On Fri, 17 Dec 2004, Erik Kangas wrote:

> We have found that it is the iptables connection state tracking modules
> that cause issues like this, due to issues with depth of queue, data
> storage in the kernel, etc. If you have only iptables rules that do not
> use connection state tracking, then you should be fine (though you may have
> to restart the machine to fully switch from connection state tracking to
> not, as once you start it, some kernel-level flags may get set that keep it
> up when iptables are used).
You ought to be ok with connection tracking (which is required for things like incoming and outgoing FTP, unless everyone agrees on active/passive mode) as long as you have ACCEPT rules without the --syn qualifier before RedHat's default ESTABLISHED line. I.e., this is good:

    # /etc/sysconfig/iptables
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

And this can be bad under high load:

    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-- 
Rich Graves <[EMAIL PROTECTED]>
UNet Systems Administrator
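The two rule layouts above differ only in where a mid-stream packet lands when conntrack has no entry for its flow. The following is an added example, not part of the original message: a small Python model of iptables rule evaluation that parses the exact rule lines quoted above and walks a few constructed packets through both chains. The conntrack table is modelled simply as the set of flows it currently knows about; everything else (chain names, -m tcp, --reject-with) is parsed and ignored because it does not affect the verdict.

```python
"""Toy model of iptables rule matching for the two RH-Firewall-1-INPUT
layouts quoted in the message.  Added example, not code from the original
post.  Only what the argument needs is modelled: a packet is ESTABLISHED
when conntrack holds an entry for its flow, otherwise NEW; --syn matches
only a connection's initial SYN."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    syn: bool   # True only for the first packet of the connection
    flow: str   # constructed label standing in for the 5-tuple


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: bool = False                       # models --syn
    states: FrozenSet[str] = frozenset()    # models -m state --state a,b


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax used in the message."""
    toks = line.split()
    proto = dport = target = None
    syn, states = False, frozenset()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            proto, i = toks[i + 1], i + 2
        elif t == "--dport":
            dport, i = int(toks[i + 1]), i + 2
        elif t == "--syn":
            syn, i = True, i + 1
        elif t == "--state":
            states, i = frozenset(toks[i + 1].split(",")), i + 2
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        else:
            i += 1  # -A chain, -m tcp, -m state, --reject-with: no effect here
    if target is None:
        raise ValueError("rule has no -j target: %r" % line)
    return Rule(target, proto, dport, syn, states)


def load(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def conntrack_state(pkt: Packet, table: Set[str]) -> str:
    """ESTABLISHED only if conntrack already has an entry for the flow.
    RELATED (FTP data channels) is not needed for these packets."""
    return "ESTABLISHED" if pkt.flow in table else "NEW"


def verdict(rules: List[Rule], pkt: Packet, table: Set[str]) -> str:
    """First matching rule wins, as in a real chain."""
    state = conntrack_state(pkt, table)
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.syn and not pkt.syn:
            continue
        if r.states and state not in r.states:
            continue
        return r.target
    return "RETURN"  # end of user chain; unreachable here, REJECT is last


# The two layouts exactly as quoted in the message.
GOOD = """
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
BAD = """
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 993 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 995 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def compare(pkt: Packet, table: Set[str]) -> Tuple[str, str]:
    """(verdict under GOOD, verdict under BAD) for one packet."""
    return verdict(load(GOOD), pkt, table), verdict(load(BAD), pkt, table)


if __name__ == "__main__":
    # Constructed packets: a mid-stream IMAP ACK whose conntrack entry is
    # present, the same packet with the entry missing, and a new SYN.
    imap_ack = Packet("tcp", 143, syn=False, flow="client:51000->imap")
    print("entry present :", compare(imap_ack, {"client:51000->imap"}))
    print("entry missing :", compare(imap_ack, set()))
    print("new IMAP SYN  :", compare(Packet("tcp", 143, True, "x"), set()))
```

With the entry present both layouts accept the packet via the ESTABLISHED rule. With the entry missing, the "good" layout still accepts it on the plain --dport 143 rule, while the "bad" layout skips the ESTABLISHED rule (state is NEW), skips the --syn rule (not a SYN), and falls through to REJECT, which is the failure the message attributes to high load. Note the port-based rules only rescue the explicitly opened ports; a mid-stream packet on any other port still depends on conntrack in both layouts.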