On Tue, 2009-06-02 at 11:31 -0400, Chris wrote:
> On Tue, Jun 02, 2009 at 10:10:31AM -0400, Jason Pyeron wrote:
> > > We've got quite a few heavily loaded boxes (ISP shared
> > > servers) which have firewalls enabled. The firewalls
> > > basically allow certain ports, block some naughty IPs, and
> > > use limit and recent to keep some services under control.
> > >
> > > What we've noticed is that on rare occasions, a box will
> >
> > Can you make a test case? Does it happen on more than one machine?
>
> That's the tricky part. It happens maybe once or twice a month, and on
> different machines. I don't know of a way to reproduce it. Any
> pointers on information that would be useful to gather at the time it
> happens would be extremely useful, since at this point it is a mystery
> to me.

If you can actually see that you have a different active ruleset when it
"works" than when it doesn't work, then your problem most likely is with
the ruleset loading/creation process. I am not aware of any component of
netfilter that can change the ruleset by itself without user space
interaction. Of course various dynamic memory tables can get exhausted
(connection tracking, neighbor caches, routing cache etc), but when this
happens you usually get messages in your kernel log that clearly say so.

How do you manage your ruleset? Check the logs of that solution....

Thomas
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
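As an added example, not from the thread: a small sh script for the two checks Thomas recommends, comparing a saved ruleset snapshot against a later one with counters and timestamps stripped, and scanning a kernel log for table-exhaustion messages. All iptables-save and syslog sample data is constructed here, and the kernel message patterns are an assumption that varies by kernel version.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the two checks Thomas
# suggests - did the active ruleset change, and does the kernel log report a
# dynamic table (conntrack, neighbour cache, route cache) running full?
# The iptables-save and syslog samples below are constructed for this example.
WORK=$(mktemp -d)
# Strip what legitimately differs between two snapshots: '#' comment lines
# (timestamps) and [pkts:bytes] counters. Rule order is kept; it matters.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Exit 0 if the two saved rulesets match once normalised, 1 (and print the
# differing lines) if they do not.
ruleset_diff() {
    normalize_ruleset "$1" > "$WORK/a" && normalize_ruleset "$2" > "$WORK/b"
    diff "$WORK/a" "$WORK/b"
}

# Count kernel-log lines reporting table exhaustion; exit 0 if there were any.
# Message wording is kernel-version dependent, so these patterns are assumed.
kernel_exhaustion_msgs() {
    grep -E -c 'conntrack: table full|[Nn]eighbour table overflow|dst cache overflow' "$1"
}

# --- constructed samples ---
BASELINE=$WORK/baseline.rules; SAME=$WORK/same.rules; CHANGED=$WORK/changed.rules
KLOG=$WORK/kern.log
cat > "$BASELINE" <<'EOF'
# Generated by iptables-save v1.4.2 on Tue Jun  2 11:31:00 2009
*filter
:INPUT DROP [1510:98765]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2200:450000]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m recent --set --name SSH -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 50/s -j ACCEPT
COMMIT
EOF
# Later snapshot with only counters and timestamp advanced: not a real change.
sed -e 's/\[[0-9]*:[0-9]*\]/[9:9]/' -e 's/^# Generated.*/# Generated later/' "$BASELINE" > "$SAME"
# Later snapshot where the 'recent' DROP rule has disappeared: a real change.
sed -e '/recent --update/d' "$SAME" > "$CHANGED"
printf '%s\n' 'Jun  2 03:14:07 web07 kernel: nf_conntrack: table full, dropping packet.' \
    'Jun  2 03:14:07 web07 kernel: eth0: link up' \
    'Jun  2 03:14:09 web07 kernel: nf_conntrack: table full, dropping packet.' > "$KLOG"
ruleset_diff "$BASELINE" "$CHANGED" || echo "ruleset changed"
kernel_exhaustion_msgs "$KLOG"
```

On a real box, feed `iptables-save` output taken at a known-good time as the baseline and a fresh `iptables-save` plus `dmesg` at the time of the incident; a diff with no kernel messages points at the ruleset loader, as Thomas says.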