
Re: conntrack vs. slow modem user



On 09 Jul 2002 08:53:18 +0800
Dan Jacobson <jidanni@dman.ddts.net> wrote:

> >> Change the kernel source net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> >> and take down TCP_CONNTRACK_ESTABLISHED from '5 DAYS' to '2 HOURS'.
> Ha ha "Change the kernel source".  Did I tell you I am a junior user
> and mom specifically told me not to "change the kernel source".
> 
> Anyway, I'm just curious.  Why didn't they make it one of those
> echo 12345 > /proc/zzz/xxx/ccc/ adjustable things?
> 
> By the way, I did iptables -F; iptables -X but my google connection
> problems continued until I hung up the phone.  Could clearing the
> iptables not necessarily clear the conntrack problem, or does this
> show that my problems are just bandwidth to google over 56k?
> 
> Maybe if I take the close only the problem areas approach to security
> I won't have so many problems.
> 
> OK, I put my iptables on http://jidanni.org/test/0-jidanni-firewall
> It is causing me lots of http://jidanni.org/test/firewall-errors
> As well as only about 1 success for each 3 google clicks. 
> I use http://jidanni.org/comp/system.txt
> -- 
> http://jidanni.org/ Taiwan(04)25854780
> 

You could always make your system more aggressive by using:

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 180 > /proc/sys/net/ipv4/tcp_keepalive_intvl

Those are the settings I use anyway, not that I have DUN though.

Do some research and read some of the kernel documentation located in the source:

/usr/src/linux/Documentation/networking/ip-sysctl.txt

You might want to try and find a google mirror near you :D

Stef



-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
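
Added example (not part of the thread or of either poster's setup): a way to see how many tracked TCP connections still hold a long ESTABLISHED timeout, measured against the 2 hours (7200 seconds) suggested in the quoted text. It assumes the /proc/net/ip_conntrack entry layout; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample entries below are constructed.
# Assumption: entries follow the /proc/net/ip_conntrack layout
#   tcp 6 <seconds-left> <STATE> src=... dst=... sport=... dport=... ...
# Newer kernels' /proc/net/nf_conntrack prefixes "ipv4 2"; both layouts are
# handled by locating the "tcp" field first.

# Print "<STATE> <count> <max-seconds-left>" for each TCP state in file $1.
conntrack_tcp_summary() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "tcp") break
            if (i > NF - 3) next            # not a TCP entry
            left = $(i + 2) + 0; state = $(i + 3)
            count[state]++
            if (left > max[state]) max[state] = left
        }
        END { for (s in count) print s, count[s], max[s] }
    ' "$1" | sort
}

# Count ESTABLISHED entries in file $1 with more than $2 seconds left.
conntrack_established_over() {
    awk -v limit="$2" '
        {
            for (i = 1; i <= NF; i++) if ($i == "tcp") break
            if (i > NF - 3) next
            if ($(i + 3) == "ESTABLISHED" && $(i + 2) + 0 > limit) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Write a constructed sample table (documentation addresses) to file $1.
write_sample() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=1025 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1025 [ASSURED] use=1
tcp      6 5400 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=1026 dport=80 src=198.51.100.7 dst=192.0.2.10 sport=80 dport=1026 [ASSURED] use=1
tcp      6 57 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=1027 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=1027 [ASSURED] use=1
udp      17 12 src=192.0.2.10 dst=203.0.113.53 sport=1030 dport=53 src=203.0.113.53 dst=192.0.2.10 sport=53 dport=1030 use=1
ipv4     2 tcp      6 431000 ESTABLISHED src=192.0.2.10 dst=198.51.100.9 sport=1031 dport=443 src=198.51.100.9 dst=192.0.2.10 sport=443 dport=1031 [ASSURED] mark=0 use=2
EOF
}

# Optional: pass a conntrack file (e.g. /proc/net/ip_conntrack, as root).
if [ -n "${1:-}" ]; then conntrack_tcp_summary "$1"; fi
```

Flushing the iptables rules does not touch these entries, so the summary can be compared before and after a rule change to see whether stale ESTABLISHED entries remain.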


