** Reply to message from Jeff Stillwall <[EMAIL PROTECTED]> on Thu, 19 Dec 2002 02:52:37 -0500
> I have to thank everyone again for helping me with my IPTables question last
> week...
>
> This is sort of a 'second-part'. The firewall that I set up serves about
> 350 people. It gets pretty hammered. Twice, after approximately 20 days of
> uptime, it has stopped serving users (forwarding packets) and a reboot gets
> me back up and running.
>
> Is there anything I can or must do to optimize this box for routing and
> firewall activities? Some kernel level connection table limits I'm hitting?
> And can I adjust these values without having to recompile the kernel...doing
> so on a production box scares me!

What is your ip conntrack limit?

    cat /proc/sys/net/ipv4/ip_conntrack_max

should get you the value. My firewall (Firestarter) has this line:

    # Doubling current limit for ip_conntrack
    if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
    fi

The default is 8192, which is pretty low for your uses. There are some other optimizations you can make. After you make any changes such as this, all you have to do to initiate the New Order is a:

    /sbin/service network restart

No need for a system reboot.

One recommendation I would make if you have the Gnome libraries loaded is to go to:

    http://firestarter.sourceforge.net

and download the 0.8.x version for Gnome 1.4 (I'm assuming you haven't moved up to Gnome2). Run the wizard and let it write the /etc/firewall.sh for you. Then study the firewall.sh script and see all the optimizations that are possible. Some are for boxes being used as a router vs. as a workstation, etc. Worth a gander.

You can disable firestarter anytime by:

    /sbin/service firestarter stop
    /sbin/chkconfig firestarter off

Hope this helps.

jb

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
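An added helper script for the conntrack-table problem discussed in the reply (it is not from the thread or from Firestarter): it turns the max/count pair into a status, counts the kernel's "table full, dropping packet" message in a log so the stall can be confirmed rather than guessed, and raises the limit with the same file-existence check as the Firestarter snippet. It assumes a 2.4-era kernel with the ip_conntrack /proc path quoted above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Firestarter.
# Paths are the 2.4-era ip_conntrack ones quoted in the reply; on current kernels the
# equivalents are /proc/sys/net/netfilter/nf_conntrack_max and nf_conntrack_count.

# conntrack_usage_pct MAX COUNT: integer percentage of the table in use (fails if MAX is 0)
conntrack_usage_pct() {
    max=$1; count=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status MAX COUNT: OK below 80%, WARN from 80%, FULL from 95%.
# A full table is where the kernel starts dropping new connections, which to
# users looks exactly like the "stopped forwarding packets" symptom in the question.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || { echo UNKNOWN; return 1; }
    if [ "$pct" -ge 95 ]; then echo FULL
    elif [ "$pct" -ge 80 ]; then echo WARN
    else echo OK
    fi
}

# count_table_full: number of kernel "table full, dropping packet" lines read from stdin
# (feed it dmesg output or /var/log/messages to confirm the table was the cause)
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# conntrack_set_max FILE VALUE: raise the limit the way the Firestarter snippet does,
# but only when FILE exists, VALUE is a positive integer, and it is not a shrink.
# Note that a value written to /proc does not survive a reboot; keep it in a boot script.
conntrack_set_max() {
    file=$1; value=$2
    [ -e "$file" ] || { echo "no $file: this kernel has no ip_conntrack"; return 1; }
    case $value in ''|*[!0-9]*|0) echo "bad value: $value"; return 2 ;; esac
    cur=$(cat "$file")
    [ "$value" -ge "$cur" ] || { echo "refusing to shrink table from $cur to $value"; return 3; }
    echo "$value" > "$file"
}

# Constructed sample kernel log excerpt (not real data) with two table-full events
SAMPLE_KLOG='Dec 19 02:40:11 fw kernel: ip_conntrack: table full, dropping packet.
Dec 19 02:40:11 fw kernel: ip_conntrack: table full, dropping packet.
Dec 19 02:40:12 fw kernel: eth1: link up'
```

On a live box, pass `$(cat /proc/sys/net/ipv4/ip_conntrack_max)` and the current entry count to `conntrack_status`, and `conntrack_set_max /proc/sys/net/ipv4/ip_conntrack_max 16384` (as root) performs the same write as the Firestarter line.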