Package: arno-iptables-firewall
Version: 2.1.1-6
Severity: normal
Tags: upstream
Control: forwarded -1 https://github.com/arno-iptables-firewall/aif/issues/88
Reason seems to be this change to the kernel:
linux (5.19.11-1) unstable; urgency=medium
[...]
- netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
[...]
In https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.7 I found
commit 7d4bfe34b9cbb0395cb9508fa64324d4a1379e00
Author: Geert Uytterhoeven <ge...@linux-m68k.org>
Date: Mon Aug 15 12:39:20 2022 +0200
netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
[ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]
NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09 ("netfilter: provide config option to disable ancient procfs parts") in v3.3.
Excerpt from the logs of my personal machine:
[...]
Okt 30 09:49:12 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: -------------------------------------------------------------------------------
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Platform: Linux 5.19.0-2-amd64 x86_64
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Netfilter iptables version: 1.8.8
Okt 30 09:49:12 e580sg firewall[2412]: ** Starting Arno's Iptables Firewall(AIF) v2.1.1 **
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Checking/probing Iptables modules:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module nf_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_limit.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_state.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_multiport.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6table_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ipt_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ip6t_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_LOG.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module xt_TCPMSS.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module iptable_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module nf_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Loaded kernel module ipt_MASQUERADE.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Module check done...
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Configuring general kernel parameters:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_helper = 0
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the max. amount of simultaneous connections to 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.nf_conntrack_max = 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: net.netfilter.nf_conntrack_acct = 1
[...]
Okt 30 10:02:54 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: -------------------------------------------------------------------------------
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Platform: Linux 6.0.0-2-amd64 x86_64
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Netfilter iptables version: 1.8.8
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Checking/probing Iptables modules:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module nf_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_limit.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_state.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_multiport.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6table_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ipt_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ip6t_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_LOG.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module xt_TCPMSS.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module iptable_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module nf_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Loaded kernel module ipt_MASQUERADE.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Module check done...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Configuring general kernel parameters:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Conntrack legacy automatic helper assignment is ENABLED
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the max. amount of simultaneous connections to 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.nf_conntrack_max = 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: net.netfilter.nf_conntrack_acct = 1
[...]
Output of "sysctl -a | grep conntrack":
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_buckets = 262144
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 52
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 2
net.netfilter.nf_conntrack_expect_max = 4096
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_gre_timeout = 30
net.netfilter.nf_conntrack_gre_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.nf_conntrack_max = 16384
At least nf_conntrack_helper is missing.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages arno-iptables-firewall depends on:
ii debconf [debconf-2.0] 1.5.82
ii gawk 1:5.1.0-1
ii iproute2 6.1.0-1
ii iptables 1.8.9-2
ii kmod 30+20221128-1
ii procps 2:4.0.2-3
Versions of packages arno-iptables-firewall recommends:
ii bind9-dnsutils [dnsutils] 1:9.18.11-2
ii curl 7.87.0-2
ii dnsutils 1:9.18.11-2
ii rsyslog 8.2212.0-1
Versions of packages arno-iptables-firewall suggests:
pn rpcbind <none>
-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]
-- debconf information excluded
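One way a firewall start-up script can detect that a kernel no longer provides a conntrack sysctl, instead of treating the failed write as the legacy helper assignment being enabled. This is an added example, not code from the bug report or from AIF; the sample dump is constructed from the sysctl output quoted above, the key list is taken from the journal excerpt, and the helper functions are hypothetical:

```shell
#!/bin/sh
# Added example (not part of the bug report or of AIF): check which conntrack
# sysctls a firewall expects are actually present before trying to set them.

# Constructed sample dump, abridged from "sysctl -a | grep conntrack" above.
SAMPLE_DUMP='net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_udp_timeout = 60
net.nf_conntrack_max = 16384'

# Keys the firewall tries to tune, as seen in the journal excerpt.
WANTED_KEYS='net.netfilter.nf_conntrack_helper net.nf_conntrack_max net.netfilter.nf_conntrack_udp_timeout net.netfilter.nf_conntrack_acct'

# missing_sysctl_keys DUMP KEYS: print every key in KEYS that has no
# "key = value" line in DUMP, one per line.
missing_sysctl_keys() {
  dump=$1
  for key in $2; do
    # Anchor on "key = " so nf_conntrack_max does not match a longer key.
    if ! printf '%s\n' "$dump" | grep -q "^${key} = "; then
      printf '%s\n' "$key"
    fi
  done
}

# sysctl_key_available KEY: succeed only if the kernel exposes the key under
# /proc/sys. Checking the path, not the exit status of sysctl -w, keeps a
# permission or read-only error distinct from a key that does not exist.
sysctl_key_available() {
  [ -e "/proc/sys/$(printf '%s' "$1" | tr . /)" ]
}

# set_sysctl_if_present KEY VALUE: set the key, or log that this kernel
# does not provide it (returns 1 so the caller can decide what to report).
set_sysctl_if_present() {
  if sysctl_key_available "$1"; then
    sysctl -q -w "$1=$2"
  else
    echo "sysctl $1 not provided by this kernel; skipping" >&2
    return 1
  fi
}

# Stand-alone run: list the keys absent from the constructed dump.
missing_sysctl_keys "$SAMPLE_DUMP" "$WANTED_KEYS"
```

On the dump above only net.netfilter.nf_conntrack_helper is reported as missing, which is the condition the report describes; a script using set_sysctl_if_present would log the key as unavailable rather than printing "ENABLED".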