[Pool] Firewall recommendations for ntp server?

Kiss Gábor kissg at niif.hu
Fri May 8 07:31:42 UTC 2015


> of my eye, mostly < 2000).  Periodically, they will spike to well over 32768
> for minutes at a time.  The default conntrack limit (nf_conntrack_max) for
> 512MB was like 16384, and this was pretty easy to hit.  I've bumped it up to
> 32768 and decreased many timeouts, and there are still several times a day
> where this is reached.  The few times that I was able to tcpdump the
> interface when the connection count was high, I only saw NTP traffic,
> nothing looked like it was a DDOS or hacking (99% being NTP client/server
> packets), so my guess is that something got rebooted and maybe tons of
> devices are all hitting the box at once? Not sure, have been limited in that

iptables(8) writes:
   NOTRACK
       This target disables connection tracking for all packets
       matching that rule.
       It can only be used in the raw table.

What about this?

Cheers

Gabor
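As an added example (not part of the original thread), the raw-table NOTRACK approach Gabor points at, written out as a small script: NTP (UDP/123) is exempted from conntrack in both directions, and because untracked packets never match ESTABLISHED/RELATED, the filter table must then accept them explicitly with the UNTRACKED state. `IPT=echo` previews the commands without root; the `conntrack_usage` check reads the same `nf_conntrack_max` knob the quoted message mentions.

```shell
#!/bin/sh
# Added example: take NTP out of connection tracking with the raw-table
# NOTRACK target, then accept the resulting UNTRACKED packets in a stateful
# filter policy. Set IPT=echo to print the commands instead of running them.
# Newer iptables spell the target "-j CT --notrack" and still accept NOTRACK.

# Rule arguments, one rule per line. Both directions of both flows must be
# exempted: clients querying this server, and this server querying upstream.
ntp_notrack_rules() {
    cat <<'EOF'
-t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
-t raw -A PREROUTING -p udp --sport 123 -j NOTRACK
-t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
-t raw -A OUTPUT -p udp --dport 123 -j NOTRACK
-A INPUT -p udp --dport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -p udp --sport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
EOF
}

# Untracked packets do not match ESTABLISHED/RELATED, so the two INPUT rules
# are what keeps NTP working once tracking is off. Use -I instead of -A if
# INPUT already ends in a DROP rule.
apply_rules() {
    ntp_notrack_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        "${IPT:-iptables}" $rule
    done
}

# Before/after check: live conntrack entries versus the nf_conntrack_max limit.
conntrack_usage() {
    for f in nf_conntrack_count nf_conntrack_max; do
        p="/proc/sys/net/netfilter/$f"
        [ -r "$p" ] && printf '%s=%s\n' "$f" "$(cat "$p")"
    done
    return 0
}

# Number of rules emitted, as a sanity check.
rule_count() {
    ntp_notrack_rules | wc -l | tr -d ' '
}
```

Run `conntrack_usage` before and after `apply_rules` during one of the spikes: the count should stop climbing with NTP load once the raw rules are in place.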

