@starchy@infosec.exchange

Hear what the critics are saying: "O.k., I guess," "I don't get it, this is just some guy's Mastodon account," "It's evidence!"

Techops @eff. Also dumb music, bad ideas, the yoozh, etc. My toots are your own.


jerry, to random

I also ran into a really odd iptables problem... when I meshed in the second app server node using wireguard, my egress filter rule was blocking outbound traffic on both hosts. After some fiddling, out of frustration, I flushed the rules out of iptables on both hosts - so no rules. And... iptables was still blocking the outbound traffic. I ended up having to reboot each host - and once I did that, things worked ok. Has anyone seen iptables go into zombie mode before?

starchy,

@jerry did you maybe hit a netfilter conntrack limit? That's bitten me before when ramping up traffic

starchy,

@jerry iirc bumping the limit hilariously high (into the billions)

starchy,

@jerry Just getting back to this now. Mind you, this was on a less recent Debian version, so ymmv, but I had the line

net.netfilter.nf_conntrack_max = 4000000

in /etc/sysctl.d/netfilter.conf. You can also echo the value to /proc/net/netfilter/nf_conntrack_max if you want to set it without a reboot.

If the values of /proc/net/netfilter/nf_conntrack_count and /proc/net/netfilter/nf_conntrack_max are ever equal, you're in trouble for sure.

Also note this will be under /proc/net/ipv4 or /proc/net/ipv6 on some distros.
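As an added example (not code from starchy's post or from any project mentioned in the thread), here is a small POSIX shell helper that does the two checks the reply describes: compare the live conntrack count against the limit, and look for the kernel's "table full" drop messages in a log. It assumes the sysctl files live at /proc/sys/net/netfilter/nf_conntrack_max and /proc/sys/net/netfilter/nf_conntrack_count (the paths on current kernels; the post notes they vary by distro, so they are overridable via CT_MAX and CT_COUNT), and that the kernel logs the string "nf_conntrack: table full, dropping packet" when the table is exhausted. The dmesg lines in sample_dmesg are constructed for the example.

```shell
#!/bin/sh
# Added example: conntrack headroom check and log scan.
# Assumed sysctl paths (override if your distro differs, as the post notes).
CT_MAX="${CT_MAX:-/proc/sys/net/netfilter/nf_conntrack_max}"
CT_COUNT="${CT_COUNT:-/proc/sys/net/netfilter/nf_conntrack_count}"

# conntrack_headroom COUNT MAX [WARN_PCT]
# Prints the percentage of the table in use.
# Exit status: 0 = below WARN_PCT (default 80), 1 = at/above WARN_PCT,
# 2 = count has reached max, i.e. the "you're in trouble" case.
conntrack_headroom() {
    count="$1"; max="$2"; warn="${3:-80}"
    pct=$(( count * 100 / max ))
    echo "$pct"
    [ "$count" -ge "$max" ] && return 2
    [ "$pct" -ge "$warn" ] && return 1
    return 0
}

# conntrack_live [WARN_PCT]
# Reads the live values from the sysctl files, if they exist on this host.
# Exit status 3 means the files are absent (module not loaded, or not Linux).
conntrack_live() {
    if [ -r "$CT_MAX" ] && [ -r "$CT_COUNT" ]; then
        conntrack_headroom "$(cat "$CT_COUNT")" "$(cat "$CT_MAX")" "$1"
    else
        echo "conntrack sysctls not readable at $CT_COUNT / $CT_MAX" >&2
        return 3
    fi
}

# count_table_full: reads kernel log lines on stdin and prints how many
# report a dropped packet because the conntrack table was full.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample dmesg output (not a real capture).
sample_dmesg() {
    cat <<'EOF'
[12345.678901] nf_conntrack: table full, dropping packet
[12345.679001] nf_conntrack: table full, dropping packet
[12350.000000] wireguard: wg0: Sending handshake initiation to peer 1
EOF
}

# Stand-alone run: live check (if possible), then the sample log scan.
conntrack_live 80 || :
echo "table-full drops in sample log: $(sample_dmesg | count_table_full)"
```

On a real host, pipe `dmesg` (or the kernel log file) into count_table_full instead of sample_dmesg; a non-zero drop count together with conntrack_headroom reporting the count at the max is the signature of the situation the thread describes, and it survives flushing iptables rules because the conntrack table is separate from the rule set.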

jerry, to random

First dose of paxlovid down. At least I probably won’t die now.

starchy,

@jerry 🎉​
