Hi everyone,

I hope this is an easy question for someone... I upgraded my memory to 1.3 GB and my ip_conntrack_max increased to 65536 (from 16,xxx). Does this seem sufficient for a 50+ network?

I've noticed that ip_conntrack tends to 'hang onto' connections when the remote client terminates abruptly. For example, an incoming ssh connection on which the ssh client is rebooted may stay in ip_conntrack for 15 minutes or more -- I'm watching this now and it's been 20 minutes. The ssh client machine got M$ blue-screen-o-death and my iptables firewall hasn't figured out that the connection is gone.

My question(s) are: Is it normal for conntrack entries to hang around after the remote connection has terminated ungracefully? If so, should the state table be 'cleaned up' periodically (and how is this done)? And, what happens if/when the firewall exceeds the 65536 connection limit?

Thanks to anyone who can enlighten me on this!

Lori
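An added example, not part of the original post: a small parser for the connection-tracking table that reports how full it is relative to ip_conntrack_max and which entries still have a long time left before they expire, such as the lingering ssh connection described above. The sample lines, addresses and the `min_ttl` threshold are constructed for illustration, and the line layout is assumed to be that of `/proc/net/ip_conntrack`.

```python
import re
from collections import Counter

# Constructed sample lines in the /proc/net/ip_conntrack layout (not real traffic).
SAMPLE = """\
tcp      6 430812 ESTABLISHED src=192.0.2.15 dst=198.51.100.1 sport=51234 dport=22 src=198.51.100.1 dst=192.0.2.15 sport=22 dport=51234 [ASSURED] use=1
tcp      6 97 TIME_WAIT src=10.0.0.23 dst=203.0.113.8 sport=40112 dport=80 src=203.0.113.8 dst=198.51.100.1 sport=80 dport=40112 [ASSURED] use=1
udp      17 25 src=10.0.0.40 dst=203.0.113.53 sport=33211 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=33211 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.31 dst=203.0.113.9 sport=49822 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=49822 [ASSURED] use=1
"""

# protocol name, protocol number, seconds until expiry, optional TCP state, tuples
LINE = re.compile(r"^(\S+)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?(.*)$")

def parse_conntrack(text):
    """Parse conntrack table text into one dict per tracked connection."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, ttl, state, rest = m.groups()
        orig = {}
        for key, value in re.findall(r"(\w+)=(\S+)", rest):
            orig.setdefault(key, value)  # first tuple = original direction
        entries.append({"proto": proto, "ttl": int(ttl), "state": state or "-",
                        "src": orig.get("src"), "dst": orig.get("dst"),
                        "dport": orig.get("dport")})
    return entries

def summarize(entries, conntrack_max, min_ttl=3600):
    """Report table usage and entries that will not expire for min_ttl seconds."""
    lingering = sorted((e for e in entries if e["ttl"] >= min_ttl),
                       key=lambda e: e["ttl"], reverse=True)
    return {"count": len(entries),
            "percent_used": round(100.0 * len(entries) / conntrack_max, 3),
            "by_state": Counter(e["state"] for e in entries),
            "lingering": lingering}

if __name__ == "__main__":
    # On the firewall: text = open("/proc/net/ip_conntrack").read()
    # and conntrack_max = int(open("/proc/sys/net/ipv4/ip_conntrack_max").read())
    report = summarize(parse_conntrack(SAMPLE), conntrack_max=65536)
    print(report["count"], "entries,", report["percent_used"], "% of max")
    print(dict(report["by_state"]))
    for e in report["lingering"]:
        print(e["ttl"], e["state"], e["src"], "->", e["dst"], "dport", e["dport"])
```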