public inbox for gentoo-user@lists.gentoo.org
From: Mike Williams <mike@gaima.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Gentoo router: Conntrack table full
Date: Sun, 23 Mar 2008 13:42:54 +0000
Message-ID: <200803231342.54970.mike@gaima.co.uk>
In-Reply-To: <4ef07b8c0803222016g7d3e05a6jf36b317ed1a73e69@mail.gmail.com>

On Sunday 23 March 2008 03:16:16 Dan Cowsill wrote:
> I also understand that its maximum is something on the order of 65000
> simultaneous connections.

That's a significant understatement.
The default limit is based on how much RAM you have, and is set very 
conservatively.
/proc/sys/net/ipv4/netfilter/ip_conntrack_max sets how many connections you 
can track.

You should also drop /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 
significantly. Connections can hang around for weeks, unless properly closed.

On the production linux firewalls I maintain they were happily handling 
~50-60k connections until I dropped ip_conntrack_tcp_timeout_established to 
432000 seconds when the conntrack table dropped to ~30k. I could drop it a 
lot lower, but the machines cope with absolutely no issues.

Personally, I'd drop ip_conntrack_tcp_timeout_established to about a day, or 
even less, as connections won't time out if traffic continues to pass.

-- 
Mike Williams
--
gentoo-user@lists.gentoo.org mailing list

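The tuning described in the message above, worked through as an added example (it is not code from the original post or from anyone in the thread). The post uses the 2008-era net.ipv4.netfilter.ip_conntrack_* sysctl names; the script assumes that on a current kernel the same knobs appear as net.netfilter.nf_conntrack_max, nf_conntrack_count and nf_conntrack_tcp_timeout_established, and falls back to constructed sample numbers when neither family is present so the logic can be exercised off a router. The 1-day timeout follows the post; the table size 262144 is a placeholder, not a recommendation.

```shell
#!/bin/sh
# Added example: inspect conntrack table pressure and emit a sysctl fragment.
# Sysctl names are assumptions for the modern (nf_conntrack) and legacy
# (ip_conntrack) families; nothing here writes to the running kernel.

# Pick whichever sysctl prefix this kernel exposes; prints nothing if neither
# /proc tree exists (non-Linux host, or conntrack module not loaded).
conntrack_prefix() {
    if [ -d /proc/sys/net/netfilter ]; then
        echo net.netfilter.nf_conntrack
    elif [ -d /proc/sys/net/ipv4/netfilter ]; then
        echo net.ipv4.netfilter.ip_conntrack
    fi
}

# Integer percentage of the table in use.  Usage: conntrack_usage_pct COUNT MAX
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# True (exit 0) when usage is at or above PCT percent of the limit.
# Usage: conntrack_near_full COUNT MAX PCT
conntrack_near_full() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "$3" ]
}

# Whole days in SECONDS, for readable reporting of the established timeout.
seconds_to_days() {
    echo $(( $1 / 86400 ))
}

# Print a /etc/sysctl.conf fragment that raises the table limit and shortens
# the established-TCP timeout.  Usage: conntrack_sysctl_fragment PREFIX MAX SECONDS
conntrack_sysctl_fragment() {
    printf '%s_max = %s\n' "$1" "$2"
    printf '%s_tcp_timeout_established = %s\n' "$1" "$3"
}

# Read live values if a conntrack sysctl family is present and readable,
# otherwise use constructed sample values (a table near its default cap).
conntrack_report() {
    prefix=$(conntrack_prefix)
    if [ -n "$prefix" ] && sysctl -n "${prefix}_count" >/dev/null 2>&1; then
        count=$(sysctl -n "${prefix}_count")
        max=$(sysctl -n "${prefix}_max")
        est=$(sysctl -n "${prefix}_tcp_timeout_established")
    else
        prefix=net.netfilter.nf_conntrack   # assumed modern name
        count=61000; max=65536; est=432000 # constructed sample values
    fi
    echo "tracked=$count limit=$max usage=$(conntrack_usage_pct "$count" "$max")%"
    echo "tcp_timeout_established=${est}s ($(seconds_to_days "$est") days)"
    if conntrack_near_full "$count" "$max" 90; then
        echo "WARNING: table at or above 90%; suggested sysctl.conf lines:"
        conntrack_sysctl_fragment "$prefix" 262144 86400
    fi
}

conntrack_report
```

Raising the limit alone lengthens the hash chains; on modern kernels the bucket count is the separate nf_conntrack hashsize module parameter (also visible under /sys/module/nf_conntrack/parameters/), so scale it with the limit. Apply the fragment with sysctl -p after reviewing it; the script only prints it.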


Thread overview: 6+ messages
2008-03-23  3:16 [gentoo-user] Gentoo router: Conntrack table full Dan Cowsill
2008-03-23  3:22 ` Andrey Falko
2008-03-23  3:26   ` Dan Cowsill
2008-03-23  9:23     ` Michal 'vorner' Vaner
2008-03-23 13:42 ` Mike Williams [this message]
2008-03-25  6:13   ` Adam Carter