On 3/12/12 3:13 PM, "Ziegler Karel" <ziegleka@gmail.com> wrote:

> Hi all,
>
> I want to ask how to set up in the right way nf_conntrack_max with
> shorewall on CentOS 6?
>
> If I use CentOS firewall (iptables) nf_conntrack_max is set to the value from
> /etc/sysctl.conf file. But with shorewall not, should I use
> /etc/shorewall/start?

That should work.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
www.shorewall.net    \________________________________________________
Hi Tom,

did you mean, that should it work generally or should I use something like this:
# echo "sysctl -w net.nf_conntrack_max=131072" >> /etc/shorewall/start ?

Karel Ziegler
e-mail: ziegleka@gmail.com

On 13.3.2012 00:28, Tom Eastep wrote:
> On 3/12/12 3:13 PM, "Ziegler Karel" <ziegleka@gmail.com> wrote:
>
>     Hi all,
>
>     I want to ask how to set up in the right way nf_conntrack_max
>     with shorewall on CentOS 6?
>
>     If I use CentOS firewall (iptables) nf_conntrack_max is set to the
>     value from /etc/sysctl.conf file. But with shorewall not, should I
>     use /etc/shorewall/start?
>
>
> That should work.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> www.shorewall.net    \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, 13 Mar 2012 07:36:08 +0100
Ziegler Karel <ziegleka@gmail.com> wrote:

> Hi Tom,
>
> did you mean, that should it work generally or should I use
> something like this: # echo "sysctl -w net.nf_conntrack_max=131072" >>
> /etc/shorewall/start?

Using /etc/sysctl.conf should work for shorewall too.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
On 03/12/2012 11:57 PM, Tuomo Soini wrote:
> On Tue, 13 Mar 2012 07:36:08 +0100
> Ziegler Karel <ziegleka@gmail.com> wrote:
>
>> Hi Tom,
>>
>> did you mean, that should it work generally or should I use
>> something like this: # echo "sysctl -w net.nf_conntrack_max=131072" >>
>> /etc/shorewall/start?
>
> Using /etc/sysctl.conf should work for shorewall too.
>

But I have confirmed that it doesn't.

Adding this to /etc/shorewall/init seems to do the job:

/sbin/sysctl -e -p /etc/sysctl.conf

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tue, 13 Mar 2012 07:27:14 -0700
Tom Eastep <teastep@shorewall.net> wrote:

>>> did you mean, that should it work generally or should I use
>>> something like this: # echo "sysctl -w
>>> net.nf_conntrack_max=131072" >> /etc/shorewall/start?
>>
>> Using /etc/sysctl.conf should work for shorewall too.
>>
>
> But I have confirmed that it doesn't.
>
> Adding this to /etc/shorewall/init seems to do the job:
>
> /sbin/sysctl -e -p /etc/sysctl.conf

I also verified that this _does_ work:

net.netfilter.nf_conntrack_max = 32768

but my system does run shorewall-init. I guess running it for shorewall
does change things.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
On 03/13/2012 09:06 AM, Tuomo Soini wrote:
> On Tue, 13 Mar 2012 07:27:14 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
>>>> did you mean, that should it work generally or should I use
>>>> something like this: # echo "sysctl -w
>>>> net.nf_conntrack_max=131072" >> /etc/shorewall/start?
>>>
>>> Using /etc/sysctl.conf should work for shorewall too.
>>>
>>
>> But I have confirmed that it doesn't.
>>
>> Adding this to /etc/shorewall/init seems to do the job:
>>
>> /sbin/sysctl -e -p /etc/sysctl.conf
>
> I also verified that this _does_ work:
>
> net.netfilter.nf_conntrack_max = 32768
>
> but my system does run shorewall-init. I guess running it for shorewall
> does change things.

I suspect that you use /etc/init.d/network rather than NetworkManager?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tue, 13 Mar 2012 09:15:40 -0700
Tom Eastep <teastep@shorewall.net> wrote:

> I suspect that you use /etc/init.d/network rather than NetworkManager?

Of course I don't use NetworkManager on servers. I disabled shorewall-init
and rebooted and sysctl.conf value for net.netfilter.nf_conntrack_max was
not updated. So just like I suspected: running shorewall-init causes
conntrack to load early enough for sysctl.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
I don't use NetworkManager. What is shorewall-init?

The problem is that shorewall loads kernel modules after /etc/rc.d/rc.sysinit
and during start does not reapply sysctl.conf.

--
Karel Ziegler
e-mail: ziegleka@gmail.com

On Tue, Mar 13, 2012 at 5:15 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 03/13/2012 09:06 AM, Tuomo Soini wrote:
> > On Tue, 13 Mar 2012 07:27:14 -0700
> > Tom Eastep <teastep@shorewall.net> wrote:
> >
> >>>> did you mean, that should it work generally or should I use
> >>>> something like this: # echo "sysctl -w
> >>>> net.nf_conntrack_max=131072" >> /etc/shorewall/start?
> >>>
> >>> Using /etc/sysctl.conf should work for shorewall too.
> >>>
> >>
> >> But I have confirmed that it doesn't.
> >>
> >> Adding this to /etc/shorewall/init seems to do the job:
> >>
> >> /sbin/sysctl -e -p /etc/sysctl.conf
> >
> > I also verified that this _does_ work:
> >
> > net.netfilter.nf_conntrack_max = 32768
> >
> > but my system does run shorewall-init. I guess running it for shorewall
> > does change things.
>
> I suspect that you use /etc/init.d/network rather than NetworkManager?
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
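The fix the thread converges on, as an added example that is not part of the thread or of Shorewall itself: a script for /etc/shorewall/init that re-applies sysctl.conf after Shorewall has loaded nf_conntrack (Tom's `sysctl -e -p` line) and then checks the live kernel value against the file, so a limit the kernel silently ignored is reported instead of left at the default. The sysctl root and conf path are parameters (an assumption made so the check can be exercised against a scratch directory), and both key spellings used in the thread, net.nf_conntrack_max and net.netfilter.nf_conntrack_max, are accepted.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Shorewall loads nf_conntrack after
# rc.sysinit has already applied /etc/sysctl.conf, so the conntrack limit in
# that file never reaches the kernel. Re-apply the file from
# /etc/shorewall/init, then verify the value actually took.

# Print the value configured for key $1 in the sysctl.conf-style file $2.
# Accepts "key = value" or "key=value", drops # and ; comments; the last
# occurrence wins, matching the order in which sysctl -p applies entries.
configured_sysctl() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n -e 's/[#;].*$//' \
        -e "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p" \
        "$2" | tail -n 1
}

# Print the live kernel value of key $1 under the sysctl root $2
# (normally /proc/sys); prints nothing if the module is not loaded yet.
live_sysctl() {
    cat "$2/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# Return 0 if the configured conntrack limit is in effect, 1 otherwise.
# net.nf_conntrack_max (Karel's key) and net.netfilter.nf_conntrack_max
# (Tuomo's key) are two names for the same knob, so either is accepted.
conntrack_max_applied() {
    conf=$1; sysroot=${2:-/proc/sys}
    want=$(configured_sysctl net.netfilter.nf_conntrack_max "$conf")
    [ -n "$want" ] || want=$(configured_sysctl net.nf_conntrack_max "$conf")
    [ -n "$want" ] || { echo "no nf_conntrack_max in $conf" >&2; return 1; }
    have=$(live_sysctl net.netfilter.nf_conntrack_max "$sysroot")
    [ "$want" = "$have" ]
}

# Entry point for /etc/shorewall/init: re-apply the file (Tom's line), then
# fail loudly instead of starting with the kernel default limit.
reapply_and_check() {
    conf=${1:-/etc/sysctl.conf}
    /sbin/sysctl -e -p "$conf" >/dev/null
    if ! conntrack_max_applied "$conf"; then
        echo "nf_conntrack_max not applied; is nf_conntrack loaded?" >&2
        return 1
    fi
}
```

Call `reapply_and_check` from /etc/shorewall/init; the other functions are also usable on their own to audit a running box without changing anything.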