Roman Ledovskiy wrote:
> Hi,
>
> I have a Linux firewall in between the internet and my network, diagram is
> following:
>
> Upstream
>   |
> Firewall server
>   |
> my network
>
> "My network" hosts many different email/web servers.
>
> Firewall server is not a bridge, it has 2 interfaces (one to upstream, one
> to internal network).
> Not much kernel configuration, kernel is the default kernel from the CentOS 5 x64
> repo: 2.6.18-8.1.10.el5
>
> On this server I get quite a lot of INVALID packets, about 0.07% of all, and
> I can't figure out why..

Same thing here. Most of the INVALID packets seem to have RST or FIN ACK set.

So what I did: I increased the timeouts to set up a connection, and I
increased the timeouts for connection closing. That helped a lot.

echo "240" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
echo "240" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack

regards,
Olivier
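Before raising conntrack timeouts it helps to see what the INVALID packets actually are. The script below is an added example, not code from either poster: it logs INVALID packets from the FORWARD chain with a distinctive prefix and then summarises the logged TCP flag combinations, so the "mostly RST or FIN ACK" observation can be checked against real log lines. It assumes an ip_conntrack-era iptables with the state match and the LOG target (as on the CentOS 5 kernel above); the chain name LOG_INVALID, the "CT_INVALID: " prefix and the sample log lines are our own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: find out which TCP flags the INVALID
# packets carry before touching conntrack timeouts. Assumes iptables with the
# state match and the LOG target (ip_conntrack era, e.g. the CentOS 5 kernel
# above). Chain name and the "CT_INVALID: " log prefix are our own choice.

# Insert a logging chain for INVALID packets in FORWARD. Rate-limited so a
# burst of junk cannot fill /var/log/messages. Run once, as root, on the
# firewall; it is not invoked below because it needs a live netfilter.
install_invalid_logging() {
    iptables -N LOG_INVALID 2>/dev/null || true
    iptables -F LOG_INVALID
    iptables -A LOG_INVALID -m limit --limit 10/min --limit-burst 50 \
        -j LOG --log-prefix "CT_INVALID: " --log-level info
    iptables -A LOG_INVALID -j DROP
    iptables -I FORWARD 1 -m state --state INVALID -j LOG_INVALID
}

# Read kernel LOG lines on stdin and count INVALID TCP packets by flag
# combination. The LOG target prints set flags as bare tokens (CWR ECE URG ACK
# PSH RST SYN FIN) between RES=... and URGP=..., so a whole-token match picks
# them out without confusing URG with URGP=0.
summarise_invalid() {
    awk '
        /CT_INVALID: / && /PROTO=TCP/ {
            flags = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)$/)
                    flags = (flags == "" ? $i : flags "+" $i)
            if (flags == "") flags = "none"
            count[flags]++
        }
        END { for (f in count) printf "%d %s\n", count[f], f }
    ' | sort -rn
}

# Print the TCP conntrack timeouts the reply above tunes, so the defaults can
# be recorded before changing them. The directory is a parameter so it can be
# pointed at a copy; silently prints nothing on a box without ip_conntrack.
show_tcp_timeouts() {
    dir=${1:-/proc/sys/net/ipv4/netfilter}
    for f in "$dir"/ip_conntrack_tcp_timeout_*; do
        [ -r "$f" ] || continue
        printf '%s = %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Constructed sample lines in ipt_LOG format (TEST-NET addresses), standing in
# for "grep CT_INVALID /var/log/messages". One UDP line and one unrelated line
# are included to show that they are ignored.
SAMPLE_LOG='Oct  3 10:12:01 fw kernel: CT_INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  3 10:12:02 fw kernel: CT_INVALID: IN=eth1 OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  3 10:12:05 fw kernel: CT_INVALID: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=25 DPT=40211 WINDOW=229 RES=0x00 ACK FIN URGP=0
Oct  3 10:12:06 fw kernel: CT_INVALID: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=229 RES=0x00 ACK FIN URGP=0
Oct  3 10:12:09 fw kernel: CT_INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct  3 10:12:11 fw kernel: CT_INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=4321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 10:12:12 fw kernel: CT_INVALID: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.0.2.5 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=778 DF PROTO=UDP SPT=53 DPT=33333 LEN=56
Oct  3 10:12:13 fw sshd[1234]: Accepted publickey for root from 192.0.2.2 port 50000 ssh2'

# Demo on the constructed sample; prints "3 ACK+RST", "2 ACK+FIN", "1 SYN".
printf '%s\n' "$SAMPLE_LOG" | summarise_invalid
```

Two caveats when using this on the firewall described above. The rule only covers FORWARD; packets addressed to the firewall itself need the same rule in INPUT. And longer close_wait/fin_wait timeouts mean more entries stay in the conntrack table, so after changing them compare the entry count in /proc/net/ip_conntrack against /proc/sys/net/ipv4/ip_conntrack_max on a busy day. If the summary shows the late ACK+RST / ACK+FIN pattern from the reply, the tracker is most likely seeing packets for connections it has already expired or closed, which is exactly what the longer closing timeouts address.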