On Tue, Dec 31, 2002 at 12:54:57PM -0800, Ranjeet Shetye wrote:
>
> There are ways in which pings (ICMP packets) can fill up conntrack
> tables quickly. Are you running into problems with ICMP traffic only or
> with any traffic? e.g. look at /proc/net/ip_conntrack. Is it filled up
> with ICMP traffic connections only? If so, you might want to protect
> your Linux box from malformed ICMP packets by DROPping all such packets
> in the "filter" table.

Don't arbitrarily drop all ICMP; bad idea, it breaks a few things.

Couldn't the 'full ip conntrack table' problem be solved by echoing a
bigger number into /proc/sys/net/ipv4/ip_conntrack_max?

root@jimblewix:/proc/sys/net/ipv4; 23:48:19 0$ echo 32768 > ip_conntrack_max

certainly changes it here.

-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters.
Me who strips my confidence." Paula Cole - ME
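The two suggestions in this thread (check whether the table is full of ICMP entries, and raise ip_conntrack_max rather than dropping all ICMP) can be turned into a quick check. The script below is an added example, not code from either poster: it reads the 2.4-era /proc/net/ip_conntrack layout (protocol name in the first field; on newer kernels the file is /proc/net/nf_conntrack and the name is the third field), counts entries per protocol, finds which source addresses own the ICMP entries, and reports how much of ip_conntrack_max is in use. The sample table, the hostname-free addresses and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: triage a "table full" ip_conntrack condition.
# Constructed sample in the 2.4 /proc/net/ip_conntrack layout (not a real capture).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=33211 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33211 [ASSURED] use=1
udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=1025 dport=53 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=1025 use=1
icmp     1 29 src=10.0.0.9 dst=10.0.0.1 type=8 code=0 id=1 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 type=0 code=0 id=1 use=1
icmp     1 29 src=10.0.0.9 dst=10.0.0.1 type=8 code=0 id=2 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 type=0 code=0 id=2 use=1
icmp     1 29 src=10.0.0.9 dst=10.0.0.1 type=8 code=0 id=3 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 type=0 code=0 id=3 use=1'

# Read a conntrack table on stdin; print "<count> <proto>" per protocol,
# most common first. Answers "is it filled up with ICMP only?".
conntrack_by_proto() {
    awk '{ c[$1]++ } END { for (p in c) print c[p], p }' | sort -rn
}

# Total number of entries on stdin (one entry per line).
conntrack_total() {
    awk 'END { print NR }'
}

# For ICMP entries only, print "<count> <src>" using the first src= field
# (the original direction), most common first. Points at a ping flooder
# without having to drop ICMP for everyone.
icmp_top_sources() {
    awk '$1 == "icmp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { c[substr($i, 5)]++; break }
         }
         END { for (s in c) print c[s], s }' | sort -rn
}

# Integer percent of the table in use: $1 = entries, $2 = ip_conntrack_max.
# Fails (and prints nothing) if the max is not a positive number.
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# Usage: prefer the live table and live limit when present, else the sample.
if [ -r /proc/net/ip_conntrack ]; then
    TABLE=$(cat /proc/net/ip_conntrack)
    MAX=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
else
    TABLE=$SAMPLE_CONNTRACK
    MAX=32768   # the value echoed in the thread; constructed default here
fi
TOTAL=$(printf '%s\n' "$TABLE" | conntrack_total)
echo "entries: $TOTAL / $MAX ($(conntrack_pct "$TOTAL" "$MAX")% used)"
echo "by protocol:";     printf '%s\n' "$TABLE" | conntrack_by_proto
echo "icmp sources:";    printf '%s\n' "$TABLE" | icmp_top_sources
```

If the ICMP share is small and the table is still near the limit, raising the limit is the fix, as the reply says: `echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max` (or `sysctl -w net.ipv4.ip_conntrack_max=32768`). Two caveats when doing so: each entry costs kernel memory, so pick a number the box can afford, and on 2.4 the number of hash buckets is fixed when the ip_conntrack module loads (its `hashsize` parameter), so a much larger max without a larger hash makes every lookup walk longer chains. If instead one source owns most of the ICMP entries, a rate limit or a DROP for that source is far narrower than dropping ICMP wholesale.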