On Wednesday 09 April 2003 15:06, Cedric Blancher wrote:
> Timers for Netfilter's conntrack should be the same as TCP stacks. So,
> if conntrack times out, then the destination TCP stack should time out too.
> That means if an ACK gets so delayed that the related conntrack entry gets
> dropped, then it would also be dropped by the destination TCP stack.

Aaah... that might explain my problem with 'new, not syn'.

Problem is that our firewall is a non-masquerading router for a class C
subnet and that we don't have the ability to set the timeouts on all
machines behind it. Isn't there a workaround to avoid this problem on the
netfilter machine?

-- 
Martijn
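The failure mode the two posters are circling, as an added toy model (this is not code from the thread or from the netfilter project): a conntrack entry for an idle-but-open TCP connection expires on the router while both end hosts still consider the connection established; the next ACK then arrives with no matching entry, conntrack classifies it NEW, and a "NEW but not SYN" DROP rule kills it. The same model shows the two knobs available on the netfilter box itself: a longer ESTABLISHED timeout, or not dropping NEW-without-SYN packets so the flow is picked up mid-stream. The class names, the packets and the addresses are constructed for illustration; the 5-day default is the ip_conntrack ESTABLISHED timeout, the rest of the table (5-tuple key, idle timer refreshed by every accepted packet, entry only created for packets that are forwarded) is a simplification of what the kernel does.

```python
"""Toy model of conntrack timeouts versus the end hosts' TCP state.

Added example, not code from the thread or from netfilter.  Models a
conntrack table keyed on the (normalised) 5-tuple with a per-entry idle
timer, plus a FORWARD policy that drops NEW packets lacking SYN.
"""
from dataclasses import dataclass

# ip_conntrack default ESTABLISHED timeout: 5 days (seconds).  The TCP
# stacks behind the router keep an idle connection open indefinitely
# unless keepalive is enabled, so the router's timer can always be the
# shorter of the two.
DEFAULT_ESTABLISHED_TIMEOUT = 5 * 24 * 3600


@dataclass(frozen=True)
class Packet:  # constructed minimal TCP header view
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


class Conntrack:
    def __init__(self, established_timeout=DEFAULT_ESTABLISHED_TIMEOUT):
        self.timeout = established_timeout
        self.table = {}  # normalised 5-tuple -> expiry time

    @staticmethod
    def key(pkt):
        # One entry covers both directions of the flow.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def lookup(self, pkt, now):
        """Return the state conntrack would assign, purging an expired entry."""
        k = self.key(pkt)
        expiry = self.table.get(k)
        if expiry is not None and expiry <= now:
            del self.table[k]  # idle timer fired: the router forgot the flow
            expiry = None
        return "NEW" if expiry is None else "ESTABLISHED"

    def confirm(self, pkt, now):
        """Create or refresh the entry for a packet that is being forwarded."""
        self.table[self.key(pkt)] = now + self.timeout


def forward_verdict(ct, pkt, now, drop_new_not_syn=True):
    """FORWARD chain: optionally drop NEW packets without SYN, else accept."""
    state = ct.lookup(pkt, now)
    if state == "NEW" and not pkt.syn and drop_new_not_syn:
        return "DROP"  # the 'new, not syn' rule; no entry is created
    ct.confirm(pkt, now)  # accepted traffic keeps the entry alive
    return "ACCEPT"


def simulate(established_timeout, idle_seconds, drop_new_not_syn=True):
    """Handshake, then one ACK after idle_seconds of silence.

    Returns (handshake verdicts, verdict for the late ACK).
    """
    ct = Conntrack(established_timeout)
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 22)  # constructed
    syn = Packet(*client, *server, syn=True, ack=False)
    synack = Packet(*server, *client, syn=True, ack=True)
    ack = Packet(*client, *server, syn=False, ack=True)
    t0 = 0.0
    handshake = [
        forward_verdict(ct, syn, t0, drop_new_not_syn),
        forward_verdict(ct, synack, t0 + 0.01, drop_new_not_syn),
        forward_verdict(ct, ack, t0 + 0.02, drop_new_not_syn),
    ]
    late = forward_verdict(ct, ack, t0 + 0.02 + idle_seconds, drop_new_not_syn)
    return handshake, late


if __name__ == "__main__":
    # Router timer (10 min) shorter than the hosts' patience: late ACK dropped.
    print(simulate(600, 3600))
    # Workaround 1: raise the router's ESTABLISHED timeout.
    print(simulate(DEFAULT_ESTABLISHED_TIMEOUT, 3600))
    # Workaround 2: let conntrack pick the flow up mid-stream.
    print(simulate(600, 3600, drop_new_not_syn=False))
```

Run it and the first case shows the symptom from the thread, the other two show that it disappears as soon as either the timer on the netfilter box outlasts the hosts' idle period or the NEW-without-SYN rule is removed; both changes are local to the router, which is the constraint Martijn describes.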