Ron Croonenberg wrote:
> I found, after digging around for a good while, that changing these keys:
>
> net.ipv4.netfilter.ip_conntrack_udp_timeout=480
> net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=900
>
> seems to work on FC6 (2.6.22.4-45.fc6).
>
> But: Do I need both of them? And what is the best "minimal" value for
> those keys?
>
> tia,
>
> Ron

You need both of them. They specify different things.

The first is how long the firewall will permit inbound packets to be delivered after the last outbound packet between a given set of endpoints.

The second is how long an idle port mapping will be maintained before it can be reused by a new client.

Those values are fine. However, OpenAFS Windows clients older than 1.5.17 probed up servers once every ten minutes and therefore a net.ipv4.netfilter.ip_conntrack_udp_timeout value of 780 will make your file servers much happier.

You cannot set these values by port as you cannot guarantee what port numbers will be used by the client. The client will default to 7001 but, for example, a client run in a VM behind a NAT will appear on a different port.

Jeffrey Altman
