Hi Slavko,

On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
>
> On 29 October 2024 15:11:34 UTC, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
>
> >...but it is still dropping packets due to the CT.
>
> You have first to inspect what is filling your conntrack table:
>
> conntrack -L

Ah.. Thanks for that hint!

> Then you have to decide, if you have to add more notrack rules, or
> you are under e.g. SYN flood or so... IMO you forget that DNS can
> use TCP too (not mentioned in that article's rules).

Agreed. I added the TCP no track after sending the initial email.

> Do not forget, that "lo" traffic can create (a lot of) conntrack entries
> too.

Sure. I'll look at the conntrack output.

> >I'm running Linux 3.2.0-4-amd64
>
> IMO quite old, AFAIK modern kernels can do better with SYN floods
> (via better SYN cookies approach), if that is source of your problems.

Agreed. It's on the docket to upgrade.

Thanks for the helpful reply.

Cheers!

-m
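As an added illustration of the "inspect what is filling your conntrack table" step (example code, not from either poster): a small POSIX shell helper that summarises `conntrack -L` output by protocol and original-direction destination port, and counts entries still flagged [UNREPLIED], which is the pattern a SYN flood leaves behind. The sample lines are constructed in the plain text format `conntrack -L` prints; on a real host pipe `conntrack -L 2>/dev/null` into the functions instead.

```shell
#!/bin/sh
# Added example: triage helpers for conntrack -L output.
# Constructed sample lines (not captured from the poster's host), in the
# layout conntrack -L prints: proto, protonum, timeout, [tcp state],
# original-direction tuple, [UNREPLIED], reply-direction tuple, ...
SAMPLE_CONNTRACK='udp      17 29 src=10.0.0.5 dst=9.9.9.9 sport=40001 dport=53 src=9.9.9.9 dst=10.0.0.5 sport=53 dport=40001 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=9.9.9.9 sport=40002 dport=53 src=9.9.9.9 dst=10.0.0.5 sport=53 dport=40002 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=9.9.9.9 sport=50000 dport=53 src=9.9.9.9 dst=10.0.0.5 sport=53 dport=50000 [ASSURED] mark=0 use=1
tcp      6 55 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=1234 dport=80 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=80 dport=1234 mark=0 use=1
tcp      6 55 SYN_RECV src=198.51.100.8 dst=10.0.0.5 sport=1235 dport=80 [UNREPLIED] src=10.0.0.5 dst=198.51.100.8 sport=80 dport=1235 mark=0 use=1
udp      17 20 src=127.0.0.1 dst=127.0.0.1 sport=5353 dport=5353 src=127.0.0.1 dst=127.0.0.1 sport=5353 dport=5353 mark=0 use=1'

# Count entries per "proto dport", using the first dport= field on each
# line (the original direction). Reads conntrack -L lines from stdin and
# prints "count proto dport", busiest first. Large counts on udp 53 /
# tcp 53 point at DNS needing notrack for both protocols; entries with
# 127.0.0.1 endpoints are the "lo" traffic mentioned in the thread.
summarize_conntrack() {
    awk '{
        proto = $1; dport = "";
        for (i = 2; i <= NF; i++) if ($i ~ /^dport=/) { dport = substr($i, 7); break }
        count[proto " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Count entries whose reply direction has never been seen. Many of these
# in SYN_RECV state is the signature of a SYN flood rather than of
# legitimate traffic that merely needs notrack rules.
count_unreplied() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
printf 'unreplied: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied)"
```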