RE: [CentOS] iptables starts blocking outbound http traffic

2008-11-12 Thread Neil Aggarwal
Filipe: One of my servers stopped responding again. This time, it was one of those which was not using ESTABLISHED. I am now convinced the problem is not in the firewall. It must be somewhere in Apache, Tomcat, or my application code (Most likely). I think I was seeing the firewall logs after

Re: [CentOS] iptables starts blocking outbound http traffic

2008-11-12 Thread Filipe Brandenburger
Hi, On Wed, Nov 12, 2008 at 12:44, Neil Aggarwal [EMAIL PROTECTED] wrote: Sorry for the red herring. No problem. I am now convinced the problem is not in the firewall. It must be somewhere in Apache, Tomcat, or my application code (Most likely). I think I was seeing the firewall logs

RE: [CentOS] iptables starts blocking outbound http traffic

2008-11-11 Thread Neil Aggarwal
Filipe: I changed the firewall rules on the server that had stopped responding to not use ESTABLISHED. Now, one of the servers that was still using ESTABLISHED stopped responding. I am seeing logs like this in the syslog: OUTPUT IN= OUT=eth0 SRC=[myIP] DST=[otherIP] LEN=52 TOS=0x00 PREC=0x00

[CentOS] iptables starts blocking outbound http traffic

2008-11-06 Thread Neil Aggarwal
Hello: I have a machine running CentOS 5 x86_64. It is running apache httpd and tomcat. For some reason, after running for a few days, web requests stop responding. It happened again this morning. I check the syslog and see a HUGE number of logs like this: OUTPUT IN= OUT=eth0 SRC=[MyIP]

RE: [CentOS] iptables starts blocking outbound http traffic

2008-11-06 Thread Neil Aggarwal
Filipe: Thanks for the information. If I do: cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max on each of my servers, they all report 65536 which seems like a pretty high limit. If I do: cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count on each of my servers, the highest number is just over

Re: [CentOS] iptables starts blocking outbound http traffic

2008-11-06 Thread Kai Schaetzl
Neil Aggarwal wrote on Thu, 6 Nov 2008 08:33:59 -0600: /sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT Why do you try to filter outbound connections at all? If something makes it on your machine the first thing they will do

RE: [CentOS] iptables starts blocking outbound http traffic

2008-11-06 Thread Joseph L. Casale
Why do you try to filter outbound connections at all? If something makes it on your machine the first thing they will do is drop your rules. You imply the *only* reason for outbound filtering is to stop a hacker. In some environments it serves as an additional layer of protection against other

Re: [CentOS] iptables starts blocking outbound http traffic

2008-11-06 Thread Filipe Brandenburger
Hi, On Thu, Nov 6, 2008 at 10:42, Neil Aggarwal [EMAIL PROTECTED] wrote: If this is the source of the problem, how would restarting httpd and tomcat help? I did not restart the machine nor reset iptables. Because this might potentially close several connections and free slots in the