Re: nf_conntrack_max

On 09/02/2016 02:27 AM, André Paulsberg-Csibi (IBM Consultant) wrote:

In the meantime there are no real issues increasing the connection table while you figure that out,
and you can also GLOBALLY fix the UDP timeouts if you so desire, as most likely these can be lowered significantly from
the defaults. Here you can see one example from a smaller FW than yours (but still applicable):

zotac:~ # grep netfilter /etc/sysctl.conf
net.netfilter.nf_conntrack_max = 10000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 40
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 40
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 40
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_udp_timeout = 10

Global timeouts that short can cause other trouble though. See RFC4787 Section 4.3 and RFC5382 Section 5. Outside of reducing the timeout only for DNS, the best choice is probably just increasing the maximum number of conntrack entries (and buying more memory if necessary).
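Added example, not from the thread: a small Python checker that parses the sysctl lines quoted above and flags any timeout below the floors set by RFC 4787 Section 4.3 (REQ-5, UDP mapping timer not under 2 minutes) and RFC 5382 Section 5 (REQ-5, TCP established not under 2 hours 4 minutes, transitory states not under 4 minutes). The RFC_FLOORS table and the helper names are my own; the embedded config is the one posted in the thread.

```python
"""Check posted conntrack timeouts against the RFC floors cited in the reply.

Example code added to the thread, not the poster's own configuration tool.
"""

# The sysctl lines quoted in the thread, embedded so the script runs offline.
POSTED_SYSCTL = """\
net.netfilter.nf_conntrack_max = 10000
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 40
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 40
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 40
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_udp_timeout = 10
"""

# Minimum idle timeouts (seconds) a NAT / stateful firewall must honour.
# Assumption: conntrack states map onto the RFC categories as commented.
RFC_FLOORS = {
    "net.netfilter.nf_conntrack_udp_timeout": 120,                # RFC 4787 4.3 REQ-5
    "net.netfilter.nf_conntrack_udp_timeout_stream": 120,         # same requirement
    "net.netfilter.nf_conntrack_tcp_timeout_established": 7440,   # RFC 5382 5 REQ-5
    "net.netfilter.nf_conntrack_tcp_timeout_syn_sent": 240,       # transitory (partially open)
    "net.netfilter.nf_conntrack_tcp_timeout_syn_recv": 240,       # transitory (partially open)
    "net.netfilter.nf_conntrack_tcp_timeout_fin_wait": 240,       # transitory (closing)
    "net.netfilter.nf_conntrack_tcp_timeout_close_wait": 240,     # transitory (closing)
}


def parse_sysctl(text):
    """Parse 'key = value' lines as found in /etc/sysctl.conf; skip comments/blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value)
    return settings


def check_timeouts(settings):
    """Return {key: (configured, floor)} for every timeout below its RFC floor."""
    return {key: (settings[key], floor) for key, floor in RFC_FLOORS.items()
            if key in settings and settings[key] < floor}


def table_usage(count, maximum):
    """Fraction of nf_conntrack_max in use; at 1.0 new flows start being dropped."""
    return count / maximum


if __name__ == "__main__":
    for key, (have, floor) in sorted(check_timeouts(parse_sysctl(POSTED_SYSCTL)).items()):
        print(f"{key}: {have}s is below the RFC floor of {floor}s")
```

Run against the posted config every timeout except tcp_timeout_time_wait is reported, which is the concrete form of the "other trouble" the reply warns about: long-lived idle UDP and TCP sessions behind the firewall get their state evicted early.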