search for: contrack

...assify the packets they still have the translated addresses. I could live with the translated addresses if I could use netfilter connection tracking information to classify the packets [4]. This was also discussed in the thread [3]: Jamal Hadi Salim writes: > [...] Instead the plan is to have a contrack related action. This > action will selectively either query/create contrack state on incoming packets. > Packets could then be redirected to dummy based on what happens -> eg > on incoming packets; if we find they are of known state we could send to > a different queue than one whic...

I''m havign a HUGE amount of difficulty getting shoreline to work with LVS. We use it here constantly so we know it works. The problem is packets come in, get directed to a webserver, webserver returns the packet to firewall, and then it goes into a black hole. rp_filter is off globally on all interfaces. LVS seems to be working right.... I use shorewall tcrules to mark packets on

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have a situation where some Poptop/PPTP sessions (only with FC5/Shorewall to FC5/Shorewall firewall in between) cause the following to appear in the state table (shorewall show connections). unknown 47 420 src=XX.234.79.183 dst=XX.234.137.226 packets=2 bytes=130 [UNREPLIED] src=XX.234.137.226 dst=XX.234.79.183 packets=0 bytes=0 mark=0 use=1

Folks, Ive got two ISP connections that I am using with: --- ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1 ip route add default via 192.168.200.1 table connection1 ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2 ip route add default via x.175.244.1 table connection2 ip rule add from 192.168.200.11 table connection1 ip rule add from x.175.244.2

Hi. there is a way to MARK udp VOIP (SIP) traffic, in order to put in a highest prio class ? Traffic flow seems start on udp 5060 port, but next both server and client seems jump to a random(?) port. I can''t use CONNMARK because is udp traffic. I only see a pattern for L7 patch in order to SIP traffic identification , but I run 2.4 kernel series . When you patch 2.4 kernel with

Hi all, I manage somo interface in output. I know that i can send packet to the single interface using routing tables. I use IMQ to shape ingress traffic but why i would have to use IMQ on postrouting? When IMQ, on egress, give me advantages? and what are this advantages? Thanks Bye Simone -- Email.it, the professional e-mail, gratis per te: http://www.email.it/f Sponsor: Clicca qui:

Hi http://mailman.ds9a.nl/pipermail/lartc/2002q3/004977.html I have the same problem to discuss as in the above link. I want to allocate say X MBit per individual connection regardless of the number of connection . KIndly could anyonen suggest me how to proceed. I have tried with SFq but is doesnot yeild my requirement.. Thanks, Namitha. _______________________________________________ LARTC

...of "NEW" packets not marked as SYN which viewed as follows... NEW NOT SYN!: IN=ppp0 OUT= MAC= SRC=203.57.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=100 TOS=0x00 PREC=0x00 TTL=57 ID=42058 DF PROTO=TCP SPT=25 DPT=6699 WINDOW=58080 RES=0x00 ACK PSH URGP=0 I deduced from this that it was posible the contrack tables were overrun and the connection state being lost. I didn''t have focus to cat /proc/net/ip_conntrack >> to save the output.... Oh well... NEW NOT SYN makes sense as being related to an overrun of the conntrack, but the inbound blocking to dport 25 seems to me totally stran...

Hi, I have typical situation, local LAN with private addresses, translated via NAT to internet. I need to shape ingress traffic (from internet to local LAN) in several HTB queues accorting to destination (private not public) IP. So I need mark packets to divide them to corresponding queue. According to http://www.docum.org/stef.coene/qos/kptd/ I thing I have only one way how to do it, because

...is happening, routing slows to a crawl if at all. Then dies. I''ve added: # Added to stop "neighbor table overflow" messages in the kernel net.ipv4.neigh.default.gc_thresh1=512 net.ipv4.neigh.default.gc_thresh2=2048 net.ipv4.neigh.default.gc_thresh3=4096 # Added to increase IP contrack number (was getting to max) net.ipv4.ip_conntrack_max=99999 to sysctl.conf to increase the size, but this only seems to delay the problem. Any thoughts? Marco

Hello I am looking for a way to have snort to dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Aslo I would like to know if there is a way clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish