Andres Tarallo
2009-Feb-12 17:48 UTC
Getting ip_conntrack: table full, dropping packet on shorewall-lite
I have a bunch of servers where I've deployed shorewall-lite. For us it is very useful to have a centralized repository of the firewall rules deployed on our servers. One of these servers is pretty busy, handling lots of connections. On that server I'm getting this message from time to time:

    ip_conntrack: table full

If I were working in a custom-made iptables firewall I would handle those connections through the raw table, but on shorewall-lite I'm lost. I want to disable connection tracking totally (not needed in this firewall) or handle some rules in a way that doesn't use connection tracking. Is this possible with shorewall-lite?

I really like shorewall-lite, it is great in our situation.

Thanks for your help, apologies for the poor English.

Andrés Tarallo
Tom Eastep
2009-Feb-12 17:53 UTC
Re: Getting ip_conntrack: table full, dropping packet on shorewall-lite
Andres Tarallo wrote:
> I have a bunch of servers, where I've deployed shorewall-lite. For us
> is very useful to have a centralized repository of the firewall rules
> deployed in our servers. One of this servers is pretty busy, handling
> lots of connections. In that server I'm getting from time to time this
> message: ip_conntrack: table full
>
> If I where working in a custom made iptables firewall I will handle
> that connections through the raw table, but on shorewall-lite I'm
> lost. I want to disable totally the connection tracking (not needed
> in this firewall) or handle some rules in a way that don't use
> connection tracking. It's this possible with shorewall-lite?

Not unless you do it yourself using extension scripts. Sorry.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2009-Feb-19 20:27 UTC
Re: Getting ip_conntrack: table full, dropping packet on shorewall-lite
Tom Eastep wrote:
> Andres Tarallo wrote:
>> I have a bunch of servers, where I've deployed shorewall-lite. For us
>> is very useful to have a centralized repository of the firewall rules
>> deployed in our servers. One of this servers is pretty busy, handling
>> lots of connections. In that server I'm getting from time to time this
>> message: ip_conntrack: table full
>>
>> If I where working in a custom made iptables firewall I will handle
>> that connections through the raw table, but on shorewall-lite I'm
>> lost. I want to disable totally the connection tracking (not needed
>> in this firewall) or handle some rules in a way that don't use
>> connection tracking. It's this possible with shorewall-lite?
>
> Not unless you do it yourself using extension scripts.
>

Shorewall-perl 4.2.7 will support an /etc/shorewall/notrack file which will allow you to exempt certain traffic from connection tracking. The /etc/shorewall/routestopped file will also allow a notrack option.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
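The "ip_conntrack: table full" condition from the first message can be watched for before packets start being dropped. The script below is an added example, not code from the thread or from Shorewall: it reads the conntrack entry count and limit from whichever of the older ip_conntrack or newer nf_conntrack sysctl paths the kernel provides, reports utilisation against an assumed 80 % threshold, and counts "table full" drops already logged, using a constructed sample log in place of the real kernel log.

```shell
#!/bin/sh
# Added example (not from the thread): check how close the conntrack table
# is to the limit behind "ip_conntrack: table full, dropping packet", and
# count how often the kernel has already logged that message.

# Print the current entry count and the limit as "count max".
# Older kernels (ip_conntrack) and newer ones (nf_conntrack) use different paths.
conntrack_counters() {
    for d in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${d}_count" ] && [ -r "${d}_max" ]; then
            echo "$(cat "${d}_count") $(cat "${d}_max")"
            return 0
        fi
    done
    return 1
}

# Percentage of the table in use, given "count" and "max" (integer math).
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Count kernel "table full, dropping packet" messages in a log file;
# both the old ip_conntrack and the newer nf_conntrack spelling are matched.
count_table_full() {
    grep -c -E '(ip|nf)_conntrack: table full, dropping packet' "$1"
}

# Constructed sample log lines standing in for /var/log/kern.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 12 17:40:01 fw kernel: ip_conntrack: table full, dropping packet.
Feb 12 17:40:02 fw kernel: eth0: link up
Feb 12 17:40:05 fw kernel: ip_conntrack: table full, dropping packet.
EOF

# Assumed warning threshold, in percent of the table.
THRESHOLD=80

if counters=$(conntrack_counters); then
    set -- $counters
    pct=$(conntrack_usage_pct "$1" "$2")
    echo "conntrack: $1/$2 entries in use (${pct}%)"
    if [ "$pct" -ge "$THRESHOLD" ]; then
        echo "WARNING: conntrack table above ${THRESHOLD}%"
    fi
fi
echo "table-full drops logged so far: $(count_table_full "$SAMPLE_LOG")"
```

On a host that does not expose either sysctl path (for example one with connection tracking not loaded) the utilisation line is skipped and only the log count is printed.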