I'm looking for some firewall tweaking advice. We have a dedicated
firewall which ran out of conntrack slots recently. We had already
tweaked the number max_conntracks to 131072. That box was an RHEL 4 box.
We are building a new firewall, based on 2.6.22. Reading some older
docs, they mention that if you can, set conntrack_buckets to the same as
conntrack_max, if memory permits. This box has plenty, 512 MB. In the
sample reference doc, it says that you can do about 1048576 at a cost of
about 300 MB of RAM. This is fine.

Since this is a dedicated firewall box, with only ssh, cron, smartd and
sysstat running on it, what would you recommend the settings to be? And
what is the best way to set these (/etc/sysctl.conf)?

Playing around I found that I can set nf_conntrack_max to the value, but
when I set nf_conntrack_buckets to the same I get permission denied.
nf_conntrack_buckets is set to 4096, which if I read the documentation
correctly, would slow down the linked list parsing as it would have to
refer to the conntrack list more often.
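An added shell helper, not code from the original post, that reads the conntrack knobs, estimates memory from the post's own figure (1048576 entries for about 300 MB, so roughly 300 bytes per entry, an approximation) and prints the lines needed to persist the settings. On 2.6-era kernels the nf_conntrack_buckets sysctl is read-only (hence the permission denied); the bucket count is changed through the nf_conntrack module parameter hashsize, which is the path shown here. The fallback values are constructed samples matching the post (max 131072, buckets 4096) so the script also runs where nf_conntrack is not loaded.

```shell
#!/bin/sh
# Sizing helper for nf_conntrack on a 2.6-era Linux firewall (added example).
SYSCTL_DIR=/proc/sys/net/netfilter
HASHSIZE=/sys/module/nf_conntrack/parameters/hashsize

# Read a kernel knob, using the fallback when the file is absent so the
# script also runs on a box without nf_conntrack loaded.
read_knob() { # $1 path, $2 fallback (constructed sample value)
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

# Memory estimate in KiB. ~300 bytes per entry is derived from the post's
# figure (1048576 entries ~ 300 MB); each bucket is one 8-byte pointer on
# x86_64. Both are approximations, not exact kernel struct sizes.
conntrack_mem_kb() { # $1 max entries, $2 buckets
    echo $(( ($1 * 300 + $2 * 8) / 1024 ))
}

# Average hash chain length with a full table: the list-walking cost the
# post worries about when buckets are far smaller than max.
conntrack_chain_len() { # $1 max entries, $2 buckets
    echo $(( $1 / $2 ))
}

# Table utilisation in percent, useful as a monitoring threshold.
conntrack_usage_pct() { # $1 current count, $2 max
    echo $(( $1 * 100 / $2 ))
}

conntrack_report() {
    max=$(read_knob "$SYSCTL_DIR/nf_conntrack_max" 131072)
    count=$(read_knob "$SYSCTL_DIR/nf_conntrack_count" 0)
    buckets=$(read_knob "$SYSCTL_DIR/nf_conntrack_buckets" 4096)
    echo "max=$max count=$count buckets=$buckets"
    echo "usage=$(conntrack_usage_pct "$count" "$max")%"
    echo "avg chain length at full table=$(conntrack_chain_len "$max" "$buckets")"
    echo "estimated memory=$(conntrack_mem_kb "$max" "$buckets") KiB"
    # The /proc/sys entry for buckets is read-only on these kernels; the
    # module parameter is the writable knob. Persist both across reboots.
    echo "Runtime:       echo $max > $HASHSIZE"
    echo "sysctl.conf:   net.netfilter.nf_conntrack_max = $max"
    echo "modprobe.conf: options nf_conntrack hashsize=$max"
}

conntrack_report
```

Setting buckets equal to max gives an average chain length of 1 at a full table; with the post's 131072/4096 the average chain is 32 entries long.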