Re: ip_conntrack limit && stateless firewalls

On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@xxxxxxxx> wrote:
> I'm having a problem with my firewall where packets are being dropped due
> to the ip_conntrack limit. I could up the limit, but my users need 30k+
> connections simultaneously and with the minimum overhead. And I only have
> 1 firewall box. So I'd like to disable or bypass ip_conntrack somehow to
> avoid dropped packets and reduce overhead. How can I do this, and more
> importantly, would it be helpful?

You can use the NOTRACK target on the traffic that is causing the
problem (which will disable using ip_conntrack on that traffic), or
you can decompile conntrack altogether. The latter would basically
make the firewall stateless. man iptables for more info on using
NOTRACK.

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
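The NOTRACK approach suggested in the reply above, worked through as an added example (this is not code from the thread or from the netfilter project). It assumes the users sit on an inside interface eth1, the outside is eth0, and the 30k+ connections all go to one service port (80); every one of those values is an assumption, as are the interface names. The part people usually forget is the second half: once a flow is untracked it can no longer match --state ESTABLISHED (it matches --state UNTRACKED instead) and it cannot be NATed, so the filter rules for that traffic have to be written statelessly, here with the classic "no bare SYN inbound" check.

```shell
#!/bin/sh
# Added example, not from the thread: take one high-volume service out of
# ip_conntrack with the NOTRACK target, then filter that traffic without
# connection state.  Interface names and the port are assumptions.
#
#   sh notrack.sh          prints the iptables commands (dry run)
#   sh notrack.sh apply    runs them (needs root and iptables)

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"          # assumed outside interface
LAN="${LAN:-eth1}"          # assumed inside interface, where the users are
SVC_PORT="${SVC_PORT:-80}"  # assumed port carrying the 30k+ connections

# The raw table is traversed before conntrack, so a NOTRACK match here means
# no ip_conntrack entry is ever created for the packet.  Both directions of
# the flow must be covered, otherwise the replies are still tracked and the
# table fills up anyway.
notrack_rules() {
    echo "-t raw -A PREROUTING -i $LAN -p tcp --dport $SVC_PORT -j NOTRACK"
    echo "-t raw -A PREROUTING -i $WAN -p tcp --sport $SVC_PORT -j NOTRACK"
}

# Stateless replacement for "-m state --state ESTABLISHED" on that traffic:
# outbound segments to the service are allowed freely; inbound segments from
# the service port are allowed only when they are not a bare SYN, so an
# outside host cannot open a new connection into the LAN simply by sourcing
# it from port 80.  Untracked packets that match neither rule are dropped
# explicitly instead of falling through to the stateful rules behind them.
stateless_filter_rules() {
    echo "-A FORWARD -i $LAN -o $WAN -p tcp --dport $SVC_PORT -j ACCEPT"
    echo "-A FORWARD -i $WAN -o $LAN -p tcp --sport $SVC_PORT ! --syn -j ACCEPT"
    echo "-A FORWARD -m state --state UNTRACKED -j DROP"
}

# Rules are emitted as lines so they can be reviewed before touching a
# production firewall; the raw-table rules come first.
all_rules() {
    notrack_rules
    stateless_filter_rules
}

# Current table pressure, to check whether the change actually helped.  The
# /proc names differ between the old ip_conntrack and the newer nf_conntrack.
conntrack_usage() {
    for f in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${f}_count" ] && [ -r "${f}_max" ]; then
            echo "conntrack entries: $(cat "${f}_count") / $(cat "${f}_max")"
            return 0
        fi
    done
    echo "conntrack not loaded or /proc entries not present"
    return 1
}

if [ "${1:-}" = "apply" ]; then
    all_rules | while read -r rule; do
        # word-splitting $rule into iptables arguments is intended
        $IPT $rule
    done
else
    all_rules | while read -r rule; do
        echo "$IPT $rule"
    done
fi
conntrack_usage || true
```

Put the FORWARD rules above any existing "--state INVALID -j DROP" rule; untracked packets are not INVALID, but a chain that was written assuming every packet has conntrack state tends to drop them by default. If the box also does NAT for that service, NOTRACK is not an option for it and the only route is the one the original poster mentioned: raising ip_conntrack_max (and the conntrack hash size along with it) and accepting the memory cost.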

