Hi Steven,

> To see how many you are using at a given moment
>
> # wc -l /proc/net/ip_conntrack
> 16 /proc/net/ip_conntrack

I checked the conntrack table. I set up a cron job to look at it every minute, for 24 hours. You'll be surprised: the top number, around peak time, is:

255 /proc/net/ip_conntrack

So, it can't be the limit on the conntrack table.

I've found another clue though. When I first configured this firewall, I enabled rp_filter, with the command below:

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

And I've found this text on the Internet about it:

"If instead you decide to enable forwarding, you will also be able to modify the rp_filter setting; something which is often misunderstood by network administrators. The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing. Turning this on, however, has its consequences: if your host has several IP addresses on different interfaces, or if your single interface has multiple IP addresses on it, you'll find that your kernel may end up rejecting valid traffic. It's also important to note that even if you do not enable the rp_filter, protection against broadcast spoofing is always on. Also, the protection it provides is only against spoofed internal addresses; external addresses can still be spoofed. By default, it is disabled."

And that's what's been happening: the firewall has been rejecting a few valid packets. I'll disable it and see what happens, and then I'll let you know.

By the way, do you keep rp_filter enabled or disabled?
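The two checks discussed in this message (conntrack table fill level against its limit, and which interfaces have rp_filter turned on) as an added example script; it is not from the original thread. It assumes the legacy paths the thread uses (/proc/net/ip_conntrack and ip_conntrack_max; newer kernels use /proc/net/nf_conntrack and /proc/sys/net/netfilter/nf_conntrack_max), and takes the paths as parameters so it can be run against copied files.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Paths are parameters so the
# functions can be run against saved copies of the /proc files; the defaults
# are the legacy kernel paths mentioned in the thread (assumption).

# conntrack_usage [TABLE] [MAXFILE] -> prints "used max percent"
conntrack_usage() {
    table=${1:-/proc/net/ip_conntrack}
    maxfile=${2:-/proc/sys/net/ipv4/ip_conntrack_max}
    used=$(wc -l < "$table" | tr -d ' ')   # one line per tracked connection
    max=$(tr -d ' \n' < "$maxfile")
    pct=$(( used * 100 / max ))
    echo "$used $max $pct"
}

# conntrack_check [TABLE] [MAXFILE] [THRESHOLD] -> exit 1 when the table is
# at least THRESHOLD percent full (default 80), so cron can alert on it.
conntrack_check() {
    set -- $(conntrack_usage "$1" "$2") "$3"
    [ "$3" -lt "${4:-80}" ]
}

# rp_filter_mode VALUE -> name of the reverse-path filtering mode
rp_filter_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;   # drop if the best route back is not the arriving interface
        2) echo "loose" ;;    # drop only if there is no route back at all (kernels >= 2.6.31)
        *) echo "unknown($1)" ;;
    esac
}

# rp_filter_report [CONFDIR] -> one "iface mode" line per interface.
# The effective setting for an interface is the higher of conf/all and
# conf/<iface>, so "all strict" overrides a per-interface 0.
rp_filter_report() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$dir"/*/rp_filter; do
        iface=${f%/rp_filter}
        iface=${iface##*/}
        echo "$iface $(rp_filter_mode "$(tr -d ' \n' < "$f")")"
    done
}

# Stand-alone run: report both checks for the live system.
if [ "${1:-}" = "--run" ]; then
    conntrack_usage
    rp_filter_report
fi
```

To confirm that rp_filter is really the component dropping valid packets, setting net.ipv4.conf.all.log_martians=1 makes each such drop visible in the kernel log before you turn the filter off.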