave this running
without worrying about filling up your hard drive.

Also, I should probably mention that I was working with a CentOS 3 box.

Let me know if you learn anything else.

Regards,
Kennedy
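The symptom Kennedy describes (the same client re-sending a SYN with the same source and destination ports and never getting a SYN-ACK back) can be pulled out of the capture file automatically instead of scrolling through it in Wireshark. The script below is an added example written for this page; it is not part of the original mail and not from the APF or tcpdump projects. It reads a classic pcap as written by `tcpdump -w`, walks Ethernet or Linux "cooked" (`-i any`) frames down to the TCP header, counts client SYNs per 4-tuple, and reports the tuples that retransmitted and were never answered. Note that the capture filter in the mail, `tcp[tcpflags] & tcp-syn != 0`, matches every segment with the SYN bit set, so the server's SYN-ACK replies are in the file too, which is what makes the unanswered-vs-answered distinction possible. The capture it analyses is constructed inline (the IP addresses, ports and the `SAMPLE_PCAP` name are assumptions for the example) so it runs offline; point `unanswered_syns` at the bytes of a real `out_file.enc` to use it on a live capture.

```python
"""Report TCP client SYNs that were retransmitted but never got a SYN-ACK.

Added example, not from the original mail.  Parses a classic pcap with the
standard library only (no scapy) and pairs client SYNs with SYN-ACKs by
4-tuple.  The capture below is constructed test data, not a real trace.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113   # what "tcpdump -i any" writes
SYN, ACK = 0x02, 0x10
ETHERTYPE_IPV4 = b"\x08\x00"


def parse_pcap(data):
    """Yield (linktype, timestamp, frame_bytes) for each record in a classic pcap."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24                                  # global header is 24 bytes
    while off + 16 <= len(data):              # per-record header is 16 bytes
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield linktype, ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_header_of(linktype, frame):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP frame, else None."""
    if linktype == LINKTYPE_ETHERNET:         # 14-byte header, ethertype at 12
        if frame[12:14] != ETHERTYPE_IPV4:
            return None
        ip = frame[14:]
    elif linktype == LINKTYPE_LINUX_SLL:      # 16-byte header, protocol at 14
        if frame[14:16] != ETHERTYPE_IPV4:
            return None
        ip = frame[16:]
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13]    # byte 13 holds the TCP flags


def unanswered_syns(pcap_bytes, min_syns=2):
    """Map (src, sport, dst, dport) -> SYN count for client tuples that sent at
    least min_syns SYNs and never saw a SYN-ACK in the reverse direction."""
    syn_count = defaultdict(int)
    answered = set()
    for linktype, _ts, frame in parse_pcap(pcap_bytes):
        hdr = tcp_header_of(linktype, frame)
        if hdr is None:
            continue
        src, sport, dst, dport, flags = hdr
        if not flags & SYN:
            continue
        if flags & ACK:                       # SYN-ACK: server -> client, so swap sides
            answered.add((dst, dport, src, sport))
        else:                                 # plain SYN: a client connection attempt
            syn_count[(src, sport, dst, dport)] += 1
    return {k: n for k, n in syn_count.items() if n >= min_syns and k not in answered}


# --- constructed sample capture (assumed addresses from documentation ranges) ---
def _ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def _frame(src, sport, dst, dport, flags):
    """Ethernet + IPv4 + TCP frame with no payload; checksums left zero (test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Write frames into a little-endian classic pcap (what tcpdump -w produces on x86)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _frame("203.0.113.5", 40001, "192.0.2.10", 80, SYN),          # answered handshake
    _frame("192.0.2.10", 80, "203.0.113.5", 40001, SYN | ACK),
    _frame("198.51.100.7", 51234, "192.0.2.10", 443, SYN),        # three SYNs, same ports,
    _frame("198.51.100.7", 51234, "192.0.2.10", 443, SYN),        # no SYN-ACK: the symptom
    _frame("198.51.100.7", 51234, "192.0.2.10", 443, SYN),        # from the mail
    _frame("203.0.113.9", 40500, "192.0.2.10", 80, SYN),          # single SYN, still pending
])

if __name__ == "__main__":
    for (src, sport, dst, dport), n in sorted(unanswered_syns(SAMPLE_PCAP).items()):
        print(f"{src}:{sport} -> {dst}:{dport}  {n} SYNs, no SYN-ACK")
```

`min_syns=2` is the default because a single unanswered SYN may simply still be in flight when the capture is read; a client that has already retransmitted with the same ephemeral port is the clearer sign that the box is dropping the packets rather than answering them. On a real file, `unanswered_syns(open("out_file.enc", "rb").read())` does the whole job; pcap-ng files (newer tcpdump/Wireshark default) have a different magic and are rejected by `parse_pcap` rather than misread.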