From: Mike Williams <mike@gaima.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Gentoo router: Conntrack table full
Date: Sun, 23 Mar 2008 13:42:54 +0000
In-Reply-To: <4ef07b8c0803222016g7d3e05a6jf36b317ed1a73e69@mail.gmail.com>
Message-Id: <200803231342.54970.mike@gaima.co.uk>

On Sunday 23 March 2008 03:16:16 Dan Cowsill wrote:
> I also understand that its maximum is something on the order of
> 65000 simultaneous connections.

That's a significant understatement. The default limit is based on how much RAM you have, and is set very conservatively.

/proc/sys/net/ipv4/netfilter/ip_conntrack_max sets how many connections you can track.

You should also drop /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established significantly. Connections can hang around for weeks, unless properly closed.

On the production Linux firewalls I maintain they were happily handling ~50-60k connections until I dropped ip_conntrack_tcp_timeout_established to 432000 seconds, when the conntrack table dropped to ~30k. I could drop it a lot lower, but the machines cope with absolutely no issues.

Personally, I'd drop ip_conntrack_tcp_timeout_established to about a day, or even less, as connections won't time out if traffic continues to pass.

-- 
Mike Williams
-- 
gentoo-user@lists.gentoo.org mailing list
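As an added example (not from the original mail or the Gentoo project), the shell functions below read the conntrack count, limit and established-TCP timeout from /proc, trying the current nf_conntrack names first and then the legacy ip_conntrack names this mail uses, and grade how full the table is. The 70% and 90% thresholds in conntrack_state are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: report conntrack table usage on a Linux router.
# Paths: current nf_conntrack sysctls first, legacy ip_conntrack names second.

# Print the contents of the first readable file among the arguments.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the table in use: conntrack_pct COUNT MAX
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Grade usage: "ok" below 70%, "warn" below 90%, otherwise "critical".
# The thresholds are an assumption for this example, not from the mail.
conntrack_state() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -lt 70 ]; then echo ok
    elif [ "$pct" -lt 90 ]; then echo warn
    else echo critical
    fi
}

# Read live values from /proc and print a one-line report.
conntrack_report() {
    count=$(read_first /proc/sys/net/netfilter/nf_conntrack_count \
                       /proc/sys/net/ipv4/netfilter/ip_conntrack_count) || return 1
    max=$(read_first /proc/sys/net/netfilter/nf_conntrack_max \
                     /proc/sys/net/ipv4/netfilter/ip_conntrack_max) || return 1
    est=$(read_first /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
                     /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established)
    printf 'conntrack: %s/%s entries (%s%%, %s), tcp_timeout_established=%ss\n' \
        "$count" "$max" "$(conntrack_pct "$count" "$max")" \
        "$(conntrack_state "$count" "$max")" "${est:-unknown}"
}
```

Run conntrack_report as root on the router; a "warn" or "critical" grade alongside a multi-day timeout is the situation the mail describes, where lowering net.netfilter.nf_conntrack_tcp_timeout_established (or raising net.netfilter.nf_conntrack_max) is the fix.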