On Fri, 2003-01-17 at 05:50, Sandro Minola wrote:
> > What does the value 32768 mean? Max. size of the conntrack table
> > in bytes? Max. # of entries in the table?
> I just found out that this value means the number (#) of connections. And
> it's currently not set to 32768 (as I misleadingly wrote), it's set to
> 32760.
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html says
> that this is the default value for a 512MB RAM machine.
> So it seems that my router can handle 32760 simultaneous connections. Do you
> think this is enough for 200 clients and 20 servers?

At a guess, and only a guess, I don't think you will have problems. You
can increase the limit by -
echo 99999 >/proc/sys/net/ipv4/ip_conntrack_max

Change 99999 to whatever you think you need, but remember that each
connection uses about 350 bytes of memory, so 99999*350 is about 35MB, but
with 512MB to play with I don't think it will be a problem :-))

If you have concerns then you may want to run a script file that
monitors the number of connections and reports to you by email.

Add a file with -
date -R >>/tmp/connections
cat /proc/net/ip_conntrack | wc -l >>/tmp/connections


and get cron to run this every 5 minutes or so, and then each hour, 6
hours or whatever you want, run the following by cron -
cat /tmp/connections | mail -s "Connections report" [EMAIL PROTECTED]
rm -f /tmp/connections



This should produce an email something like-
Fri Jan 17 11:23:18 NZDT 2003
     31
Fri Jan 17 11:23:42 NZDT 2003
     36

With this you can track the load during the day to see what your peak
connections are and also the time of day it happens.

Run it for a week or so to see how your system is going.

If you want to take it a step further then you could create a script
that only emails an alert or warning if the number of connections gets
above a certain amount.

-- 
Lyndsay Roger <[EMAIL PROTECTED]>
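
The threshold alert suggested at the end of the message above could look like the following. This is an added example, not part of the original email: the 80% threshold, the `root` recipient and all function and variable names are assumptions, while the two /proc paths are the ones given in the message.

```shell
#!/bin/sh
# Added example: mail a warning only when conntrack usage crosses a threshold.
# Default paths are those from the message; the overrides exist for testing.
CONNTRACK_TABLE="${CONNTRACK_TABLE:-/proc/net/ip_conntrack}"
CONNTRACK_MAX="${CONNTRACK_MAX:-/proc/sys/net/ipv4/ip_conntrack_max}"
THRESHOLD_PCT="${THRESHOLD_PCT:-80}"   # assumed alert level, percent of max
ALERT_TO="${ALERT_TO:-root}"           # placeholder recipient

# Print the number of tracked connections (one table line per connection).
conntrack_count() {
    [ -r "$1" ] || return 2
    wc -l < "$1" | tr -d ' '
}

# Print current usage as an integer percentage of the configured maximum.
conntrack_pct() {
    count=$(conntrack_count "$1") || return 2
    max=$(cat "$2" 2>/dev/null) || return 2
    # Reject an empty, non-numeric or zero maximum instead of dividing by it.
    case "$max" in ''|*[!0-9]*|0) return 2 ;; esac
    echo $(( count * 100 / max ))
}

# Return 0 and print a report line when usage is at or above the threshold,
# 1 when it is below, 2 when the table or the limit could not be read.
conntrack_check() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    [ "$pct" -ge "$3" ] || return 1
    echo "$(date -R) conntrack at ${pct}% of $(cat "$2")"
}

# Entry point for cron: stays silent unless the threshold is reached.
run_alert() {
    report=$(conntrack_check "$CONNTRACK_TABLE" "$CONNTRACK_MAX" "$THRESHOLD_PCT") \
        || return 0
    echo "$report" | mail -s "Conntrack warning" "$ALERT_TO"
}

# Act only when invoked as "script run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    run_alert
fi
```

Run it from cron every few minutes with the argument `run`. Mail is sent only when the table is at or above the threshold, so a sudden flood of half-open or scanning connections shows up as a warning rather than as dropped traffic.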


