Revisiting ip_conntrack: table full, dropping packet

Gino LV.Ledesma gino@cersa.admu.edu.ph
Wed, 15 Aug 2001 09:04:19 +0800 

> Surely your only solution is to increase the maximum?  (BTW allocating 
> 8192
> by doing an  echo 8912 > /proc/sys/net/ipv4/ip_conntrac_max allocates 
> 8192
> connections, not bytes)

Oh yes, connections. Correct me if I'm wrong, but isn't one connection 
equal to one byte of real RAM?

> Is the firewall just for connections going from the inside out? coz for 
> 105
> machines,  8192/105 = average 78 connections per machine!! this is a 
> lot of
> connections - and any that aren't established get dropped first.  I find
> this fairly hard to belive - given that most of the connections I see 
> are
> web, and these are fairly short lived (open, get page etc, close)

You wouldn't believe the number of connections indeed. As we SNAT a 
whole dormitory, the average connection for a regular user is mostly 
web/http related, however, there are SEVERAL connections such as ftp 
downloads, peer-to-peer connections (Kazaa, AudioGalaxy, Napster, 
Gnutella, ICQ, Hotline, etc...), and the like.

Our setup is currently this: we only allow outgoing 3128 and 1080 
connections as we have proxies further up the stream to speed up network 
transfers (our proxies have relatively fast connections).

> If you have the firewall from internal lan to internal lan and outside 
> then
> this may explain it.  However if you are hitting the limit, then it's 
> time
> to go buy more RAM i'm affraid.

Hmm... Could you explain how this is so? Right now, we SNAT connections 
to our campus LAN router which then reroutes us to the Internet. All 
connections going out our box are only headed to the internal proxies 
(http, socks) and nowhere else.

As far as RAM is concerned, well that isn't really problem as I can add 
more eventually (probably go to 256MB or more), but I was hoping that 
this wasn't the only solution. :)

--------------------------------------
Gino LV. Ledesma
Ateneo Cervini-Eliazo Networks (ACENT)
email  :  gino@technologist.com
web    :  http://cersa.admu.edu.ph/
phone  :  (63)(2) 426-6001 ext. 5925/5904