[Firehol-support] Disable ip_conntrack table

Sim simvirus at gmail.com
Fri Dec 14 15:55:05 CET 2007


Hi!
I have this simple config with 2 ethernet interfaces.
There is no NAT from eth0 to eth1 or from eth1 to eth0, and no rules
between the two ethernet interfaces, but my ip_conntrack shows this:

# cat /proc/net/ip_conntrack | wc -l
18222


I'm afraid for the future! Can I disable the policy between the two
ethernet interfaces and use my Linux box as a router without limits, with
security only for the services running on it?

Thanks!
Sim

################################################################
interface eth0 wan

        # The default policy is DROP. You can be more polite with REJECT.
        policy drop

        protection strong

        # Here are the services listening on eth0.
        server ping accept
        server "http" accept src "x.x.x.x"

        # The following means that this machine can REQUEST anything via eth0.
        client all accept


interface eth1 lan

        # The default policy is DROP. You can be more polite with REJECT.
        policy drop

        # > protection strong

        # Here are the services listening on eth1.
        server ping accept
        server http accept
        server "ssh" accept src "x.y.x.y"

        # The following means that this machine can REQUEST anything via eth1.
        client all accept

############################################################################################

router wan2lan inface eth0 outface eth1

        route all accept


router lan2wan inface eth1 outface eth0

        route all accept
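The worry in the post is whether 18222 tracked connections is "a lot". That only means something relative to the kernel's table limit, so the first thing to check is the count against ip_conntrack_max. The script below is an added example, not code from the post or from FireHOL: it reads the counters from /proc (ip_conntrack_* on 2.6-era kernels, nf_conntrack_* on later ones) and rates the headroom. The 65536 limit used in the comments is a constructed sample value; the real one is whatever the kernel sized the table to on that box.

```shell
#!/bin/sh
# Added example (not from the original post or from FireHOL): measure how
# full the connection-tracking table is before deciding whether forwarded
# traffic needs to be tracked at all.

# conntrack_read NAME
#   Prints the value of the conntrack sysctl NAME ("count" or "max"),
#   trying the newer nf_conntrack_* path first, then the old ip_conntrack_*.
conntrack_read() {
    for f in /proc/sys/net/netfilter/nf_conntrack_"$1" \
             /proc/sys/net/ipv4/ip_conntrack_"$1"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# conntrack_pct COUNT MAX
#   Prints the integer percentage of the table in use.
conntrack_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX [WARN_PCT]
#   Prints ok, warn or full. WARN_PCT defaults to 80: a table that is
#   80% full at a quiet moment will overflow at the next traffic spike,
#   and once it overflows the kernel drops new connections.
conntrack_status() {
    count=$1; max=$2; warn=${3:-80}
    pct=$(conntrack_pct "$count" "$max") || return 3
    if [ "$count" -ge "$max" ]; then
        echo full
        return 2
    elif [ "$pct" -ge "$warn" ]; then
        echo warn
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample: the 18222 entries from the post against a 65536-entry
# table (a typical 2.6 default on a machine with around 1 GB of RAM, used
# here purely as an assumed figure).
printf 'sample: %s\n' "$(conntrack_status 18222 65536)"

# Live check, only if the counters exist on this kernel.
if count=$(conntrack_read count) && max=$(conntrack_read max); then
    printf 'conntrack: %s/%s entries (%s%%) -> %s\n' "$count" "$max" \
        "$(conntrack_pct "$count" "$max")" "$(conntrack_status "$count" "$max")"
fi
```

If the table really is close to its limit, the two honest options are to raise ip_conntrack_max (and the hash size with it) or to stop tracking the pure-router traffic with NOTRACK rules in the raw table on the two interfaces. The second option is not free: FireHOL's router statements match on connection state, so untracked forwarded packets would no longer be accepted by the stateful rules and would need explicit stateless rules instead, which also gives up the protection that state matching provides against spoofed or out-of-sequence packets.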



