| 1 |
On Sunday 23 March 2008 03:16:16 Dan Cowsill wrote: |
| 2 |
> I |
| 3 |
> also understand that its maximum is something on the order of 65000 |
| 4 |
> simultaneous connections. |
| 5 |
|
| 6 |
That's a significant understatement. |
| 7 |
The default limit is based on how much RAM you have, and is set very |
| 8 |
conservatively. |
| 9 |
/proc/sys/net/ipv4/netfilter/ip_conntrack_max sets how many connections you |
| 10 |
can track. |
| 11 |
|
| 12 |
You should also |
| 13 |
drop /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established |
| 14 |
significantly. Connections can hang around for weeks, unless properly closed. |
| 15 |
|
| 16 |
On the production linux firewalls I maintain they were happily handling |
| 17 |
~50-60k connections until I dropped ip_conntrack_tcp_timeout_established to |
| 18 |
432000 seconds when the conntrack table dropped to ~30k. I could drop it a |
| 19 |
lot lower, but the machines cope with absolutely no issues. |
| 20 |
|
| 21 |
Personally, I'd drop ip_conntrack_tcp_timeout_established to about a day, or |
| 22 |
even less, as connections won't time out if traffic continues to pass. |
| 23 |
|
| 24 |
-- |
| 25 |
Mike Williams |
| 26 |
-- |
| 27 |
gentoo-user@l.g.o mailing list |
Archives