/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> ip_masq_new(proto=udp): no free ports

This means that your masq connection table has filled up with
connections. That means no more connections can be masqueraded until
some room gets freed up! This is bad. :)

When this happens (or, any time you please), run this command:

    ipchains -M -L -n

This shows all the connections that are currently being masqueraded.
You will see the port numbers that are being serviced. This should give
you some idea of what your clients are doing that is filling up your
table. You will need to do something about it.

One thing that comes to mind is that DNS traffic can send a lot of
short-lived connection packets. If you see a lot of UDP port 53
connections being masqueraded, you can be sure that is the problem.
The best solution is to run a caching-only nameserver on your masq box,
and have all your internal clients use it, instead of the ISP's
nameserver. You will see a large reduction in masq'd UDP connections,
and probably faster DNS response due to caching on your local net.

If the traffic you see has some need to be there (GameSpy? I dunno..),
then your only real answer might be to reduce the UDP connection timeout
from its default of five minutes. But that might impact some other
protocols (ICQ?).

> I wonder if there is any parameter I can tune or this is memory size issue.

The masq code is hard-wired to use ports in the range 61000-65096. Once
you run out of them, the masq code can't re-use them without screwing up
existing connections. You could expand the port range yourself, but it
is not recommended. You can probably fix this more easily by finding
the problem protocol and working around it.

--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
http://www.dallas.net/~fox/ || -- Life Lessons
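
The tally the reply describes (reading the ipchains -M -L -n listing to see which ports dominate the table), as an added example that is not part of the original message. The column layout, the sample listing and the function names are assumptions made for illustration, as is counting the port range separately per protocol.

```shell
#!/bin/sh
# Added example: summarise an `ipchains -M -L -n` listing by service.
# Assumed column layout (not shown in the message):
#   prot expire source destination ports
# with ports written as "sport (masq-port) -> dport".

# Size of the 61000-65096 range quoted in the reply.
# Assumption: the range is counted separately for each protocol.
MASQ_PORTS=$((65096 - 61000))

# Reads a listing on stdin; prints "count proto/dport", busiest first.
masq_by_service() {
    awk '$1 == "TCP" || $1 == "UDP" || $1 == "ICMP" { n[$1 "/" $NF]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Reads a listing on stdin; prints "proto used/total" for each protocol.
masq_usage() {
    awk -v total="$MASQ_PORTS" '
        $1 == "TCP" || $1 == "UDP" || $1 == "ICMP" { u[$1]++ }
        END { for (p in u) printf "%s %d/%d\n", p, u[p], total }' | sort
}

# Constructed sample listing, not captured from a real system.
sample_listing() {
    cat <<'EOF'
IP masquerading entries
prot expire   source               destination          ports
UDP  04:58.12 192.168.1.10         203.0.113.53         1031 (61000) -> 53
UDP  04:57.80 192.168.1.10         203.0.113.53         1032 (61001) -> 53
UDP  04:55.03 192.168.1.11         203.0.113.53         1044 (61002) -> 53
UDP  04:51.77 192.168.1.12         203.0.113.54         1027 (61003) -> 53
UDP  03:10.40 192.168.1.11         198.51.100.7         1050 (61004) -> 4000
TCP  14:20.15 192.168.1.12         198.51.100.80        1099 (61000) -> 80
EOF
}

# On the masq box, pipe the real listing in instead:
#   ipchains -M -L -n | masq_by_service
sample_listing | masq_by_service
sample_listing | masq_usage
```

A service that holds most of the entries for one protocol is the one to look at first; in the sample that is UDP port 53, the DNS case the reply describes.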
_______________________________________________
Masq maillist - [EMAIL PROTECTED]