Thursday, February 9, 2012

iptables be liberal cheatsheet

A while ago I posted about how Cisco firewalls can make the state of certain packets look invalid to iptables' connection tracking, which hurts performance because those packets are dropped and have to be retransmitted. This was inspired by a much more interesting post on endpoint.com. Since then I've often had to relax the invalid checks on iptables by writing 1 to the tcp_be_liberal knob (when it is non-zero, conntrack only marks out-of-window RST segments as INVALID instead of every out-of-window segment). The proc path differs between rhel5 and rhel6 because the conntrack module was renamed from ip_conntrack to nf_conntrack:
rhel5 (ip_conntrack):
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

rhel6 (nf_conntrack):
/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

Either file only exists once the conntrack module is loaded, so a setting placed in /etc/sysctl.conf alone can fail to apply at boot if sysctl runs before iptables loads the module; check the value after the firewall is up.
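A small POSIX sh script, added here as an example and not part of the original post, that picks whichever of the two paths exists, writes 1 to it, persists the matching sysctl key in /etc/sysctl.conf without duplicating it on repeated runs, and reads the value back. The function names and the optional root-prefix argument (used to exercise the script against a fake tree instead of the live /proc) are my own conventions, not anything from the post or from RHEL.

```shell
#!/bin/sh
# Added example: set conntrack's tcp_be_liberal on rhel5 (ip_conntrack)
# or rhel6 (nf_conntrack). Function names are hypothetical; the optional
# first argument is a root prefix so the logic can be tested on a fake tree.

# Print the proc path of the tcp_be_liberal knob that exists on this box.
# Checks the rhel6 (nf_conntrack) path first, then the rhel5 (ip_conntrack) one.
# Fails if neither exists, i.e. the conntrack module is not loaded.
find_be_liberal() {
    root="${1:-}"
    for p in \
        /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
        /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal ; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Turn a /proc/sys path into the dotted key that sysctl(8) and
# /etc/sysctl.conf use, e.g. net.netfilter.nf_conntrack_tcp_be_liberal.
proc_to_sysctl_key() {
    printf '%s\n' "${1#/proc/sys/}" | tr / .
}

# Apply the setting now, persist it in sysctl.conf (replacing an existing
# line for the key rather than appending a second one), and print the value
# read back from /proc so the caller can confirm it took effect.
set_be_liberal() {
    root="${1:-}"
    p=$(find_be_liberal "$root") || {
        echo "tcp_be_liberal not found: conntrack module not loaded?" >&2
        return 1
    }
    echo 1 > "$root$p"

    key=$(proc_to_sysctl_key "$p")
    conf="$root/etc/sysctl.conf"
    if grep -q "^$key" "$conf" 2>/dev/null; then
        sed "s|^$key.*|$key = 1|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s = 1\n' "$key" >> "$conf"
    fi

    cat "$root$p"
}

# Run against the live system only when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    set_be_liberal
fi
```

Run it as root with `--apply` on the affected host; the last line of output should be `1`. Because the knob only appears after the conntrack module is loaded, run the script (or re-check the value) after the iptables service is up rather than relying on sysctl.conf alone at boot.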
