Yes, I have read the FAQ. I have 512 Mb of RAM and hence the maximum value of /proc/sys/net/ipv4/ip_conntrack_max must be 32768, which is what I have set already. But even this value is not enough for the connections passing through the firewall. It gets maxed out within minutes.

If I increase the value, what negative effect does it have? Can I increase it to, say, 3276800? Hope it does not crash my machine.

On Wednesday 30 October 2002 22:44, Maciej Soltysiak wrote:
> > Now I can see the lines "ip_conntrack : table full, dropping packet" in
> > my kern.log.
>
> Yes, but have you read the FAQ? :) Guess not.
> You need to increase the /proc/net/ip_conntrack_max value, according to
> the FAQ, it gives some reasonable values depending on the RAM you have.
>
> > Does dropping packets mean that it is actually dropping the packets or
> > just truncating the file /proc/net/ip_conntrack, does this affect my
> > client's connections?
>
> Well, it means that the state mechanism has no space to insert a
> conntrack entry, meaning that the --state ESTABLISHED,RELATED works only
> for a limited number of currently tracked connections.
>
> Depending on your setup, it may do different things, but most probably it
> does whatever your POLICY instructs them to do. DROP? Most certainly.
>
> In other words, it means that the --state rule will not match on the
> packet. It will not get accepted by this rule.
>
> Regards,
> Maciej Soltysiak

--
Best regards,
Vicky Shrestha
System Administrator
WorldLink Communications Pvt. Ltd
Jawalakhel, Kathmandu, Nepal.