ip_conntrack garbage

Yesterday I ran an nmap portscan on our internal network
from our Linux router/firewall (FC4 kernel 2.6.14-1.1653).

Today I was looking in /proc/net/ip_conntrack and see one
[UNREPLIED] entry for each unsuccessful probe (i.e. one per
internal unallocated IP address) in the table.

Aren't these supposed to go away after a while? They've been
in the conntrack table now for about 22 hours.

Is this a bug? If they don't go away, will my conntrack table
eventually fill up?

Can I change the timeout value or flush the conntrack table
to clean up the stale entries?

TIA

Jim Garrison
(E-Mail Removed)

On Tue, 27 Dec 2005 14:24:55 -0600, Jim Garrison <(E-Mail Removed)> wrote:

>Yesterday I ran an nmap portscan on our internal network
>from our Linux router/firewall (FC4 kernel 2.6.14-1.1653).
>
>Today I was looking in /proc/net/ip_conntrack and see one
>[UNREPLIED] entry for each unsuccessful probe (i.e. one per
>internal unallocated IP address) in the table.
>
>Aren't these supposed to go away after a while? They've been
>in the conntrack table now for about 22 hours.

That's okay, just over four days to go ;-)
>
>Is this a bug? If they don't go away, will my conntrack table
>eventually fill up?
No. Yes.
>
>Can I change the timeout value or flush the conntrack table
>to clean up the stale entries?

Why bother, the stale entries will be reused when required.

Grant.

Grant wrote:
>>Aren't these supposed to go away after a while? They've been
>>in the conntrack table now for about 22 hours.
>
> That's okay, just over four days to go ;-)

So [UNREPLIED] is considered equivalent to [ESTABLISHED]
and uses the ip_conntrack_tcp_timeout_established timer?

Just curious, but why isn't the syn_sent timeout (120 sec)
used?

"Jim Garrison" <(E-Mail Removed)> wrote in message
news:44qdnRnOHZQeNCzeRVn-(E-Mail Removed)...

> Grant wrote:

>>>Aren't these supposed to go away after a while? They've been
>>>in the conntrack table now for about 22 hours.

>> That's okay, just over four days to go ;-)

> So [UNREPLIED] is considered equivalent to [ESTABLISHED]
> and uses the ip_conntrack_tcp_timeout_established timer?

> Just curious, but why isn't the syn_sent timeout (120 sec)
> used?

It is totally reasonable for a reply to come more than 2 minutes after
the original packet.

DS

On Tue, 27 Dec 2005 14:52:16 -0600, Jim Garrison <(E-Mail Removed)> wrote:

>
>
>Grant wrote:
>>>Aren't these supposed to go away after a while? They've been
>>>in the conntrack table now for about 22 hours.
>>
>> That's okay, just over four days to go ;-)
>
>So [UNREPLIED] is considered equivalent to [ESTABLISHED]
>and uses the ip_conntrack_tcp_timeout_established timer?

Dunno, is the timeout field showing that? I suspect the entry
stays until the 'slot' is required, as this is event driven code.

No reply == nothing to clear the entry, been a while since I
watched conntrack in action.

Grant.

David Schwartz wrote:
> "Jim Garrison" <(E-Mail Removed)> wrote in message
> news:44qdnRnOHZQeNCzeRVn-(E-Mail Removed)...
>
>
>>Grant wrote:
>
>
>>>>Aren't these supposed to go away after a while? They've been
>>>>in the conntrack table now for about 22 hours.
>
>
>>>That's okay, just over four days to go ;-)
>
>
>>So [UNREPLIED] is considered equivalent to [ESTABLISHED]
>>and uses the ip_conntrack_tcp_timeout_established timer?
>
>
>>Just curious, but why isn't the syn_sent timeout (120 sec)
>>used?
>
>
> It is totally reasonable for a reply to come more than 2 minutes after
> the original packet.
>
> DS
>
>

FYI if it is important enough to you it can be changed in the kernel
source code. I'm unaware of a better solution.

I prefer 2 hours for unreplied established connections. This helps
against ACK attacks and the like. For most servers its no big deal, for
a firewall it might be.

The default is 5 days I believe. Near as I can tell you have to reboot
to clear it.

Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
www.paisleysystems.com

Jim Garrison wrote:
> Yesterday I ran an nmap portscan on our internal network
> from our Linux router/firewall (FC4 kernel 2.6.14-1.1653).
>
> Today I was looking in /proc/net/ip_conntrack and see one
> [UNREPLIED] entry for each unsuccessful probe (i.e. one per
> internal unallocated IP address) in the table.
>
> Aren't these supposed to go away after a while? They've been
> in the conntrack table now for about 22 hours.
>
> Is this a bug? If they don't go away, will my conntrack table
> eventually fill up?
>
> Can I change the timeout value or flush the conntrack table
> to clean up the stale entries?
>
> TIA
>
> Jim Garrison
> (E-Mail Removed)

Jim,

One more thing I forgot in my reply...

It may fill up, but probably not. You can adjust it in

/etc/sysctl.conf

net.ipv4.ip_conntrack_max =

Scott R. Haven
Sr. Systems Engineer
Paisley Systems Inc.
www.paisleysystems.com