-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, Correct me on this if I'm wrong: It is a feature of Netfilter that whenever conntrack is registered in kernel, then for example any UDP packet passing through the firewall causes the state table to be consulted basically resulting in either update of an old state entry if found or creation of a new state. Now if the description above holds we have a slight problem. At our site, connection tracking would be the nice way to handle the classic case of allowing responses to UDP requests initating from our internal network. The problem is that in the internal network there are several standalone (a.k.a. non-forwarding) caching nameservers sending about 100 dns queries per second through the firewall in the worst case. For us the default ip_conntrack_proto_udp.c timeout setting of 30 seconds for unreplied UDP requests and 180 seconds for assured streams could mean from 3 000 up to 18 000 state entries for these dns requests alone. This problem would be solved if it was possible with Netfilter/iptables to skip connection tracking for some rules (servers sending dns queries and replies to them in our case), or better yet, not to track every connection by default but only when requested per rule. Is this kind of selective connection tracking possible already or will it possibly become supported in future conntrack versions? Best regards, Ville - -- Mr. Ville Mattila, vm@xxxxxx, http://iki.fi/vm/ -----BEGIN PGP SIGNATURE----- iD8DBQE+1HuDtUJlHUfTfMERAlu1AJ9+s5bD2uwP47M7GZSuh2vx6fooLgCfYsir nIvIRSE8mdUbVgZ36cGrvEE= =4/r4 -----END PGP SIGNATURE-----