> Another thing I'm interested in is the total number of current
> connections. Does /proc/net/ip_conntrack provide this info? I've
> taken my iptables firewall offline, and I would expect
> /proc/net/ip_conntrack to show very few connections, but it seems to
> still have quite a bit of historical connections left in it.

/proc/net/ip_conntrack lists all the connections the firewall is involved with and all traffic that flows through the firewall. If you've got a lot of active sessions, you may need to filter down the number of entries you are using. Active sessions always use the ESTABLISHED state value, so you may just have a lot of CLOSE_WAITs around. They may be relevant if you have TOO many closed states. When I first applied the tcp_window patches to netfilter, I saw thousands of close_waits.

Ex:

cat /proc/net/ip_conntrack | wc -l
598

cat /proc/net/ip_conntrack | grep ESTABLISHED | wc -l
362

cat /proc/net/ip_conntrack | grep ESTABLISHED | grep dport=25 | wc -l
7

cat /proc/net/ip_conntrack | grep ESTABLISHED | grep dport=80 | wc -l
211
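The filtering shown in the reply, written up as a small script (an added example, not part of the original post): it parses the ip_conntrack line format field by field, so a state or dport is matched only where it actually sits in the entry rather than anywhere on the line, and it runs against a constructed sample file instead of the live /proc/net/ip_conntrack. The function names and sample addresses are my own.

```shell
#!/bin/sh
# Added example: summarise ip_conntrack entries by TCP state and, for
# ESTABLISHED flows, by original-direction dport. The sample below is
# constructed; point the functions at /proc/net/ip_conntrack for real data.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
tcp      6 431998 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431900 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40002 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.0.2.12 dst=198.51.100.25 sport=40003 dport=25 src=198.51.100.25 dst=192.0.2.12 sport=25 dport=40003 [ASSURED] use=1
tcp      6 50 CLOSE_WAIT src=192.0.2.13 dst=198.51.100.5 sport=40004 dport=80 src=198.51.100.5 dst=192.0.2.13 sport=80 dport=40004 [ASSURED] use=1
tcp      6 9 TIME_WAIT src=192.0.2.14 dst=198.51.100.5 sport=40005 dport=443 src=198.51.100.5 dst=192.0.2.14 sport=443 dport=40005 [ASSURED] use=1
udp      17 25 src=192.0.2.15 dst=198.51.100.53 sport=50000 dport=53 src=198.51.100.53 dst=192.0.2.15 sport=53 dport=50000 use=1
EOF
trap 'rm -f "$SAMPLE"' EXIT

# count_state FILE STATE: TCP entries in the given state.
# For tcp lines field 4 is the state; udp lines have no state field.
count_state() {
  awk -v st="$2" '$1 == "tcp" && $4 == st { n++ } END { print n + 0 }' "$1"
}

# count_established_dport FILE PORT: ESTABLISHED TCP flows whose
# original-direction dport (the first dport= on the line) equals PORT.
count_established_dport() {
  awk -v port="$2" '
    $1 == "tcp" && $4 == "ESTABLISHED" {
      for (i = 5; i <= NF; i++)
        if (substr($i, 1, 6) == "dport=") {   # first dport= is original direction
          if (substr($i, 7) == port) n++
          break                               # ignore the reply-direction dport
        }
    }
    END { print n + 0 }' "$1"
}

# state_summary FILE: per-state counts, most common first (spots CLOSE_WAIT pile-ups).
state_summary() {
  awk '$1 == "tcp" { c[$4]++ } END { for (s in c) print c[s], s }' "$1" | sort -rn
}

echo "total entries:        $(wc -l < "$SAMPLE")"
echo "ESTABLISHED:          $(count_state "$SAMPLE" ESTABLISHED)"
echo "ESTABLISHED dport=80: $(count_established_dport "$SAMPLE" 80)"
state_summary "$SAMPLE"
```

On the sample this reports 3 ESTABLISHED entries, 2 of them to dport=80, and the per-state summary shows the single CLOSE_WAIT and TIME_WAIT entries.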