Hello All,

I don't understand why the tracking is so memory hungry?

<SNIPPED FROM FAQ>
If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...). You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!
<END OF SNIP>

I understand from this statement that the amount of data needed is about 16 Kbyte per connection, of which 350 bytes is non-swappable. This seems like an awful lot of data for one TCP session. I do not know what is in all this data, but I think I would like the option to configure a "less secure" firewall with some mediocre memory requirements but still some state (e.g. only include state on the IP numbers and port for the server in question and do not include the sequence numbers, or perhaps only the IP number).

Also the FAQ is not completely clear to me on the mentioned memory requirements, e.g. a system with 64MB physical memory and 10GB swap is capable of:

a) 4096 connections = 64MB/16k
b) 655360 connections = 10GB/16k
c) 191739 connections = 64MB/350

Best regards,
Ruud Schramp

P.S. Apologies if I should have sent this email to the users list, but it seemed that developers have better insight in the physical problems.
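The following is an added example, not part of the original message or of the netfilter project's code. It turns the two figures the quoted FAQ gives (a default table size that scales with physical RAM at 4096 entries per 64MB, and about 350 bytes of non-swappable kernel memory per tracked connection) into a small sizing and headroom check: it computes the default maximum and its memory cost for a given RAM size, flags a conntrack table that is near or at its limit, and counts "table full" syslog events. The /proc paths and the exact wording of the kernel's "table full, dropping packet" message are assumptions (the FAQ snippet above does not quote the message), and the syslog lines are constructed sample input.

```python
"""Conntrack table sizing and headroom check (added example, not from the original thread)."""
import os

# Figures taken from the FAQ snippet quoted in the message.
ENTRIES_PER_64MB = 4096          # default maximum at 64MB of RAM
MIB = 1024 * 1024
BYTES_PER_ENTRY = 350            # non-swappable kernel memory per tracked connection


def default_conntrack_max(ram_bytes):
    """Default maximum number of tracked connections for a given amount of physical RAM,
    applying the FAQ rule of 4096 entries per 64MB (128MB -> 8192, and so on)."""
    return ram_bytes * ENTRIES_PER_64MB // (64 * MIB)


def conntrack_memory_bytes(entries):
    """Non-swappable kernel memory pinned by a table of the given size, at 350 bytes per entry."""
    return entries * BYTES_PER_ENTRY


def headroom(count, maximum, warn_ratio=0.8):
    """Compare the current number of tracked connections with the table limit.
    Returns (fill_ratio, status) where status is 'ok', 'warning' or 'full'.
    A full table means new connections are dropped by the firewall."""
    if maximum <= 0:
        raise ValueError("conntrack maximum must be positive")
    ratio = count / maximum
    if count >= maximum:
        return ratio, "full"
    if ratio >= warn_ratio:
        return ratio, "warning"
    return ratio, "ok"


# Assumed sysctl locations: the nf_conntrack_* names on current kernels, the older
# ip_conntrack_* names as a fallback. Both are assumptions, not taken from the FAQ.
PROC_CANDIDATES = [
    ("/proc/sys/net/netfilter/nf_conntrack_count",
     "/proc/sys/net/netfilter/nf_conntrack_max"),
    ("/proc/sys/net/ipv4/netfilter/ip_conntrack_count",
     "/proc/sys/net/ipv4/netfilter/ip_conntrack_max"),
]


def read_live_counters():
    """Read (count, max) from /proc if this host exposes them; None otherwise."""
    for count_path, max_path in PROC_CANDIDATES:
        if os.path.exists(count_path) and os.path.exists(max_path):
            with open(count_path) as f_count, open(max_path) as f_max:
                return int(f_count.read().strip()), int(f_max.read().strip())
    return None


# Assumed wording of the kernel log line the FAQ refers to when the table overflows.
TABLE_FULL_MARKER = "table full, dropping packet"


def count_table_full_events(log_lines):
    """Number of syslog lines reporting a full conntrack table (dropped new connections)."""
    return sum(1 for line in log_lines if TABLE_FULL_MARKER in line)


# Constructed sample syslog lines; the timestamps and hostname are made up.
SAMPLE_SYSLOG = [
    "Jan 12 10:00:01 fw kernel: ip_conntrack: table full, dropping packet.",
    "Jan 12 10:00:01 fw kernel: eth0: link up",
    "Jan 12 10:00:02 fw kernel: ip_conntrack: table full, dropping packet.",
]


if __name__ == "__main__":
    for ram_mb in (64, 128, 256):
        entries = default_conntrack_max(ram_mb * MIB)
        print("%d MB RAM -> default max %d entries, about %d KB pinned when full"
              % (ram_mb, entries, conntrack_memory_bytes(entries) // 1024))
    live = read_live_counters()
    if live is not None:
        ratio, status = headroom(*live)
        print("live table: %d/%d (%.0f%%) %s" % (live[0], live[1], ratio * 100, status))
    print("table-full events in sample log:", count_table_full_events(SAMPLE_SYSLOG))
```

Run on a firewall host, the script reports how close the live table is to its limit; a status of "warning" is the moment to raise the maximum (at the 350 bytes per entry cost shown) rather than waiting for dropped connections to show up in syslog.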