Harry Lachanas wrote:
> the kernel values for this case are ...
>
> from /proc/sys/net/ipv4/netfilter
>
> ip_conntrack_sctp_timeout_established:432000
> ip_conntrack_tcp_timeout_established:432000
>
> which is 5 days ....
>
>
> Isn't this a huge number ????
This has been a subject of occasional discussion over the years on the Netfilter development list. The problem is one of distinguishing dead connections from those that are simply idle. There was a promising change included in kernel 2.6.27 that attempts to do just that. People who tested the change in a controlled environment reported that it reduced the number of dead entries by 80-90%.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
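As an added example (not part of the thread above, and not Shorewall code), the following POSIX shell snippet audits the conntrack "established" timeouts the thread quotes. It reads every `*_timeout_established` file under a directory given as its first argument (the thread's `/proc/sys/net/ipv4/netfilter` on older kernels; newer kernels expose the same knobs as `nf_conntrack_*` under `/proc/sys/net/netfilter`), prints each value in days/hours/minutes/seconds, and returns non-zero when any value exceeds a policy limit passed as the second argument. The directory parameter exists so the check can be pointed at a constructed test directory as well as the live proc tree; the limit value is an assumption you pick for your own site.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit conntrack
# "established" timeouts against a site policy limit.
# Assumptions: $1 is a directory holding the sysctl files (for example
# /proc/sys/net/ipv4/netfilter), $2 is the maximum acceptable value in seconds.

# Convert a number of seconds to "Nd Nh Nm Ns" for human reading.
# 432000 (the value quoted in the thread) becomes "5d 0h 0m 0s".
seconds_to_human() {
    s=$1
    d=$((s / 86400)); s=$((s % 86400))
    h=$((s / 3600));  s=$((s % 3600))
    m=$((s / 60));    s=$((s % 60))
    printf '%dd %dh %dm %ds\n' "$d" "$h" "$m" "$s"
}

# Print "name=value (human)" for every *_timeout_established file in $1.
# Returns 1 if any value is unreadable or exceeds the limit in $2, else 0.
check_established_timeouts() {
    dir=$1
    limit=$2
    rc=0
    for f in "$dir"/*_timeout_established; do
        # An unmatched glob leaves the literal pattern in $f; skip it.
        [ -r "$f" ] || continue
        name=$(basename "$f")
        val=$(cat "$f")
        case $val in
            ''|*[!0-9]*)
                printf '%s: unreadable value "%s"\n' "$name" "$val"
                rc=1
                continue ;;
        esac
        printf '%s=%s (%s)' "$name" "$val" "$(seconds_to_human "$val")"
        if [ "$val" -gt "$limit" ]; then
            printf '  EXCEEDS limit of %ss\n' "$limit"
            rc=1
        else
            printf '\n'
        fi
    done
    return $rc
}

# Usage on a live system (prints each timeout and exits 1 if any is over one day):
#   check_established_timeouts /proc/sys/net/ipv4/netfilter 86400
```

The function only reports; lowering a timeout is a separate, deliberate step (writing the new value to the same file or via `sysctl -w`), and the thread's point stands that a shorter timeout trades fewer stale entries for the risk of dropping state on connections that are merely idle.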
