Hi all,
We are going to use iptables on our firewall box. I've been browsing the
mailing list archives and one particular thread has my interest. It's
regarding the connection tracking in iptables and that there appears to be
no way (yet?) of shutting it off per certain rules. Is this still the case
as of today?
If we do not include the ip_conntrack module into the kernel, does netfilter
basically NOT track connections and our filters just end up working like
ipchains?
My concern comes from some of the posts about people having connections dropped
because they did not have enough RAM to support the number of connections
they needed, as set in /proc/sys/net/ipv4/ip_conntrack_max.
99% of our traffic will be HTTP to servers behind our firewall that support
15-25K visitors a day.
Our firewall box is a PIII 850 with 256MB of RAM. Does this sound like
enough?
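A small monitoring check, added here as an example and not part of the original post: it reports how full the connection-tracking table is relative to the ip_conntrack_max limit the post mentions, and warns before the table fills and the kernel starts dropping packets. The sysctl paths are assumptions (the ip_conntrack names from the post, with the newer nf_conntrack names as a fallback); the 80% warning threshold is an arbitrary default. The computation is split into a pure function so it can be exercised with constructed numbers without a live kernel.

```shell
#!/bin/sh
# Added example (not from the original post): warn before the iptables
# connection-tracking table overflows.

# conntrack_usage COUNT MAX [THRESHOLD]
#   Prints "COUNT/MAX (PCT%)" and returns 0 while usage is below THRESHOLD
#   percent (assumed default 80), 1 once it reaches or exceeds it.
conntrack_usage() {
    count=$1
    max=$2
    threshold=${3:-80}
    pct=$(( count * 100 / max ))
    echo "$count/$max (${pct}%)"
    [ "$pct" -lt "$threshold" ]
}

# read_first FILE...  -> prints the contents of the first readable file
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# conntrack_check [THRESHOLD]
#   Runs the usage check against the running kernel. Paths are assumed:
#   the old ip_conntrack sysctls first, the nf_conntrack ones as fallback.
#   Returns 2 when no conntrack sysctl exists (module not loaded, so
#   nothing is being tracked and there is no table to fill).
conntrack_check() {
    max=$(read_first /proc/sys/net/ipv4/ip_conntrack_max \
                     /proc/sys/net/netfilter/nf_conntrack_max) || {
        echo "connection tracking not loaded (no conntrack_max sysctl)"
        return 2
    }
    count=$(read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                       /proc/sys/net/netfilter/nf_conntrack_count) || {
        echo "conntrack_count sysctl not available"
        return 2
    }
    if conntrack_usage "$count" "$max" "$1"; then
        echo "ok"
    else
        echo "WARNING: conntrack table at or above ${1:-80}% of its limit;" \
             "raise conntrack_max or expect dropped packets"
        return 1
    fi
}
```

Run `conntrack_check` from cron or a monitoring agent and alert on a non-zero exit. When the table does fill, the kernel logs "ip_conntrack: table full, dropping packet" (nf_conntrack in newer kernels), so grepping dmesg for that string is a useful second signal that the limit was too low for the traffic.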