> Unless you have a lot of traffic between the dmz and the internal
> network, and assuming 100MB means 100Mbps, and that you have some

Thomas,

The internal network pulls backups from the DMZ. DMZ and Internal network are on a dual 1GB nic (Intel). That works fine since it's pretty much direct router.

> Harald Welte gave a talk once about selecting hardware for netfilter
> firewalls, the notes are available online, maybe it's helpful to you:

We're not really seeing any hardware problems per se, but rather limitations to the number of active connections tracked through netfilter. We've bumped up the value, but as per the original email, I see recommendations that we should also increase the buckets for performance reasons. This is a problem as NF_CONNTRACK_BUCKETS is read only.

So the question is should I just increase the NF_CONNTRACK_MAX to something like 1M since this is a dedicated machine, OR will I run into some other gotcha. Overall everything else runs pretty nicely and we're happy with the performance, we just don't want to lose connections because of a full conntrack.

Gary
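The sizing question in the message above is easier to reason about with numbers in hand: the kernel picks nf_conntrack_max as a small multiple (8 by default) of the hash bucket count, so raising the max to 1M while leaving the buckets alone lengthens every hash chain, which is the performance cost the "increase the buckets" advice refers to. The script below is an added example, not part of the thread and not from the netfilter project: `conntrack_status` takes the current count, the max and the bucket count and reports how full the table is, the worst-case chain length, and the bucket count that would keep the default 8:1 ratio, so the arithmetic can be exercised on constructed numbers; `read_live` pulls the same three values from the standard `/proc/sys/net/netfilter/` files and from `/sys/module/nf_conntrack/parameters/hashsize` (the module parameter exposed on most kernels) when they exist. The 75% and 90% thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: compare the live conntrack table against its limits.
# conntrack_status COUNT MAX BUCKETS
#   prints one line: STATE count=.. max=.. buckets=.. full=..% chain=.. want_buckets=..
#   STATE is OK below 75% full, WARN at 75-89%, CRITICAL at 90% and above
#   (thresholds are assumed values for this example, not kernel defaults).
conntrack_status() {
    count=$1; max=$2; buckets=$3
    pct=$(( count * 100 / max ))            # how full the table is now
    chain=$(( max / buckets ))              # entries per bucket when the table is full
    want=$(( max / 8 ))                     # buckets needed for the kernel's default 8:1 ratio
    if [ "$pct" -ge 90 ]; then state=CRITICAL
    elif [ "$pct" -ge 75 ]; then state=WARN
    else state=OK
    fi
    echo "$state count=$count max=$max buckets=$buckets full=${pct}% chain=$chain want_buckets=$want"
}

# read_live: print "count max buckets" from the running kernel, or fail
# (non-zero exit) if the conntrack module is not loaded on this host.
read_live() {
    nfdir=/proc/sys/net/netfilter
    hs=/sys/module/nf_conntrack/parameters/hashsize
    [ -r "$nfdir/nf_conntrack_count" ] && [ -r "$nfdir/nf_conntrack_max" ] || return 1
    if [ -r "$hs" ]; then b=$(cat "$hs"); else b=$(cat "$nfdir/nf_conntrack_buckets"); fi
    echo "$(cat "$nfdir/nf_conntrack_count") $(cat "$nfdir/nf_conntrack_max") $b"
}

# When run directly (not sourced for testing), report on the live table;
# fall back to constructed sample values so the output format is visible anywhere.
if [ "${0##*/}" = "conntrack_check.sh" ]; then
    if live=$(read_live); then
        # shellcheck disable=SC2086
        conntrack_status $live
    else
        echo "nf_conntrack not loaded; showing constructed sample values:"
        conntrack_status 950000 1000000 16384
    fi
fi
```

Run it from cron or a monitoring agent and alert on WARN/CRITICAL; the `chain` figure is the thing to watch after raising the max, and `want_buckets` is the value to supply as the `hashsize` module parameter (or write to the sysfs file above) so that lookups stay short.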