On Wed, Sep 16, 2015 at 10:44 AM, Daniel Tryba <d.tryba(a)pocos.nl> wrote:
> You should look at the OS level, the error is from the kernel.
I know, but dmesg, syslog or kernel log don't say anything.
> Are you running out of sockets/files? Is the connection tracker full?
The connection tracking table is monitored and never close to full. How
could I check the sockets/files?
> BTW you accept related and new state, this makes no sense, you could just
> as well have no rules for the OUTPUT chain (which is much better for
> performance).
I know. My old hand-written firewall was much smaller and almost stateless.
But according to our administrators' policy all firewalls should be
generated by FWbuilder, which generates pretty ugly rules, and also
implicitly injects the related rule. (I'm not really happy with that.)
Sebastian