Re: INVALID state and no known connection.
Hi Rolf.

>> The information about connections is stored in
>> /proc/net/ip_conntrack. The maximum connections
>> (...) in /proc/sys/net/ipv4/netfilter/ip_conntrack_max

I checked these values and it looks this way;

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
55740
# cat /proc/net/ip_conntrack |wc -l
13

Should I change something to limit INVALID packets? Or is it normal?

Best regards.
Re: INVALID state and no known connection.
Hi Reid

Okay, no problem. So, everything is fine even with these INVALID entries in log files?

2013/4/11 Reid Sutherland

> I don't think you need to remove the syslog tag, just know that when you
> see that syslog entry, it's related to the rule that has the tag.
>
>
> On 2013-04-10, at 11:34 AM, Daniel Curtis wrote:
>
> > Hi Mr Rolf
> >
> > Okay, I will check these values; /proc/net/ip_conntrack etc.
> > Generally it is normal that there are INVALID connections, right?
> >
> > Yes, I'm seeing this syslog tag. Should I remove it from my iptables
> > script (e.g. -j LOG --log-prefix etc.)?
Re: INVALID state and no known connection.
Hi Mr Rolf

Okay, I will check these values; /proc/net/ip_conntrack etc.
Generally it is normal that there are INVALID connections, right?

Yes, I'm seeing this syslog tag. Should I remove it from my iptables
script (e.g. -j LOG --log-prefix etc.)?
Re: INVALID state and no known connection.
This whole discussion seems off-topic to me, but I'll try to clear this up.

Daniel, I believe you are seeing a syslog tag called '[INVALID in] ' or '[INVALID out] ', nothing more. See the LOG target in the iptables man page (eg, -j LOG --log-prefix '[INVALID in] ').

On 2013-04-09, at 3:51 PM, Rolf Kutz wrote:

> Hi Daniel,
>
> On 09/04/13 21:05 +0200, Daniel Curtis wrote:
>> Hi andika.
>>
>> Another INVALID packet description. I read a lot of
>> information and I don't know what is the truth. Frankly,
>> this is the first time I have seen a description that concerns RAM memory.
>>
>> So, I have 1 GB of RAM memory. Just for example; free -m
>> command result;
>> used: 640, free: 230
>>
>> and top command;
>> 891896k total, 677284k used, 214612k free
>>
>> As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
>> So what is the relationship between INVALID packets and RAM
>> memory? Honestly, I don't understand it.
>
> The information about connections is stored in
> /proc/net/ip_conntrack. The maximum connections
> being tracked are configured in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max.
>
> If you have a lot of connections, you might want
> to increase the values (f.e. if you use bittorrent
> or similar protocols). Every connection being
> tracked needs some RAM.
> You could also check if the connections timed
> out and then increase the timeout values.
>
> HTH Rolf

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2214718b-f125-46f1-96ea-9d81c8f74...@vianet.ca
Re: INVALID state and no known connection.
Hi Daniel,

On 09/04/13 21:05 +0200, Daniel Curtis wrote:
> Hi andika.
>
> Another INVALID packet description. I read a lot of
> information and I don't know what is the truth. Frankly,
> this is the first time I have seen a description that concerns RAM memory.
>
> So, I have 1 GB of RAM memory. Just for example; free -m
> command result;
> used: 640, free: 230
>
> and top command;
> 891896k total, 677284k used, 214612k free
>
> As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
> So what is the relationship between INVALID packets and RAM
> memory? Honestly, I don't understand it.

The information about connections is stored in
/proc/net/ip_conntrack. The maximum connections
being tracked are configured in
/proc/sys/net/ipv4/netfilter/ip_conntrack_max.

If you have a lot of connections, you might want
to increase the values (f.e. if you use bittorrent
or similar protocols). Every connection being
tracked needs some RAM.
You could also check if the connections timed
out and then increase the timeout values.

HTH Rolf

--
Tres tristes tigres comen trigo en un trigal: un tigre, dos tigres, tres
tigres.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130409195137.gu26...@vzsze.de
Re: INVALID state and no known connection.
Hi andika.

Another INVALID packet description. I read a lot of
information and I don't know what is the truth. Frankly,
this is the first time I have seen a description that concerns RAM memory.

So, I have 1 GB of RAM memory. Just for example; free -m
command result;
used: 640, free: 230

and top command;
891896k total, 677284k used, 214612k free

As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
So what is the relationship between INVALID packets and RAM
memory? Honestly, I don't understand it.
Re: INVALID state and no known connection.
On Tue, Apr 9, 2013 at 11:18 PM, Daniel Curtis wrote:
> Hi
>
> As we know, iptables INVALID state means that
> the packet is associated with no known connection,
> right? So, if I have a lot of INVALID entries in my
> log files, does it mean that something is wrong?
> Hidden process etc.?
>

Just to be sure: "... INVALID meaning that the packet could not be identified for some reason which includes running out of memory"

Enough free RAM in that box?

--
andika
INVALID state and no known connection.
Hi

As we know, iptables INVALID state means that the packet is associated with no known connection, right? So, if I have a lot of INVALID entries in my log files, does it mean that something is wrong? Hidden process etc.?

An example of logged entries;

t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0
t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0

For example, the lsof -i -n -P command shows only ESTABLISHED connections; nothing strange, nothing more.

Best regards.
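The two log lines in this post, together with Rolf's point about /proc/net/ip_conntrack and ip_conntrack_max (his reply appears earlier on this page), lend themselves to a small parser. The following Python script is an added example and is not code posted by anyone in the thread: it splits iptables LOG output into its key=value fields and bare TCP flag tokens, gives the usual conntrack reading of each INVALID hit (a segment without SYN that matches no tracked connection cannot open one, so a stray RST or a late FIN/ACK after the entry expired is classed INVALID), and summarises a /proc/net/ip_conntrack dump against the configured maximum. The LOG lines are copied from the post; the three conntrack entries are constructed for the example, and 55740 is the maximum Daniel reported later in the thread.

```python
"""Parse iptables LOG lines and /proc/net/ip_conntrack to interpret INVALID hits.

Added example for this thread, not code posted by any list member. The LOG
lines are copied from the original post; the conntrack entries below are
constructed sample data and 55740 is the ip_conntrack_max Daniel reported.
"""
import re
from collections import Counter

# Verbatim LOG lines from the original post, used as sample input.
SAMPLE_LOG = """\
t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0
t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0
"""

# Constructed /proc/net/ip_conntrack entries: proto name, proto number,
# timeout in seconds, TCP state (absent for UDP), then the two tuples.
SAMPLE_CONNTRACK = """\
tcp      6 431998 ESTABLISHED src=192.168.5.200 dst=173.194.70.189 sport=45458 dport=443 src=173.194.70.189 dst=192.168.5.200 sport=443 dport=45458 [ASSURED] mark=0 use=2
tcp      6 117 TIME_WAIT src=192.168.5.200 dst=213.180.146.88 sport=37190 dport=80 src=213.180.146.88 dst=192.168.5.200 sport=80 dport=37190 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.5.200 dst=192.168.5.1 sport=51234 dport=53 src=192.168.5.1 dst=192.168.5.200 sport=53 dport=51234 mark=0 use=2
"""
SAMPLE_CONNTRACK_MAX = 55740  # value from /proc/sys/net/ipv4/netfilter/ip_conntrack_max in the thread

# TCP flag words and DF are printed as bare tokens in LOG output, not as key=value.
BARE_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CWR", "ECE"}
LOG_RE = re.compile(r"\[(?P<prefix>[^\]]*)\]\s+(?P<rest>IN=.*)$")
CT_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)?")


def parse_log_line(line):
    """Split one LOG line into its --log-prefix, key=value fields and bare flags.

    Returns None for lines that are not iptables LOG output.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix").strip(), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value  # empty string for 'OUT=' / 'IN='
        elif token in BARE_TOKENS:
            fields["flags"].append(token)
    return fields


def explain_invalid(fields):
    """Give the usual conntrack reading of a logged INVALID TCP packet, or None.

    Conntrack marks a packet INVALID when it belongs to no tracked connection
    and cannot start one (or, as quoted in the thread, no entry could be
    allocated). Segments without SYN cannot open a connection, so a stray RST
    or a late FIN/ACK arriving after the entry expired is the common case.
    """
    if fields.get("PROTO") != "TCP":
        return None
    flags = set(fields["flags"])
    if "SYN" in flags:
        return None  # a SYN could open a connection; INVALID here needs a closer look
    if "RST" in flags:
        return "stray RST for a connection conntrack no longer tracks"
    if "FIN" in flags:
        return "late FIN/ACK for a connection whose conntrack entry is already gone"
    if "ACK" in flags:
        return "bare ACK with no tracked connection (e.g. entry timed out mid-flow)"
    return None


def summarise_invalid(log_text):
    """Count INVALID hits by log prefix, protocol and flag combination."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and "INVALID" in f["prefix"]:
            counts[(f["prefix"], f.get("PROTO"), " ".join(f["flags"]))] += 1
    return counts


def conntrack_summary(ct_text, maximum):
    """Report table utilisation (Rolf's RAM point) and entries per proto/state."""
    by_state = Counter()
    entries = 0
    for line in ct_text.splitlines():
        m = CT_RE.match(line)
        if not m:
            continue
        entries += 1
        by_state[(m.group("proto"), m.group("state") or "-")] += 1
    return {"entries": entries, "max": maximum,
            "utilisation": entries / maximum, "by_state": dict(by_state)}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f["prefix"], f["SRC"], "->", f["DST"], f["flags"], "|", explain_invalid(f))
    print(summarise_invalid(SAMPLE_LOG))
    print(conntrack_summary(SAMPLE_CONNTRACK, SAMPLE_CONNTRACK_MAX))
```

Run against a real box, the script would read the LOG lines from syslog and the conntrack dump from /proc/net/ip_conntrack (nf_conntrack on newer kernels); here both are embedded so it runs offline. A utilisation far below 1.0, as with 13 entries out of 55740, means the INVALID hits are not a table-full problem.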