public inbox for gentoo-user@lists.gentoo.org
* Re: [gentoo-user] Gentoo router: Conntrack table full
From: Mike Williams @ 2008-03-23 13:42 UTC
  To: gentoo-user

On Sunday 23 March 2008 03:16:16 Dan Cowsill wrote:
> I also understand that its maximum is something on the order of 65000
> simultaneous connections.

That's a significant understatement.
The default limit is based on how much RAM you have, and is set very 
conservatively.
/proc/sys/net/ipv4/netfilter/ip_conntrack_max sets how many connections you 
can track.

You should also 
drop /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 
significantly. Connections can hang around for weeks, unless properly closed.

On the production linux firewalls I maintain they were happily handling 
~50-60k connections until I dropped ip_conntrack_tcp_timeout_established to 
432000 seconds when the conntrack table dropped to ~30k. I could drop it a 
lot lower, but the machines cope with absolutely no issues.

Personally, I'd drop ip_conntrack_tcp_timeout_established to about a day, or 
even less, as connections won't time out if traffic continues to pass.

-- 
Mike Williams
--
gentoo-user@lists.gentoo.org mailing list
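The tuning Mike describes amounts to two checks: how close the conntrack table is to ip_conntrack_max (when it fills, netfilter drops new flows, which is the outage Dan hit and an easy denial-of-service against a stateful firewall), and how long dead TCP sessions are allowed to occupy slots. The script below is an added example, not code from the thread or from Gentoo. It defaults to the sysctl names current kernels expose under /proc/sys/net/netfilter (nf_conntrack_count, nf_conntrack_max, nf_conntrack_tcp_timeout_established); the ip_conntrack_* names used in the mail live under /proc/sys/net/ipv4/netfilter on kernels of that era and can be selected with the two environment variables. The function names, the 60-second floor and the percentage threshold are choices made here for illustration.

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread): report conntrack table
# headroom and lower the established-TCP timeout. CONNTRACK_DIR and
# CONNTRACK_PREFIX are assumed knobs introduced here; point them at
# /proc/sys/net/ipv4/netfilter and ip_conntrack for the old names, or at a
# scratch directory holding fake files to dry-run the logic as non-root.
CONNTRACK_DIR="${CONNTRACK_DIR:-/proc/sys/net/netfilter}"
CONNTRACK_PREFIX="${CONNTRACK_PREFIX:-nf_conntrack}"

# Print the percentage of the conntrack table currently in use (integer).
# Arguments: dir prefix
conntrack_percent() {
    dir=$1 prefix=$2
    count=$(cat "$dir/${prefix}_count") || return 1
    max=$(cat "$dir/${prefix}_max") || return 1
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    echo $(( count * 100 / max ))
}

# Succeed while usage is below the threshold percentage, fail otherwise, so a
# cron job or monitor can alert before the kernel starts logging
# "nf_conntrack: table full, dropping packet".
# Arguments: dir prefix threshold_percent
conntrack_headroom_ok() {
    pct=$(conntrack_percent "$1" "$2") || return 1
    [ "$pct" -lt "$3" ]
}

# Write a new tcp_timeout_established value in seconds. Refuses non-numeric
# input and values under 60 s (an arbitrary floor chosen here), since a very
# short timeout evicts state under idle-but-live connections.
# Arguments: dir prefix seconds
set_established_timeout() {
    dir=$1 prefix=$2 secs=$3
    case $secs in ''|*[!0-9]*) return 1 ;; esac
    [ "$secs" -ge 60 ] || return 1
    echo "$secs" > "$dir/${prefix}_tcp_timeout_established"
}

# CLI:  ./conntrack_tune.sh check
#       ./conntrack_tune.sh apply [seconds]   (default 86400, the one-day
#                                              value suggested in the thread)
case ${1:-} in
    check)
        pct=$(conntrack_percent "$CONNTRACK_DIR" "$CONNTRACK_PREFIX") || exit 1
        echo "conntrack table ${pct}% full"
        ;;
    apply)
        set_established_timeout "$CONNTRACK_DIR" "$CONNTRACK_PREFIX" "${2:-86400}" || exit 1
        ;;
esac
```

Writes to /proc/sys need root and are lost at reboot; persist the value through /etc/sysctl.conf (net.netfilter.nf_conntrack_tcp_timeout_established on current kernels). The kernel default for that timeout is 432000 seconds, five days, which is why entries for connections that died without a FIN or RST linger as Mike describes. Raising nf_conntrack_max instead costs roughly a few hundred bytes of kernel memory per entry and should be matched with a larger hash table (nf_conntrack_buckets), so shortening the timeout is the cheaper first step.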




2008-03-23  3:16     [gentoo-user] Gentoo router: Conntrack table full Dan Cowsill
2008-03-23 13:42 99% ` Mike Williams
