Hi,
On Wed, Nov 12, 2008 at 12:44, Neil Aggarwal <[EMAIL PROTECTED]> wrote:
> Sorry for the red herring.
No problem.
> I am now convinced the problem is not in the firewall.
> It must be somewhere in Apache, Tomcat, or my
> application code (Most likely). I think I
> was seeing the firewall log
Filipe:
One of my servers stopped responding again.
This time, it was one of those which was not using
ESTABLISHED.
I am now convinced the problem is not in the firewall.
It must be somewhere in Apache, Tomcat, or my
application code (Most likely). I think I
was seeing the firewall logs after I
Filipe:
I changed the firewall rules on the server that had stopped
responding to not use ESTABLISHED.
Now, one of the servers that was still using ESTABLISHED
stopped responding.
I am seeing logs like this in the syslog:
OUTPUT IN= OUT=eth0 SRC=[myIP] DST=[otherIP] LEN=52 TOS=0x00 PREC=0x00
TT
Hi,
On Thu, Nov 6, 2008 at 10:42, Neil Aggarwal <[EMAIL PROTECTED]> wrote:
> If this is the source of the problem, how would restarting
> httpd and tomcat help? I did not restart the machine nor
> reset iptables.
Because this might potentially close several connections and free
slots in the conn
>Why do you try to filter outbound connections at all? If "something" makes
>it on your machine the first thing they will do is drop your rules.
You imply the *only* reason for outbound filtering is to stop a hacker. In some
environments it serves as an additional layer of protection against other
Neil Aggarwal wrote on Thu, 6 Nov 2008 08:33:59 -0600:
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport
> 1024: -m state --state ESTABLISHED -j ACCEPT
Why do you try to filter outbound connections at all? If "something" makes
it on your machine the first thing they will
Filipe:
Thanks for the information.
If I do:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
on each of my servers, they all report 65536 which
seems like a pretty high limit.
If I do:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
on each of my servers, the highest number is just over
11
Hi,
On Thu, Nov 6, 2008 at 09:33, Neil Aggarwal <[EMAIL PROTECTED]> wrote:
> # Allow http connections from the outside world
> /sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p tcp --sport 1024: --dport
> http -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -