DNS errors caused by nf_conntrack

Andrew McNabb amcnabb at mcnabbs.org
Thu Mar 26 17:27:16 MDT 2009

On Wed, Mar 25, 2009 at 12:54:03PM -0600, Andrew McNabb wrote:
> I've tried increasing /proc/sys/net/nf_conntrack_max, and I'll see if
> that helps, but the real question is why nf_conntrack is being used at
> all on a machine that isn't a firewall.  If it helps, this is a Fedora
> 10 machine.  I'm curious whether anyone has seen something like this
> before.

I found that the "nf_nat" and "iptable_nat" kernel modules were loaded.
I'm really confused how these got loaded in the first place, since the
"iptables" and "ip6tables" are disabled in chkconfig.  Now that the
modules are unloaded, the packet dropping seems to have stopped.  It's
kind of scary to lose packets randomly.

Andrew McNabb
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
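
Added example, not part of the original post: a small triage script for the situation described in this message. It lists loaded conntrack/NAT modules, computes how full the tracking table is, and counts "table full" drops in a saved kernel log. The function names, the 80% threshold and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: conntrack triage on a host that should not be tracking connections.
# Every function takes file paths so it can run on saved copies or on live /proc.

# Loaded modules that bring in connection tracking or NAT.
conntrack_modules() {  # $1 = file in /proc/modules format
    awk '$1 ~ /^(nf_conntrack|nf_nat|iptable_nat)/ { print $1 }' "$1"
}

# Integer percentage of the conntrack table in use.
conntrack_usage_pct() {  # $1 = nf_conntrack_count file, $2 = nf_conntrack_max file
    count=$(cat "$1") || return 1
    max=$(cat "$2") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Number of table-full drop messages in a saved kernel log.
conntrack_drops() {  # $1 = kernel log file (e.g. output of dmesg)
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# One-word verdict; the 80% threshold is an assumption, not a kernel value.
conntrack_verdict() {  # $1 modules, $2 count, $3 max, $4 kernel log
    mods=$(conntrack_modules "$1")
    pct=$(conntrack_usage_pct "$2" "$3" 2>/dev/null) || pct=0
    drops=$(conntrack_drops "$4"); drops=${drops:-0}
    if [ "$drops" -gt 0 ]; then echo dropping
    elif [ "$pct" -ge 80 ]; then echo near-full
    elif [ -n "$mods" ]; then echo loaded
    else echo absent
    fi
}

# Constructed sample data (not taken from the post) so the script runs offline.
conntrack_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'iptable_nat 10248 0 - Live 0x0' \
        'nf_nat 22548 1 iptable_nat, Live 0x0' > "$d/modules"
    echo 65000 > "$d/count"; echo 65536 > "$d/max"
    echo 'nf_conntrack: table full, dropping packet.' > "$d/klog"
    conntrack_verdict "$d/modules" "$d/count" "$d/max" "$d/klog"
    rm -rf "$d"
}
conntrack_demo
```

On a live system, pass /proc/modules, the nf_conntrack_count and nf_conntrack_max files under /proc/sys/net/netfilter/, and a file holding dmesg output.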
