Makes sense. Your understanding is correct. We will look at moving the server into a directly routed subnet in the future. BTW, do you know what the limit is on connection tracking or where I can find/set the values?

>
> It would depend on your configuration. Oh you said NAT, DNAT I guess.
> IIUC DNAT does depend on connection tracking. Perhaps you should put
> your Apache reservation in a routed (not DNAT'ed) subnet.
>
> > I would assume no. But when I add a NOTRACK rule to the raw table
> > Apache suddenly fails to serve the pages to external clients.
>
> Then your assumption would seem to be in error.
>
> > Am I doing something wrong?
>
> If it's not working, and you want it to work, yes. :)
> --
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
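
The conflict discussed in this thread, as an added example that is not part of the original messages: a check over `iptables-save` output for ports that are both exempted from tracking in the raw table and DNAT'ed in the nat table, plus a reader for the conntrack table size. The sample ruleset, addresses and function names are constructed for illustration; `nf_conntrack_count` and `nf_conntrack_max` are the standard Linux sysctl files.

```shell
#!/bin/sh
# Constructed iptables-save sample (not from the thread): port 80 is DNAT'ed
# to an internal web server while a raw-table rule exempts it from tracking.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p udp -m udp --dport 514 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.10:443
COMMIT'

# Read iptables-save text on stdin and print "proto/port" for every destination
# port that is untracked in raw (-j NOTRACK or -j CT --notrack) and also DNAT'ed.
# DNAT needs a conntrack entry, so each port printed here will not be translated.
notrack_dnat_conflicts() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*raw", "*nat", ...
        {
            proto = ""; port = ""; target = ""; notrack = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--notrack") notrack = 1
            }
            if (port == "") next                # chain headers, COMMIT, portless rules
            key = proto "/" port
            if (table == "raw" && (target == "NOTRACK" || (target == "CT" && notrack)))
                untracked[key] = 1
            if (table == "nat" && target == "DNAT")
                dnat[key] = 1
        }
        END { for (k in dnat) if (k in untracked) print k }
    ' | sort
}

# Print conntrack table use as "count/max". The optional directory argument
# lets the function run against a constructed copy of the sysctl files.
conntrack_usage() {
    dir=${1:-/proc/sys/net/netfilter}
    [ -r "$dir/nf_conntrack_max" ] || { echo "conntrack not loaded"; return 1; }
    echo "$(cat "$dir/nf_conntrack_count")/$(cat "$dir/nf_conntrack_max")"
}

printf '%s\n' "$SAMPLE_RULES" | notrack_dnat_conflicts
```

On a live host, pipe `iptables-save` into `notrack_dnat_conflicts` as root; the limit itself is changed with `sysctl -w net.netfilter.nf_conntrack_max=<value>`.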