On Wed, Sep 16, 2015 at 10:44 AM, Daniel Tryba <d.tryba@pocos.nl> wrote:
You should look at the OS level, the error is from the kernel.

I know, but dmesg, syslog or kernel log don't say anything.
 
Are you running out of sockets/files? Is the connection tracker full?

The connection tracking table is monitored and never close to full. How could I check the sockets/files?
 
BTW you accept related and new state, this makes no sense, you could just as
well have no rules for the OUTPUT chain (which is much better for performance).

I know. My old hand-written firewall was much smaller and almost stateless. But according to our administrators' policy all firewalls should be generated by FWbuilder, which generates pretty ugly rules, and also implicitly injects the related rule. (I'm not really happy with that.)

Sebastian