El vie, 11-02-2005 a las 09:55 -0500, Tobias DiPasquale escribiÃ: > On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@xxxxxxxx> wrote: > > I'm having a problem with my firewall where packets are being dropped due > > to the ip_conntrack limit. I could up the limit, but my users need 30k+ > > connections simultaneously and with the minimum overhead. And I only have > > 1 firewall box. So I'd like to disable or by-pass ip_conntrack some how to > > avoid dropped packets and reduce over head. How can I do this, and more > > importantly, would it be helpful. > > You can use the NOTRACK target on the traffic that is causing the > problem (which will disable using ip_conntrack on that traffic), or > you can decompile conntrack altogether. The latter would basically > make the firewall stateless. man iptables for more info on using > NOTRACK. > I just wanted to note that changing from CONNTRACK enabled rules to stateless rules implies changing all your rules and scripts. Maybe just limiting with NOTRACK the problematic protocols can be enough to solve the problem. And surely more computing power will be useful (CPU and RAM). Regards. -- Jose Maria Lopez Hernandez Director Tecnico de bgSEC jkerouac@xxxxxxxxx bgSEC Seguridad y Consultoria de Sistemas Informaticos http://www.bgsec.com ESPAÃA The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road"
