Gary W. Smith wrote:
I'm looking for some firewall tweaking advice. We have a dedicated firewall which ran out of conntrack slots recently. We had already tweaked the number max_conntracks to 131072. That box was an RHEL 4 box. We are building a new firewall, based on 2.6.22. Reading some older docs, they mention that if you can, set conntrack_buckets to the same as conntrack_max, if memory permits. This box has plenty: 512 MB. In the sample reference doc, it says that you can do about 1048576 at a cost of about 300 MB of RAM. This is fine. Since this is a dedicated firewall box, with only ssh, cron, smartd and sysstat running on it, what would you recommend the settings to be? And what is the best way to set these (/etc/sysctl.conf)? Playing around I found that I can set nf_conntrack_max to the value, but when I set nf_conntrack_buckets to the same I get permission denied. nf_conntrack_buckets is set to 4096, which, if I read the documentation correctly, would slow down the linked list parsing as it would have to refer to the conntrack list more often.
You missed some important information. How many machines are behind this firewall? Are they client machines or are they servers? Are we talking of lots of machines that generate low traffic, or are we talking of some machines that generate LOTS of traffic?
Please tell us about your network scenario.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT email it: gertrudes@xxxxxxxxxxxxxx
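The questions above are about sizing, but the mechanics behind Gary's "permission denied" are worth spelling out. On 2.6-era kernels net.netfilter.nf_conntrack_max is writable through sysctl, while nf_conntrack_buckets is read-only there; the hash size is set instead through the nf_conntrack module parameter hashsize (as a modprobe option, or at runtime via /sys/module/nf_conntrack/parameters/hashsize). The following helper script is an added example, not code from either poster. It assumes that module-parameter path, derives its per-entry memory figure (~300 bytes) from the "1048576 entries for about 300 MB" number quoted in the thread, and assumes a 4-byte hash head per bucket (32-bit kernel); the file locations are overridable so the functions can be exercised against sample files.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for sizing and monitoring the
# conntrack table on a 2.6-era kernel. Assumptions: nf_conntrack_max is set via
# sysctl, the bucket count via the module parameter "hashsize" (the sysctl
# nf_conntrack_buckets is read-only on this kernel), ~300 bytes per entry as
# implied by the thread's figures, and 4 bytes per hash bucket head.
NF_DIR="${NF_DIR:-/proc/sys/net/netfilter}"
HASHSIZE_FILE="${HASHSIZE_FILE:-/sys/module/nf_conntrack/parameters/hashsize}"

# Integer percentage of the conntrack table currently in use. Exhaustion is
# logged by the kernel as "nf_conntrack: table full, dropping packet"; polling
# this value from cron and alerting at, say, 80% gives warning before that.
conntrack_usage_pct() {
    count=$(cat "$NF_DIR/nf_conntrack_count")
    max=$(cat "$NF_DIR/nf_conntrack_max")
    echo $(( count * 100 / max ))
}

# Smallest power of two >= the requested entry count. The kernel rounds
# hashsize to a power of two anyway, so this is the bucket count to request
# when following the "buckets = max" guidance from the docs Gary mentions.
buckets_for_max() {
    b=1
    while [ "$b" -lt "$1" ]; do b=$(( b * 2 )); done
    echo "$b"
}

# Rough memory estimate in MB for "max" entries plus the hash heads
# (assumption: ~300 bytes/entry, 4 bytes/bucket, integer arithmetic).
conntrack_mem_mb() {
    max=$1
    buckets=$(buckets_for_max "$max")
    echo $(( (max * 300 + buckets * 4) / 1048576 ))
}

# Persistent configuration for a given max: the max belongs in
# /etc/sysctl.conf, the hash size in the module options so it is applied
# when nf_conntrack loads (the sysctl knob cannot set it on this kernel).
conntrack_config() {
    max=$1
    printf '# /etc/sysctl.conf\nnet.netfilter.nf_conntrack_max = %s\n' "$max"
    printf '# /etc/modprobe.conf\noptions nf_conntrack hashsize=%s\n' \
        "$(buckets_for_max "$max")"
}

# Runtime application (needs root): max via sysctl, hashsize written to the
# module parameter, which the kernel accepts even though the sysctl view of
# the bucket count is read-only.
conntrack_apply() {
    max=$1
    sysctl -w "net.netfilter.nf_conntrack_max=$max"
    echo "$(buckets_for_max "$max")" > "$HASHSIZE_FILE"
}

# Usage: ./conntrack-tune.sh --check   (prints current table utilisation)
if [ "${1:-}" = "--check" ]; then
    echo "conntrack table $(conntrack_usage_pct)% full"
    echo "config for 1048576 entries (~$(conntrack_mem_mb 1048576) MB):"
    conntrack_config 1048576
fi
```

Before raising the limits, it is worth knowing whether the old box actually hit its ceiling because of legitimate connection volume or because of long-lived stale entries; comparing conntrack_usage_pct over time against the timeout sysctls (for example nf_conntrack_tcp_timeout_established) answers that, and a smaller max with tighter timeouts can be a better fit than simply buying the full 300 MB table.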