Marcus Herou wrote:
> Thanks! I think that did it. How do you know the actual size of that
> bastard parameter ?
you could ask your kernel:
sysctl net.nf_conntrack_max
(something like 65536)
>
> Just to be clear I have not enabled conntrack explicitly, comes
> enabled with the kernel I guess. Does not iptables need conntrack ?
iptables needs conntrack when you use any NEW/RELATED/ESTABLISHED rule or
the nat table, for instance
> Anyway since you are the experts in this backyard what FW do you use
> to protect a LB ?
It depends on your needs: if you can cope with stateless firewalling
then iptables will do the job fine,
otherwise, well, a little bit of memory and an upgraded
nf_conntrack_max and you're done.
>
> Kindly
>
> //Marcus
>
> On Mon, Sep 29, 2008 at 7:43 PM, Patrick Viet <patrick.viet#gmail.com
> <mailto:patrick.viet#gmail.com>> wrote:
>
> deactivate conntrack if you can.
> otherwise,
>
> sysctl -w net.nf_conntrack_max=400000
> should help
>
I think something like 524288 or any power of two is more recommended IIRC
>
> (and add net.nf_conntrack_max=400000 to /etc/sysctl.conf)
>
>
> Patrick
>
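An added example, not from anyone in this thread, that turns the advice above into a small headroom check: it reads nf_conntrack_count and nf_conntrack_max from /proc (the modern /proc/sys/net/netfilter/ paths are assumed; on a box without them it falls back to constructed sample values), reports utilization, and suggests the next power of two when the table is running full.

```shell
#!/bin/sh
# Added example (not from the thread). When the table fills, the kernel logs
# "nf_conntrack: table full, dropping packet" and new connections are lost,
# so watching utilization before that point is the useful check.

# next_pow2 N -> smallest power of two >= N (the thread suggests power-of-two sizes)
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# utilization_pct COUNT MAX -> integer percentage of the table in use
utilization_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_verdict COUNT MAX -> ok | warn | critical (thresholds are assumptions)
conntrack_verdict() {
    pct=$(utilization_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok; fi
}

# read_or_default PATH DEFAULT -> file contents if readable, else the constructed default
read_or_default() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

conntrack_report() {
    # 60000/65536 are constructed sample values used when /proc is unavailable
    count=$(read_or_default /proc/sys/net/netfilter/nf_conntrack_count 60000)
    max=$(read_or_default /proc/sys/net/netfilter/nf_conntrack_max 65536)
    verdict=$(conntrack_verdict "$count" "$max")
    echo "conntrack: $count/$max in use ($(utilization_pct "$count" "$max")%) -> $verdict"
    if [ "$verdict" != ok ]; then
        suggested=$(next_pow2 $((max * 2)))
        echo "suggest: sysctl -w net.nf_conntrack_max=$suggested (and persist it in /etc/sysctl.conf)"
    fi
}

conntrack_report
```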
Received on 2008/09/29 22:03