shorewall show connections shows 2-3000 stale connections on my firewall, most have this form

tcp 6 340940 ESTABLISHED src=192.168.182.7 dst=64.4.61.249 sport=1341 dport=80 packets=17 bytes=15182 [UNREPLIED] src=64.4.61.249 dst=192.168.182.7 sport=80 dport=1341 packets=0 bytes=0 mark=0 secmark=0 use=1

From what I understand the 340940 is the timeout value, the kernel values for this case are ...

from /proc/sys/net/ipv4/netfilter

ip_conntrack_sctp_timeout_established:432000
ip_conntrack_tcp_timeout_established:432000

which is 5 days ....

Isn't this a huge number ????

Regards
Harry.

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
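An added example, not part of the thread: a small Python script that parses the table format shown above (the /proc/net/ip_conntrack text that `shorewall show connections` prints; it also accepts the `ipv4 2 tcp 6 ...` prefix used by /proc/net/nf_conntrack) and counts the entries that match the pattern in the post, i.e. TCP flows in ESTABLISHED that are still UNREPLIED with zero reply packets, together with how many days each one will keep occupying the table. The sample lines are constructed; the first one is the entry quoted above.

```python
"""Parse conntrack table lines and flag ESTABLISHED/UNREPLIED TCP entries
that will sit in the table for days (added example, not from the thread)."""

import sys
from collections import Counter

# Kernel default quoted in the post: ip_conntrack_tcp_timeout_established
TCP_ESTABLISHED_TIMEOUT = 432000  # seconds
SECONDS_PER_DAY = 86400

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")

# Constructed sample table; the first line is the entry quoted in the post.
SAMPLE_TABLE = """\
tcp      6 340940 ESTABLISHED src=192.168.182.7 dst=64.4.61.249 sport=1341 dport=80 packets=17 bytes=15182 [UNREPLIED] src=64.4.61.249 dst=192.168.182.7 sport=80 dport=1341 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.182.9 dst=10.0.0.5 sport=40000 dport=22 packets=120 bytes=14000 src=10.0.0.5 dst=192.168.182.9 sport=22 dport=40000 packets=98 bytes=22000 [ASSURED] mark=0 secmark=0 use=1
tcp      6 42 TIME_WAIT src=192.168.182.7 dst=64.4.61.250 sport=1342 dport=80 packets=8 bytes=900 src=64.4.61.250 dst=192.168.182.7 sport=80 dport=1342 packets=6 bytes=3000 [ASSURED] mark=0 secmark=0 use=1
udp      17 25 src=192.168.182.7 dst=192.168.182.1 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.182.1 dst=192.168.182.7 sport=53 dport=5353 packets=0 bytes=0 mark=0 secmark=0 use=1
"""


def _tokens(line):
    """Split a line and drop the 'ipv4 2' / 'ipv6 10' nf_conntrack prefix."""
    tokens = line.split()
    if tokens[:1] in (["ipv4"], ["ipv6"]):
        tokens = tokens[2:]
    return tokens


def parse_entry(line):
    """Turn one conntrack line into a dict with original and reply tuples."""
    tokens = _tokens(line)
    proto, timeout = tokens[0], int(tokens[2])
    state, idx = None, 3
    if proto == "tcp":            # only TCP entries carry a state column
        state, idx = tokens[3], 4
    orig, reply, flags, extra = {}, {}, set(), {}
    current = orig
    for tok in tokens[idx:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])  # [UNREPLIED] / [ASSURED] markers
            continue
        key, _, value = tok.partition("=")
        if key == "src" and "src" in current:
            current = reply       # the second src= starts the reply tuple
        if key in TUPLE_KEYS:
            current[key] = int(value) if value.isdigit() else value
        else:
            extra[key] = value    # mark=, secmark=, use=, ...
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": orig, "reply": reply, "flags": flags, "extra": extra}


def parse_table(text):
    """Parse every line that looks like an entry; skip headers and blanks."""
    entries = []
    for line in text.splitlines():
        tokens = _tokens(line)
        if len(tokens) > 3 and tokens[2].isdigit():
            entries.append(parse_entry(line))
    return entries


def is_stale_established(entry):
    """ESTABLISHED TCP entry whose reply direction never carried a packet."""
    return (entry["proto"] == "tcp"
            and entry["state"] == "ESTABLISHED"
            and "UNREPLIED" in entry["flags"]
            and entry["reply"].get("packets", 0) == 0)


def remaining_days(entry):
    """Days until the kernel expires this entry if no packet refreshes it."""
    return entry["timeout"] / SECONDS_PER_DAY


def summarize(entries):
    """Count entries by (proto, state, UNREPLIED | ASSURED | -)."""
    counts = Counter()
    for e in entries:
        tag = ("UNREPLIED" if "UNREPLIED" in e["flags"]
               else "ASSURED" if "ASSURED" in e["flags"] else "-")
        counts[(e["proto"], e["state"], tag)] += 1
    return counts


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TABLE
    entries = parse_table(text)
    for key, n in sorted(summarize(entries).items(), key=str):
        print(f"{n:6d}  {key}")
    stale = [e for e in entries if is_stale_established(e)]
    if stale:
        print(f"{len(stale)} ESTABLISHED/UNREPLIED entries; the longest will "
              f"linger {max(remaining_days(e) for e in stale):.1f} more days")
    print(f"tcp_timeout_established = {TCP_ESTABLISHED_TIMEOUT}s "
          f"= {TCP_ESTABLISHED_TIMEOUT / SECONDS_PER_DAY:.0f} days")
```

Run it with no input to see the constructed sample, or pipe the real table in with `shorewall show connections | python3 conntrack_stale.py`. The ESTABLISHED/UNREPLIED count is the number to watch: each such entry holds a conntrack slot for up to the full established timeout, so a large count is what drives the table toward its maximum and makes a shorter ip_conntrack_tcp_timeout_established worth considering.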
Harry Lachanas wrote:
> the kernel values for this case are ...
>
> from /proc/sys/net/ipv4/netfilter
>
> ip_conntrack_sctp_timeout_established:432000
> ip_conntrack_tcp_timeout_established:432000
>
> which is 5 days ....
>
>
> Isn't this a huge number ????

This has been a subject of occasional discussion over the years on the Netfilter development list. The problem is one of distinguishing dead connections from those that are simply idle. There was a promising change included in kernel 2.6.27 that attempts to do just that. People who tested the change in a controlled environment reported that it reduced the number of dead entries by 80-90%