Revisiting ip_conntrack: table full, dropping packet
Wed, 15 Aug 2001 09:04:19 +0800
> Surely your only solution is to increase the maximum? (BTW allocating
> by doing an echo 8912 > /proc/sys/net/ipv4/ip_conntrack_max allocates
> connections, not bytes)
Oh yes, connections. Correct me if I'm wrong, but isn't one connection
equal to one byte of real RAM?
> Is the firewall just for connections going from the inside out? coz for
> machines, 8192/105 = average 78 connections per machine!! this is a
> lot of connections - and any that aren't established get dropped first.
> I find this fairly hard to believe - given that most of the connections
> I see are web, and these are fairly short lived (open, get page etc, close)
You wouldn't believe the number of connections indeed. As we SNAT a
whole dormitory, the average connection for a regular user is mostly
web/http related, however, there are SEVERAL connections such as ftp
downloads, peer-to-peer connections (Kazaa, AudioGalaxy, Napster,
Gnutella, ICQ, Hotline, etc...), and the like.
Our setup is currently this: we only allow outgoing 3128 and 1080
connections as we have proxies further up the stream to speed up network
transfers (our proxies have relatively fast connections).
> If you have the firewall from internal lan to internal lan and outside
> this may explain it. However if you are hitting the limit, then it's
> to go buy more RAM I'm afraid.
Hmm... Could you explain how this is so? Right now, we SNAT connections
to our campus LAN router which then reroutes us to the Internet. All
connections going out our box are only headed to the internal proxies
(http, socks) and nowhere else.
As far as RAM is concerned, well that isn't really a problem as I can add
more eventually (probably go to 256MB or more), but I was hoping that
this wasn't the only solution. :)
Gino LV. Ledesma
Ateneo Cervini-Eliazo Networks (ACENT)
email : firstname.lastname@example.org
web : http://cersa.admu.edu.ph/
phone : (63)(2) 426-6001 ext. 5925/5904
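The thread argues about how full the table really is and which SNAT'd hosts fill it. As an added example (not from the thread or from netfilter itself), this script parses the 2.4-era /proc/net/ip_conntrack line format, reports utilisation against ip_conntrack_max, counts unreplied (not yet established) entries, which are the ones evicted first, and lists the internal hosts holding the most entries. The sample lines, the addresses and the 8192 limit are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack format of the 2.4 kernel
# (tuple line, optional [UNREPLIED] between the two tuples, [ASSURED] at the end).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=10.0.0.1 sport=1034 dport=3128 src=10.0.0.1 dst=172.16.0.2 sport=3128 dport=1034 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.1.1.5 dst=10.0.0.1 sport=1035 dport=3128 [UNREPLIED] src=10.0.0.1 dst=172.16.0.2 sport=3128 dport=1035 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.9 dst=10.0.0.1 sport=2001 dport=1080 src=10.0.0.1 dst=172.16.0.2 sport=1080 dport=2001 [ASSURED] use=1
udp      17 27 src=10.1.1.9 dst=10.0.0.1 sport=1214 dport=1214 [UNREPLIED] src=10.0.0.1 dst=172.16.0.2 sport=1214 dport=1214 use=1
tcp      6 53 TIME_WAIT src=10.1.1.9 dst=10.0.0.1 sport=2002 dport=3128 src=10.0.0.1 dst=172.16.0.2 sport=3128 dport=2002 [ASSURED] use=1
"""

# Protocol name, protocol number, timeout, optional TCP state, then the original-direction tuple.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per conntrack entry; lines that do not match (e.g. icmp) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["timeout"] = int(entry["timeout"])
        entry["unreplied"] = "[UNREPLIED]" in line  # no reply seen yet: first to be evicted
        entry["assured"] = "[ASSURED]" in line      # traffic seen both ways: never evicted early
        entries.append(entry)
    return entries


def summarize(entries, table_max, top=3):
    """Utilisation against ip_conntrack_max plus the internal hosts holding the most entries."""
    by_src = Counter(e["src"] for e in entries)
    return {
        "used": len(entries),
        "max": table_max,
        "pct": round(100.0 * len(entries) / table_max, 1),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
        "top_sources": by_src.most_common(top),
    }


if __name__ == "__main__":
    print(summarize(parse_conntrack(SAMPLE), 8192))
```

On a live box, feed it `open("/proc/net/ip_conntrack").read()` and the value of `/proc/sys/net/ipv4/ip_conntrack_max`; a high unreplied share points at scans or dead peers rather than real proxy sessions.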