** Reply to message from Jeff Stillwall [EMAIL PROTECTED] on Thu, 19 Dec 2002 02:52:37 -0500

I have to thank everyone again for helping me with my IPTables question last week...
This is sort of a 'second-part'. The firewall that I set up serves about 350 people. It gets pretty hammered.

On Thu, Dec 19, 2002 at 12:52:50AM -0800, Jack Bowling wrote:
** Reply to message from Jeff Stillwall [EMAIL PROTECTED] on Thu, 19 Dec 2002 02:52:37 -0500
Is there anything I can or must do to optimize this box for routing and firewall activities? Some kernel level connection table

On 12/19/02 3:52 AM, Jack Bowling [EMAIL PROTECTED] tapped the keys:
What is your ip conntrack limit?
cat /proc/sys/net/ipv4/ip_conntrack_max
should get you the value. My firewall (Firestarter) has this line:
# Doubling current limit for ip_conntrack
if [ -e

On 12/19/02 7:04 AM, Kevin MacNeil [EMAIL PROTECTED] tapped the keys:
I use firestarter on my desktop machine, but many administrators don't want to install gnome / x / etc. on a dedicated firewall or router box.
Yup - mine is console only.
The shorewall firewall (shorewall.sf.net) doesn't

On Thu, 19 Dec 2002, Jack Bowling wrote:
What is your ip conntrack limit?
cat /proc/sys/net/ipv4/ip_conntrack_max
The default is 8192 which is pretty low for your uses. There are some other optimizations you can make. After you make any changes such as this, all you have to do to

From: Jeff Stillwall [EMAIL PROTECTED]
There are some other optimizations you can make.
Where can I learn more about the whole /proc filesystem?
There's some starter info here:
http://www.redhat.com/docs/manuals/linux/
Assuming you're using RH 7.3 specifically:

On 12/19/02 11:29 AM, Jack Bowling [EMAIL PROTECTED] tapped the keys:
You could stick this in the /etc/sysctl.conf which is a RH-specific config placeholder:
# Up the conntrack limit
net.ipv4.ip_conntrack_max = 16384
and then:
/sbin/sysctl -p
to read in the new config.
Done and
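As an added example (not code from anyone in this thread), the check an administrator would want before raising the limit the way Jack suggests: how full the conntrack table actually is, and what the doubled sysctl.conf line would be. The max and count files are passed as parameters because the 2.4-era path quoted above (/proc/sys/net/ipv4/ip_conntrack_max) moved on later kernels; the nf_conntrack paths used for the stand-alone run are an assumption about modern kernels, and the 80 percent threshold is a constructed value.

```shell
#!/bin/sh
# conntrack_usage_pct MAX_FILE COUNT_FILE
# Prints the percentage of the conntrack table in use (integer).
conntrack_usage_pct() {
    max=$(cat "$1") || return 1
    count=$(cat "$2") || return 1
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    echo $(( count * 100 / max ))
}

# conntrack_advice MAX_FILE COUNT_FILE THRESHOLD_PCT
# Prints "ok" when usage is below the threshold; otherwise prints the
# /etc/sysctl.conf line that doubles the limit, as the thread describes.
# A full table means new connections are dropped, which is the symptom
# of "stopped forwarding packets" an operator would see.
conntrack_advice() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    if [ "$pct" -ge "$3" ]; then
        max=$(cat "$1")
        echo "net.ipv4.ip_conntrack_max = $(( max * 2 ))"
    else
        echo "ok"
    fi
}

# Stand-alone use on a live box (assumed modern paths; 2.4 kernels expose
# only /proc/sys/net/ipv4/ip_conntrack_max, so substitute as needed).
MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
if [ -r "$MAX_FILE" ] && [ -r "$COUNT_FILE" ]; then
    echo "conntrack usage: $(conntrack_usage_pct "$MAX_FILE" "$COUNT_FILE")%"
    conntrack_advice "$MAX_FILE" "$COUNT_FILE" 80
fi
```

After appending the printed line to /etc/sysctl.conf, `/sbin/sysctl -p` applies it as the thread says; on a firewall that has run out of table entries the count will sit at the max, which is the signal this check is looking for.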

On 12/19/02 10:04 AM, Will Mc Donald [EMAIL PROTECTED] tapped the keys:
From: Jeff Stillwall [EMAIL PROTECTED]
There are some other optimizations you can make.
Where can I learn more about the whole /proc filesystem?
There's some starter info here:

I have to thank everyone again for helping me with my IPTables question last week...
This is sort of a 'second-part'. The firewall that I set up serves about 350 people. It gets pretty hammered. Twice, after approximately 20 days of uptime, it has stopped serving users (forwarding packets) and