On Sunday 23 March 2008 03:16:16 Dan Cowsill wrote:
> I also understand that its maximum is something on the order of 65000
> simultaneous connections.

That's a significant understatement. The default limit is based on how much RAM you have, and is set very conservatively. /proc/sys/net/ipv4/netfilter/ip_conntrack_max sets how many connections you can track.

You should also drop /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established significantly. Connections can hang around for weeks unless properly closed. On the production Linux firewalls I maintain they were happily handling ~50-60k connections until I dropped ip_conntrack_tcp_timeout_established to 432000 seconds, when the conntrack table dropped to ~30k. I could drop it a lot lower, but the machines cope with absolutely no issues.

Personally, I'd drop ip_conntrack_tcp_timeout_established to about a day, or even less, as connections won't time out if traffic continues to pass.

-- 
Mike Williams

-- 
gentoo-user@lists.gentoo.org mailing list
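As an added example (not from the thread), a POSIX shell helper that reads a conntrack table dump and estimates how many ESTABLISHED TCP entries a shorter ip_conntrack_tcp_timeout_established would already have reaped. The current timeout is passed in as an argument rather than read from /proc (on a real host, take it from the sysctl), so the sample below is a constructed dump rather than captured data.

```shell
#!/bin/sh
# Estimate how many conntrack entries are only alive because
# ip_conntrack_tcp_timeout_established is long, before lowering it.
#
# An ESTABLISHED entry's timer is reset to the full timeout on every packet,
# so  idle = current_timeout - remaining  and an entry with idle > proposed
# would already have been dropped under the proposed (shorter) timeout.
#
# Usage: conntrack_summary <current_timeout> <proposed_timeout> [dump]
#   dump defaults to stdin ("-"); use /proc/net/ip_conntrack on a real host
#   (or /proc/net/nf_conntrack on newer kernels; both line formats are handled).
#   Prints one line: total=N tcp_established=N stale_under_proposed=N
conntrack_summary() {
    current="$1"
    proposed="$2"
    dump="${3:--}"
    awk -v cur="$current" -v lim="$proposed" '
        {
            # nf_conntrack: "ipv4 2 tcp 6 <remaining> <state> ..."
            # ip_conntrack: "tcp 6 <remaining> <state> ..."
            off = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
            proto = $(1 + off); remaining = $(3 + off); state = $(4 + off)
            total++
            if (proto == "tcp" && state == "ESTABLISHED") {
                est++
                if (cur - remaining > lim) stale++
            }
        }
        END {
            printf "total=%d tcp_established=%d stale_under_proposed=%d\n",
                   total, est, stale
        }
    ' "$dump"
}

# Constructed sample dump (not real captured data): one fresh and one long-idle
# ip_conntrack entry, one TIME_WAIT, one UDP, and one nf_conntrack-format entry.
sample_dump() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40001 dport=443 packets=8 bytes=900 src=10.0.0.9 dst=10.0.0.5 sport=443 dport=40001 packets=6 bytes=4000 [ASSURED] mark=0 use=1
tcp      6 300000 ESTABLISHED src=10.0.0.6 dst=10.0.0.9 sport=40002 dport=22 packets=3 bytes=200 src=10.0.0.9 dst=10.0.0.6 sport=22 dport=40002 packets=2 bytes=150 [ASSURED] mark=0 use=1
tcp      6 100 TIME_WAIT src=10.0.0.7 dst=10.0.0.9 sport=40003 dport=80 packets=5 bytes=400 src=10.0.0.9 dst=10.0.0.7 sport=80 dport=40003 packets=4 bytes=300 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.8 dst=10.0.0.1 sport=5353 dport=53 packets=1 bytes=60 src=10.0.0.1 dst=10.0.0.8 sport=53 dport=5353 packets=1 bytes=90 mark=0 use=1
ipv4     2 tcp      6 50000 ESTABLISHED src=10.0.0.10 dst=10.0.0.9 sport=40004 dport=443 packets=2 bytes=120 src=10.0.0.9 dst=10.0.0.10 sport=443 dport=40004 packets=1 bytes=80 [ASSURED] mark=0 use=1
EOF
}

# With the current timeout at 432000 s (five days, the value in the post), how
# many of the sample entries would a one-day timeout already have reaped?
sample_dump | conntrack_summary 432000 86400
```

Run it against the live table with `conntrack_summary "$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established)" 86400 /proc/net/ip_conntrack` to see how much of the table a one-day timeout would shed before changing the sysctl.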