jan ardosa wrote:
> Hi to all. I have Shorewall ver 2.0.13 running in Fedora Core 3,
> the machine has dual CPUs, 1 GB of RAM, and 40 GB of hard disk space.
> The machine runs Shorewall only; I have tested it with OpenVPN, but most
> of the time it is just Shorewall.
>
> The problem: there are instances when Internet traffic coming from
> the local network just halts, and I need to restart Shorewall in order
> for the traffic to flow again. I'm considering a lot of factors; one may be
> the interfaces. I have one external LAN card and the other is built-in (VIA
> LAN controller), and I'm suspecting one just can't handle the flow of
> data; I'm actually thinking of ways to prove this. Another factor
> may be an already existing issue with this version of Shorewall.
As you may know, Shorewall is simply setting up iptables for you. Once
it sets up iptables it exits. So, Shorewall itself will have a
difficult time being the source of your performance problems.
You don't give an indication of the amount of traffic through your
firewall. But, I'm going to guess and say you may be running out of
ip_conntrack buckets.
You could try increasing ip_conntrack_max via sysctl. The value is held
in /proc/sys/net/ipv4/ip_conntrack_max.
Not sure if this is the correct way... but when the problem happens you
can try going to /proc/net and running "wc -l ip_conntrack" to see how many
open connections are being tracked.
--
"A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools."
--Ford Prefect in "Mostly Harmless".
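The check suggested in the reply, written out as a script. This is an added example, not code from either poster or from the Shorewall project. It compares the number of entries in the conntrack table with the configured limit so you can see whether a stall coincides with the table filling up. The 2.6-era paths from the thread (/proc/net/ip_conntrack, /proc/sys/net/ipv4/ip_conntrack_max) are tried first, then the paths current kernels use (/proc/net/nf_conntrack, /proc/sys/net/netfilter/nf_conntrack_max); if neither is present (module not loaded, or not on Linux) it runs the same report over a constructed sample table so the logic can still be exercised. The 80% warning threshold and the sample contents are my choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: is the conntrack table close to full?
# One table entry per line, so "wc -l" on the table gives the tracked count.

# Number of tracked connections in the given table file.
conntrack_count() {
    wc -l < "$1" | tr -d ' '
}

# Configured table limit from the given sysctl file.
conntrack_max() {
    tr -d ' \n' < "$1"
}

# Integer percentage of the table in use; 0 if the limit is unusable.
conntrack_usage_pct() {
    count=$1
    max=$2
    if [ "$max" -le 0 ] 2>/dev/null; then
        echo 0
        return
    fi
    echo $(( count * 100 / max ))
}

# Echo the first readable path from the arguments; status 1 if none.
first_existing() {
    for p in "$@"; do
        if [ -r "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Print usage; return 1 (and warn) when usage reaches the threshold (default 80%).
# When the table actually fills, the kernel logs "table full, dropping packet"
# and new connections through the firewall stall, which matches the symptom
# described in the thread.
conntrack_report() {
    table=$1
    maxfile=$2
    threshold=${3:-80}
    count=$(conntrack_count "$table")
    max=$(conntrack_max "$maxfile")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "tracked=$count max=$max usage=${pct}%"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table is ${pct}% full"
        echo "  consider raising the limit, e.g. sysctl -w net.ipv4.ip_conntrack_max=<larger value>"
        return 1
    fi
    return 0
}

# Constructed sample data (not captured from a real host) for offline runs.
demo_on_sample() {
    d=$(mktemp -d)
    cat > "$d/ip_conntrack" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=40000 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.11 dst=203.0.113.6 sport=40001 dport=443 [UNREPLIED] src=203.0.113.6 dst=198.51.100.2 sport=443 dport=40001 use=1
udp      17 29 src=192.168.1.12 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.2 sport=53 dport=5353 use=1
EOF
    echo 4096 > "$d/ip_conntrack_max"
    echo "(no conntrack table under /proc; reporting on constructed sample in $d)"
    conntrack_report "$d/ip_conntrack" "$d/ip_conntrack_max" "$@"
    rm -rf "$d"
}

main() {
    table=$(first_existing /proc/net/ip_conntrack /proc/net/nf_conntrack) || { demo_on_sample "$@"; return; }
    maxfile=$(first_existing /proc/sys/net/ipv4/ip_conntrack_max \
                             /proc/sys/net/netfilter/nf_conntrack_max) || { demo_on_sample "$@"; return; }
    conntrack_report "$table" "$maxfile" "$@"
}

main "$@"
```

Run it while the stall is happening, not afterwards: conntrack entries time out (the third column of each line is the remaining timeout in seconds), so a table that was full during the outage can look half empty a few minutes later. Two caveats for that era's kernels: ip_conntrack_max defaults to a multiple of the hash table size, so if you raise the max substantially you may also want a larger hashsize (an ip_conntrack module parameter) to keep lookups cheap; and a table that fills with [UNREPLIED] entries points at a flood or a return-path problem rather than at legitimate load.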