On 10/2/12 11:02 AM, "Johnson, SE" <sjohnson@edina.k12.mn.us>
wrote:
> We're having issues lately with dropped connections going through our
> shorewall firewall. They seem to be very random in that they can happen at
> almost any time. The sites the users are connecting to are port to port
> connection based connections (not necessarily web). This interface has well
> over 2000 devices connecting to it.
>
> I've seen a similar issue in the past on other firewalls where the translation
> tables fill up and they are reused prematurely. I looked around a bit in
> shorewall and can't seem to find any configuration parameters for that. Does
> anyone know how I could resolve this? Or perhaps if I'm on the right track?
The size of the connection tracking table is determined by the settings of
/proc/sys/net/nf_conntrack_max. Shorewall doesn't implement a means for
setting that so you need to set it in /etc/sysctl.conf. When the table
overflows, there is a log message generated: "ip_conntrack: table full,
dropping packet".
-Tom
You do not need a parachute to skydive. You only need a parachute to skydive
twice.
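An added check for the condition Tom describes (example script, not code from this thread or from Shorewall): it reports how full the conntrack table is and counts the "table full, dropping packet" kernel log line. The modern sysctl paths under /proc/sys/net/netfilter/ and the key net.netfilter.nf_conntrack_max are assumptions about the host; both functions take file paths so they also run against the constructed samples below.

```shell
#!/bin/sh
# Added example, not from the thread. Live paths on a current kernel
# (assumed, and only present on Linux with the conntrack module loaded):
#   /proc/sys/net/netfilter/nf_conntrack_max
#   /proc/sys/net/netfilter/nf_conntrack_count

# Print the integer percentage of the conntrack table currently in use.
# Args: COUNT_FILE MAX_FILE. Fails if the limit is zero or unreadable.
conntrack_usage_pct() {
    count=$(cat "$1") || return 1
    max=$(cat "$2") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Count overflow events in a kernel log. The pattern matches both the
# old "ip_conntrack:" prefix quoted by Tom and the newer "nf_conntrack:".
count_table_full_events() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# Demo against constructed sample files instead of the live /proc entries.
demo() {
    d=$(mktemp -d)
    printf '65536\n' > "$d/max"     # constructed nf_conntrack_max
    printf '62000\n' > "$d/count"   # constructed nf_conntrack_count
    cat > "$d/kern.log" <<'EOF'
Oct  2 10:58:01 fw kernel: ip_conntrack: table full, dropping packet.
Oct  2 10:58:01 fw kernel: ip_conntrack: table full, dropping packet.
Oct  2 11:00:15 fw kernel: eth0: link up
EOF
    pct=$(conntrack_usage_pct "$d/count" "$d/max")
    drops=$(count_table_full_events "$d/kern.log")
    echo "conntrack table ${pct}% used, ${drops} overflow events logged"
    if [ "$pct" -ge 80 ] || [ "$drops" -gt 0 ]; then
        # Assumed sysctl key; the value is a placeholder to size for your load.
        echo "raise the limit in /etc/sysctl.conf: net.netfilter.nf_conntrack_max = 262144"
    fi
    rm -rf "$d"
}

demo
```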