Hello All, I am curious to get other people's thoughts about the 5-day timeout for the following variable: TCP_CONNTRACK_ESTABLISHED. This value seems high for high-traffic firewalls. For instance, if I wanted to use netfilter for a firewall between my corporate network and my WAN, which has roughly 2300 nodes and 40000 users, it seems to me like you would run out of STATE memory, and with most connections being TCP it would take 5 days before most of them would time out. I realize I could modify the value and recompile... although it would be nice to be able to modify these with sysctl.conf or via the /proc filesystem.
Thanks, Preston
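The runtime tuning the post asks for exists on current kernels. The script below is an added example, not part of the post or of netfilter itself: it estimates steady-state conntrack table occupancy from a new-flow rate and the 5-day default, and reads or sets the tunable via /proc and sysctl instead of recompiling. It assumes a kernel exposing nf_conntrack under /proc/sys/net/netfilter (the post predates that interface); the 10 flows/s and 262144-entry table are constructed figures.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a current kernel that
# exposes conntrack tunables under /proc/sys/net/netfilter; the ip_conntrack-era
# value discussed in the post was only changeable at compile time.
CT_SYS="${CT_SYS:-/proc/sys/net/netfilter}"

# Kernel default for nf_conntrack_tcp_timeout_established: 432000 s = 5 days.
DEFAULT_ESTABLISHED=432000

# Little's law: steady-state table entries ~= new flows per second x lifetime
# in seconds. Usage: expected_entries RATE_PER_SEC TIMEOUT_SEC
expected_entries() {
    echo $(( $1 * $2 ))
}

# Print "overflow" if RATE flows/s held for TIMEOUT s exceed MAX entries,
# otherwise "ok". Usage: table_fits RATE TIMEOUT MAX
table_fits() {
    if [ "$(expected_entries "$1" "$2")" -gt "$3" ]; then
        echo overflow
    else
        echo ok
    fi
}

# Read a tunable from the conntrack sysctl tree; empty if unsupported here.
ct_get() {
    cat "$CT_SYS/$1" 2>/dev/null
}

# Show live occupancy against the table limit and the current timeout.
ct_status() {
    echo "nf_conntrack_count=$(ct_get nf_conntrack_count) nf_conntrack_max=$(ct_get nf_conntrack_max)"
    echo "nf_conntrack_tcp_timeout_established=$(ct_get nf_conntrack_tcp_timeout_established)"
}

# Lower the established timeout at runtime (needs root); persist it by adding
# the same key to /etc/sysctl.conf. Usage: ct_set_established SECONDS
ct_set_established() {
    sysctl -w "net.netfilter.nf_conntrack_tcp_timeout_established=$1"
}

# Worked numbers (constructed): 10 long-lived TCP flows/s surviving to the
# 5-day timeout against a 262144-entry table.
case "${1:-}" in
    status)   ct_status ;;
    estimate) table_fits 10 "$DEFAULT_ESTABLISHED" 262144 ;;   # -> overflow
esac
```

Run with `estimate` to see why a 5-day lifetime saturates a modest table, and with `status` on a firewall to compare nf_conntrack_count against nf_conntrack_max before lowering the timeout.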
