Moritz, thanks for pointing that out. Your suggested 10 minutes seem a bit short, though.
If we keep, say, a browser connection open longer than those 10m, it's supposed to either use keepalive, or an established session will simply be set up for another 10m, right?
Hm... depends on a few factors.
A normal browser session should be closed after the GET has delivered all its data; there is no need to keep the connection established.
E.g. online banking should use keepalive, and not only for this purpose.
And it depends on your other firewall settings (SYN flag, etc.).
I have 500 clients, and nobody has reported any trouble so far.
Won't that create some additional load for a busy server, i.e. something other than this hypothetical browser session?
Hm... there may be some application which needs this, but I have never seen one.
To the maintainer of ip_conntrack_proto_tcp.c (Paul Russell?): Wouldn't it be fair to change TCP_CONNTRACK_ESTABLISHED permanently?
The question is, what would be a good value? Everyone can change this value easily.