I'm experiencing strange problem with my CentOS 4.4 based firewall.In short, it seems to drop packets during larger downloads (several MB in size and larger). Most of the time, the connection itself doesn't break, it is just halted for about a minute or so and that continues. Rather annoying. The problem seems to exist only when downloading content from particular servers.
The first rule in my firewall configuration accepts all packets in ESTABLISHED state:
-A FORWARD -m state --state ESTABLISHED -j ACCEPT This is basically the only relevant rule. I also have this rule to log dropped packets at the end of FORWARD chain: -A FORWARD -j LOG --log-prefix "FORWARD "Every time the download stalls, I see bunch of packets belonging to that download logged as dropped.
If I set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1, it seems to solve the problem. Being liberal on firewall machine usually is not a good thing, so I'm not particularly happy with this solution. Googling around I found this posting on Netfilter-devel list:
http://www.opensubscriber.com/message/netfilter-devel@xxxxxxxxxxxxxxxxxxx/2176405.htmlThe replies suggest that the problem is known, and that it was solved in "recent" versions of kernel (recent in this context is around September 2005). Looking at the changelog for kernel package, I don't see any mention of this fix being backported to CentOS/RHEL 2.6.9 kernel. Or maybe I was searching wrong keywords.
Anyhow, the main questions are, am I the only one (still) seeing this problem? Does anybody remembers having similar problems, or does anybody knows if above mentioned fix was ever backported into CentOS/RHEL 2.6.9 kernel?
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos