On Tue, 2 Jun 2009, Xesc Arbona wrote:

>
> Olivier Sessink wrote:
> >> Roman Ledovskiy wrote:
> >> Hi,
> >>
> >> I have linux firewall in between internet and my network, diagram is
> >> following:
> >>
> >> Upstream
> >> |
> >> Firewall server
> >> |
> >> my network
> >>
> >> "My network" hosts many different email/web servers.
> >>
> >> Firewall server is not a bridge, it has 2 interfaces (one to upstream, one
> >> to internal network)
> >> Not much kernel configuration, kernel is default kernel from Centos5 x64
> >> repo: 2.6.18-8.1.10.el5
> >>
> >> On this server I get quite a lot of INVALID packets, about 0.07% of all and
> >> I can't figure out why..
> >
> > same thing here. most of the INVALID packets seem to have RST or FIN ACK
> > set. So what I did, I increased the timeouts to setup a connection, and
> > I increased the timeouts for connection closing. That helped a lot.
>
> I have a similar problem, but increasing the timeouts didn't help me.
> Our situation is:
>
> We have several Windows backend webservers on an internal network,
> connected to a Debian machine (kernel 2.6.18.dfsg.1-24) which has a
> direct connection to Internet and acts as Reverse-Proxy.

The kernel release 2.6.18 is pretty old and a lot of TCP connection
tracking improvements have been added since then. I don't think that
tweaking the timeout parameters would really help, the best would be to
upgrade to a recent kernel.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary