Shaun T. Erickson wrote:
> I have an RH9 system with three nics: 1 WAN & 2 LANs. One lan is
> really locked down - the only thing allowed into it are responses to
> traffic initiated from that lan.
>
> The DNS server is on the other LAN. I'm seeing occasional dns packets
> being blocked from entering the locked down LAN. My assumption,
> correct or not, is that these are slightly delayed packets that are
> arriving after the state has been torn down, and they are thus
> blocked. I see something like 30 or so of these every 8 hours or so.
>
> Is this something people see a lot? If so, what is the best way to deal
> with it?

If you're using a POM patched kernel, you could change the timeout values of:

/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream

These are measured in seconds. The actual reason for taking so long between responses is strange though. You can't really stop these packets from happening though.

Another way to handle them is to not log the packets and feel comfortably numb.

If you really want to be anal about it, you may want to ethereal the interface and analyze the packets that are generating the problem.
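Before raising the conntrack UDP timeouts or silencing the log, it is worth confirming that the dropped packets really are late DNS answers. The script below is an added example, not part of the thread: it parses iptables LOG lines (standard KEY=VALUE kernel log format) and picks out UDP packets from port 53 on the DNS server that were dropped on their way out to the locked-down LAN. The interface names (eth1 for the DNS server's LAN, eth2 for the locked-down LAN), the addresses, the LOG prefix and the log lines themselves are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample iptables LOG output (hypothetical hosts, prefix "LOCKED-DROP").
# Packets forwarded from the DNS server's LAN (IN=eth1) toward the locked LAN (OUT=eth2).
SAMPLE_LOG = """\
Mar 12 03:14:07 gw kernel: LOCKED-DROP IN=eth1 OUT=eth2 SRC=192.168.1.5 DST=192.168.2.20 LEN=112 TOS=0x00 PREC=0x00 TTL=63 ID=4421 PROTO=UDP SPT=53 DPT=32817 LEN=92
Mar 12 03:14:09 gw kernel: LOCKED-DROP IN=eth1 OUT=eth2 SRC=192.168.1.5 DST=192.168.2.21 LEN=98 TOS=0x00 PREC=0x00 TTL=63 ID=4422 PROTO=UDP SPT=53 DPT=32818 LEN=78
Mar 12 03:20:41 gw kernel: LOCKED-DROP IN=eth1 OUT=eth2 SRC=192.168.1.9 DST=192.168.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11 PROTO=TCP SPT=445 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 03:22:00 gw kernel: LOCKED-DROP IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=192.168.2.20 LEN=112 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=UDP SPT=53 DPT=1024 LEN=92
"""

# Matches each KEY=VALUE token; flags without a value (e.g. SYN) are ignored,
# and an empty value (e.g. "OUT=") is captured as "".
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.
    LEN appears twice (IP and UDP header); the later value wins."""
    return dict(FIELD_RE.findall(line))


def late_dns_replies(log_text, locked_iface, dns_server):
    """Return the parsed fields of every dropped packet that looks like a DNS answer:
    UDP, source port 53, from the known DNS server, headed out to the locked LAN.
    Anything else (TCP, other sources, WAN-side port-53 traffic) is left out."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if (f.get("OUT") == locked_iface and f.get("PROTO") == "UDP"
                and f.get("SPT") == "53" and f.get("SRC") == dns_server):
            hits.append(f)
    return hits


def clients_hit(hits):
    """Count dropped replies per destination (the resolver clients on the locked LAN)."""
    return Counter(f["DST"] for f in hits)


if __name__ == "__main__":
    replies = late_dns_replies(SAMPLE_LOG, "eth2", "192.168.1.5")
    print(f"{len(replies)} dropped DNS replies toward the locked LAN")
    for dst, n in clients_hit(replies).items():
        print(f"  {dst}: {n}")
```

If the matches are all from the real DNS server and land a second or more after the client's query, the late-reply theory holds; if they come from elsewhere, as the last sample line does, they deserve a closer look rather than a longer timeout.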