
Re: conntrack vs. slow modem user



On 9 Jul 2002, Dan Jacobson wrote:

> [Just posted this to comp.security.firewalls when then I found out about
> debian-firewall]
>
> OK, thanks folks for pointing out the possibility that conntrack might
> be timing out especially over my overloaded 31K avg. modem.
> I suppose there is no way to adjust the timeout?

Yes, there is :)

> I also see Subject: iptables ip_conntrack bugs? (was: persistant connections?)
> in linux.debian.maint.firewall
> http://groups.google.com/groups?hl=zh-TW&lr=&ie=UTF-8&safe=off&frame=right&th=5fd3ce547f5f6918&seekm=Pine.LNX.4.40.0201201611120.3177-100000%40cicero.axis.se

And I seem to be the author of that article.

Another fellow asked me quite the same question today, and this is what
I answered:

On Mon, 8 Jul 2002, Cristian Ionescu-Idbohrn wrote:
>
> Date: Mon, 8 Jul 2002 20:58:28 +0200 (CEST)
> From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
> To: Peter Lieven <pl@dlh.net>
> Subject: Re: ip_conntrack trouble
>
> On Mon, 8 Jul 2002, Peter Lieven wrote:
>
> > Hi Cristian,
> >
> > I found your old posting in the debian-firewall list about the
> > ip_conntrack timeout problems. As one of my monitoring systems runs
> > into the same problem, although it has 32k max allowed tracked
> > connections, I was wondering if you found a solution or fix for
> > this?
> > I'm running Debian 3.0 with kernel 2.4.18.
>
> Hi Peter,
>
> Change the kernel source net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> and take down TCP_CONNTRACK_ESTABLISHED from '5 DAYS' to '2 HOURS'.
>
> After running since April with a modified kernel, I'm happy to
> confirm:
>
>   No problems, whatsoever ;-)
>
> And I'm glad to see a clean conntrack table (most of the time).
> TCP_CONNTRACK_ESTABLISHED could probably be lowered to 1 hour without
> problems.
>
> You can use the 'iptstate' package to check things out. I watched
> what's going on (kept an xterm with an opened ssh session untouched)
> and observed that:
>
> 1. when an ssh-connection is established, it gets the 2 hours TTL
> 2. TTL decreases, as expected
> 3. when the TTL reaches the 1.5 hours point, a new 2 hours TTL period
>    is assigned


Cheers,
Cristian
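A quick way to see what the reply above is describing, as an added example that is not part of the thread: a small shell helper that reads conntrack table lines and lists the ESTABLISHED TCP entries whose remaining TTL is still above the 2-hour (7200 s) value Cristian compiled in. The sample lines are constructed to match the 2.4-era /proc/net/ip_conntrack layout ("tcp 6 <ttl> ESTABLISHED src=... use=1"), not a real capture; the awk scan locates the "ESTABLISHED" field rather than assuming a column, so it also copes with the later /proc/net/nf_conntrack layout, which prefixes each line with the address family. The sysctl path in the comment is an assumption about later (2.6+) kernels; kernel 2.4.18 had no such knob, which is why the reply patches ip_conntrack_proto_tcp.c instead.

```shell
#!/bin/sh
# Added example, not from the debian-firewall thread.
# Constructed sample conntrack lines in the 2.4 /proc/net/ip_conntrack layout.
# The first and fourth TCP entries carry TTLs far beyond 2 hours: on a 5-day
# default they would occupy table slots long after a slow modem link died.
SAMPLE_CONNTRACK='tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=34567 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=34567 use=1
tcp      6 7199 ESTABLISHED src=192.168.1.11 dst=10.0.0.6 sport=40000 dport=80 src=10.0.0.6 dst=192.168.1.11 sport=80 dport=40000 use=1
tcp      6 119 TIME_WAIT src=192.168.1.12 dst=10.0.0.7 sport=40001 dport=80 src=10.0.0.7 dst=192.168.1.12 sport=80 dport=40001 use=1
tcp      6 300000 ESTABLISHED src=192.168.1.13 dst=10.0.0.8 sport=40002 dport=443 src=10.0.0.8 dst=192.168.1.13 sport=443 dport=40002 use=1
udp      17 170 src=192.168.1.14 dst=10.0.0.9 sport=5353 dport=53 src=10.0.0.9 dst=192.168.1.14 sport=53 dport=5353 use=1'

# Print every ESTABLISHED TCP entry (read on stdin) whose remaining TTL in
# seconds is greater than $1. The TTL is the numeric field immediately
# before the word ESTABLISHED in both the 2.4 and the nf_conntrack layouts.
long_lived_established() {
    awk -v limit="$1" '
        /(^|[[:space:]])tcp[[:space:]]/ {
            for (i = 2; i <= NF; i++)
                if ($i == "ESTABLISHED" && ($(i - 1) + 0) > limit) { print; break }
        }'
}

# Number of such entries: the slots a lower TCP_CONNTRACK_ESTABLISHED
# timeout would free up sooner.
count_long_lived_established() {
    long_lived_established "$1" | wc -l | tr -d ' '
}

# Remaining-TTL threshold matching the reply's 2-hour setting.
TWO_HOURS=7200

# Demonstration on the constructed sample.
echo "Sample entries still above ${TWO_HOURS}s:"
printf '%s\n' "$SAMPLE_CONNTRACK" | long_lived_established "$TWO_HOURS"
echo "Count: $(printf '%s\n' "$SAMPLE_CONNTRACK" | count_long_lived_established "$TWO_HOURS")"

# On a live box, point the same helper at the kernel's table. Which file
# exists depends on the kernel generation (assumption: 2.4 exposes
# ip_conntrack, 2.6+ exposes nf_conntrack).
for table in /proc/net/ip_conntrack /proc/net/nf_conntrack; do
    if [ -r "$table" ]; then
        echo "Live entries in $table above ${TWO_HOURS}s: $(count_long_lived_established "$TWO_HOURS" < "$table")"
    fi
done

# On 2.6+ kernels the equivalent of the source edit in the reply is the
# sysctl net.netfilter.nf_conntrack_tcp_timeout_established (default 432000,
# i.e. 5 days); setting it to 7200 reproduces the 2-hour value. That is an
# assumption about later kernels, not something the 2.4.18 thread covers.
```

Run it as-is to see the two long-lived sample entries; on a firewall, the loop over /proc/net reports how many real ESTABLISHED entries are sitting above the 2-hour mark, which is what iptstate would show you interactively.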

