On 27.10.2013 19:34, Phil Oester wrote:
> If this is a problem for you, then increase nf_conntrack_tcp_timeout_established
> to an insanely high value.

You do realize, of course, that the conntrack table has a finite number of entries. It'll delay the problem, but not fix it. Besides, it'll worsen the situation that established timeout intended to fix - genuinely crashed connections will linger for said insane value.

> Keepalives should be done in the application, not in the firewall.

Why not, actually? It isn't strictly keep-alive in application sense, but rather a way that NAT may use to detect broken connections. It addresses breakage caused by NAT itself, while keep-alives issued by application will address other problems (like physical connection loss), if necessary.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
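The trade-off argued in the message above (a long established timeout keeps idle NAT mappings alive, but every silently crashed flow then occupies a finite conntrack slot for that whole period) can be made concrete with a small model. The code below is an added illustration, not netfilter code and not from the thread; the table model, the tick-based clock, and all parameter values (table size, crash rate, idle gap) are constructed assumptions chosen to show the effect, and the default netfilter timeout (5 days) is deliberately not modelled.

```python
"""Toy model of a NAT conntrack table under different established timeouts.

Constructed illustration (not netfilter code). The table holds at most
`table_max` entries, like nf_conntrack_max. Each tick, `crash_rate` TCP flows
die silently (no FIN/RST ever reaches the NAT box), so their entries stay
until `established_timeout` ticks pass without a packet. One legitimate
long-lived flow sends a packet only every `idle_gap` ticks; if that gap is at
least the timeout, its entry is evicted and the NAT mapping is broken.
"""
from collections import deque


def simulate(established_timeout: int, table_max: int, crash_rate: int,
             idle_gap: int, live_entries: int, ticks: int) -> dict:
    """Run the model for `ticks` ticks and report table pressure and breakage.

    live_entries: background flows that are healthy and always refreshed.
    Returns stale entry count at the end, peak occupancy, whether occupancy
    ever exceeded table_max, and whether the idle flow lost its entry.
    """
    dead = deque()          # last-seen tick of each silently crashed flow
    idle_last_seen = 0      # last packet of the legitimate idle flow
    idle_broken = False
    overflow = False
    peak = 0

    for t in range(1, ticks + 1):
        # Expire entries that have been silent for the full established timeout.
        while dead and t - dead[0] >= established_timeout:
            dead.popleft()

        # The idle flow sends a packet; if its entry already timed out, the
        # NAT has forgotten the mapping and the connection is broken.
        if t % idle_gap == 0:
            if t - idle_last_seen >= established_timeout:
                idle_broken = True
            idle_last_seen = t

        # crash_rate flows die silently this tick; the NAT cannot tell and
        # keeps their entries until the timeout elapses.
        for _ in range(crash_rate):
            dead.append(t)

        occupancy = live_entries + len(dead) + 1   # +1 for the idle flow
        peak = max(peak, occupancy)
        if occupancy > table_max:
            overflow = True   # nf_conntrack_max reached: new flows get dropped

    return {
        "stale_entries": len(dead),
        "peak_occupancy": peak,
        "table_overflow": overflow,
        "idle_flow_broken": idle_broken,
    }


if __name__ == "__main__":
    # Constructed parameters: 1000-entry table, 500 healthy flows, one flow
    # dying silently per tick, an idle flow that talks every 600 ticks.
    for timeout in (300, 3000):
        r = simulate(timeout, table_max=1000, crash_rate=1, idle_gap=600,
                     live_entries=500, ticks=5000)
        print(f"timeout={timeout}: {r}")
```

With the short timeout the idle flow is broken by the NAT but the table stays within bounds; with the timeout raised tenfold the idle flow survives, yet the steady-state number of stale entries (crash_rate multiplied by the timeout) exceeds the table size, which is the "delays the problem, but does not fix it" point. A conntrack-side probe of silent flows would address the first failure without paying for it with the second.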