Hello Guys,

I got a firewall running kernel 2.4.20 with some p-o-m patches, including tcp-window-tracking, which allows me to change timeout stuff at runtime. Well ... my /proc/net/ip_conntrack log is PLENTY of CLOSE connections, just like:

    tcp 6 386819 CLOSE src=192.168.1.2 dst=200.220.254.156 sport=47617 dport=80 src=200.220.254.156 dst=200.241.238.254 sport=80 dport=47617 use=1
    tcp 6 21172 CLOSE src=192.168.1.2 dst=200.208.28.191 sport=41786 dport=80 src=200.208.28.191 dst=200.241.238.254 sport=80 dport=41786 use=1
    tcp 6 340817 CLOSE src=192.168.1.2 dst=216.136.226.78 sport=60094 dport=80 src=216.136.226.78 dst=200.241.238.254 sport=80 dport=60094 use=1
    tcp 6 87811 CLOSE src=192.168.1.2 dst=200.208.28.224 sport=58142 dport=80 src=200.208.28.224 dst=200.241.238.254 sport=80 dport=58142 use=1
    tcp 6 399392 CLOSE src=192.168.1.2 dst=200.220.254.156 sport=52780 dport=80 src=200.220.254.156 dst=200.241.238.254 sport=80 dport=52780 use=1
    tcp 6 379271 CLOSE src=192.168.1.2 dst=64.191.34.195 sport=44823 dport=80 src=64.191.34.195 dst=200.241.238.254 sport=80 dport=44823 use=1

These entries seem NOT to be cleaned after the timeouts, which are:

    [root@xxxxxxxx netfilter]# pwd
    /proc/sys/net/ipv4/netfilter
    [root@xxxxxxxx netfilter]# cat ip_conntrack_tcp_timeout_close
    10
    [root@xxxxxxxx netfilter]# cat ip_conntrack_tcp_timeout_close_wait
    300

These timeout values are changed at the very beginning of the firewall script.

It seems to me that connections are not being erased, because I get NO night traffic and the amount of connections seems to be stable (please check the MRTG graph attached).

And, strangest of all, I got exactly the same configuration (kernel version, kernel patches, iptables 1.2.7a and firewall script) running on other machines that do NOT show this problem ...

Have you ever seen something like this? Any hint? Any configuration change? Any idea? :)

Sincerely, and thanks for your replies,
Leonardo Rodrigues
Attachment:
conexoes-day.png
Description: PNG image
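Not part of the original mail: an added Python check for the symptom described above. It parses /proc/net/ip_conntrack lines in the format shown and flags entries whose remaining timeout is larger than the sysctl limit configured for their state (a CLOSE entry with days left against a 10 s ip_conntrack_tcp_timeout_close). The sample lines are constructed from the post's format; the ESTABLISHED limit is an assumed value, not one the post gives.

```python
from collections import Counter

# Constructed sample in the format of the post's /proc/net/ip_conntrack dump
# (addresses as in the post; one short CLOSE and one ESTABLISHED line added).
SAMPLE = """\
tcp 6 386819 CLOSE src=192.168.1.2 dst=200.220.254.156 sport=47617 dport=80 src=200.220.254.156 dst=200.241.238.254 sport=80 dport=47617 use=1
tcp 6 21172 CLOSE src=192.168.1.2 dst=200.208.28.191 sport=41786 dport=80 src=200.208.28.191 dst=200.241.238.254 sport=80 dport=41786 use=1
tcp 6 7 CLOSE src=192.168.1.2 dst=64.191.34.195 sport=44823 dport=80 src=64.191.34.195 dst=200.241.238.254 sport=80 dport=44823 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.2 dst=216.136.226.78 sport=60094 dport=80 src=216.136.226.78 dst=200.241.238.254 sport=80 dport=60094 [ASSURED] use=1
"""

# CLOSE and CLOSE_WAIT are the sysctl values shown in the post; ESTABLISHED is
# an assumed value, read the real one from /proc/sys/net/ipv4/netfilter/.
TIMEOUTS = {"CLOSE": 10, "CLOSE_WAIT": 300, "ESTABLISHED": 432000}

def parse_entry(line):
    """Parse one tcp line of /proc/net/ip_conntrack into a dict, or None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "tcp":
        return None
    entry = {"timeout": int(tokens[2]), "state": tokens[3], "flags": []}
    # The first src/dst/sport/dport group is the original direction, the
    # second the reply direction; number repeated keys as src1, src2, ...
    seen = Counter()
    for tok in tokens[4:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok.strip("[]"))
        elif "=" in tok:
            key, val = tok.split("=", 1)
            seen[key] += 1
            entry[f"{key}{seen[key]}"] = val
    return entry

def stale_entries(dump, timeouts=TIMEOUTS):
    """Entries whose remaining timeout exceeds the limit configured for their
    state; a CLOSE entry with days left against a 10 s sysctl is the symptom."""
    stale = []
    for line in dump.splitlines():
        entry = parse_entry(line)
        if entry and entry["timeout"] > timeouts.get(entry["state"], float("inf")):
            stale.append(entry)
    return stale

def state_counts(dump):
    """Count entries per TCP state, e.g. to watch the CLOSE backlog grow."""
    return Counter(e["state"] for e in map(parse_entry, dump.splitlines()) if e)

if __name__ == "__main__":
    for e in stale_entries(SAMPLE):
        print(e["state"], e["timeout"], "s left, limit", TIMEOUTS[e["state"]], "s, dst", e["dst1"])
    print(dict(state_counts(SAMPLE)))
```

Run it against `cat /proc/net/ip_conntrack` output and compare the CLOSE count over time with the MRTG graph; on a healthy box no entry should exceed its state's limit.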