On Mon, Aug 13, 2007 at 10:43:28AM +0200, Jorijn Schrijvershof wrote:

> Currently the firewall is still in its default settings which is a limit of 10 new UDP connections per second. This with a burst rate of 60.
UDP is a connectionless protocol, hence "10 new connections per second" doesn't make much sense. What I think you're saying is that you're allowing 10 new computers to send packets to you every second, on top of the computers that "regularly" send you packets.

Most properly configured NTP clients will send a request every 1024 seconds, so if you've got the normal three or four requests per second you're going to be having between three and four thousand hosts "connected" to you at any one time. The timeout on the connection tracking may well be less than twenty minutes, so it'll just set up this "connection" and tear it down without ever getting another packet through. The next time you receive a request from the same host it'll create a new "connection" for this old host.

Your host will occasionally be named in the DNS round robin and your traffic will jump up an order of magnitude. So unless you want to track a hundred thousand or so "connections", you're probably better off disabling any connection tracking on NTP traffic.

Sam

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
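As an added illustration that is not part of this thread, the following Python model reproduces the interaction Sam describes: hosts polling every 1024 s, a connection-tracking entry that expires before the next poll, and a token-bucket limit on "NEW" packets taken from the quoted settings (10/s, burst 60). The poll spacing, the 180 s tracking timeout and the host counts are assumed values chosen to match the figures in the mail, not measurements.

```python
import heapq


def simulate(clients, poll=1024, ct_timeout=180, rate=10.0, burst=60, cycles=4):
    """Model NTP requests passing a stateful UDP firewall (constructed model).

    `clients` hosts each poll every `poll` seconds, spread evenly over the
    interval. A tracking entry lives `ct_timeout` seconds after the last packet
    (assumed value; the mail only says it may be under twenty minutes). Packets
    without a live entry count as NEW and pass a token bucket (rate, burst).
    Returns (max_tracked_entries, new_packets, dropped_packets).
    """
    expiry = {}                        # host -> time its tracking entry expires
    heap = []                          # (expiry_time, host) for lazy expiry
    tracked = max_tracked = 0
    tokens, last = float(burst), 0.0   # token bucket for NEW packets
    new_packets = dropped = 0
    for c in range(cycles):
        for h in range(clients):
            t = c * poll + h * poll / clients
            # Drop entries whose timeout has elapsed (stale heap records are skipped).
            while heap and heap[0][0] <= t:
                exp, host = heapq.heappop(heap)
                if expiry.get(host) == exp:
                    del expiry[host]
                    tracked -= 1
            if h in expiry:            # existing "connection": refresh, not NEW
                expiry[h] = t + ct_timeout
                heapq.heappush(heap, (expiry[h], h))
                continue
            new_packets += 1
            tokens = min(float(burst), tokens + (t - last) * rate)
            last = t
            if tokens < 1.0:           # over the NEW limit: packet is dropped
                dropped += 1
                continue
            tokens -= 1.0
            expiry[h] = t + ct_timeout
            heapq.heappush(heap, (expiry[h], h))
            tracked += 1
            max_tracked = max(max_tracked, tracked)
    return max_tracked, new_packets, dropped


if __name__ == "__main__":
    # 4000 hosts (~4 req/s): every request is NEW, ~700 entries live at once.
    print(simulate(4000))
    # 40000 hosts (round-robin burst, ~39 req/s): most requests exceed 10/s.
    print(simulate(40000))
    # Timeout longer than the poll interval: every host stays tracked forever.
    print(simulate(40000, ct_timeout=1200))
```

With the short timeout every poll is a fresh "connection", so the 10/s limit throttles legitimate traffic as soon as request rate exceeds it; with a long timeout the table grows to the full client population instead.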
