* ip_conntrack_max
@ 2003-02-13 19:04 homsher
0 siblings, 0 replies; 14+ messages in thread
From: homsher @ 2003-02-13 19:04 UTC (permalink / raw)
To: netfilter
Hi everyone,
I hope this is an easy question for someone...
I upgraded my memory to 1.3 GB and my ip_conntrack_max increased to 65536 (from 16,xxx). Does this seem sufficient for a 50+ network? I've noticed that ip_conntrack tends to 'hang onto' connections when the remote client terminates abruptly. For example, an incoming ssh connection on which the ssh client is rebooted may stay in ip_conntrack for 15 minutes or more -- I'm watching this now and it's been 20 minutes. The ssh client machine got M$ blue-screen-o-death and my iptables firewall hasn't figured out that the connection is gone.
My question(s) are: Is it normal for conntrack entries to hang around after the remote connection has terminated ungracefully? If so, should the state table be 'cleaned up' periodically (and how is this done)?
And, what happens if/when the firewall exceeds the 65536 connection limit?
Thanks to anyone who can enlighten me on this!
Lori
^ permalink raw reply [flat|nested] 14+ messages in thread
* ip_conntrack_max
@ 2004-07-08 9:34 Fallucchi Antonio
2004-07-08 12:29 ` OT: ip_conntrack_max Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 9:34 UTC (permalink / raw)
To: netfilter
Hi
I have the problem with "ip_conntrack: table full, dropping packet."
What is a good size, and the maximum size, for ip_conntrack_max?
Thanks.
Bye
--
---------------------------------------------------------------
| ||||||| || | Fallucchi Antonio Giuseppe mat. 2282 |
| || |||| | --> Live free() of die() <-- |
| |||| || || | OpenSource philisophy |
| || |||||||| | Universita' di Bologna sede di Cesena |
| || || || | Cdl di Scienze dell'Informazione |
---------------------------------------------------------------
* ip_conntrack_max
@ 2004-07-08 9:38 Fallucchi Antonio
2004-07-08 9:56 ` ip_conntrack_max Antony Stone
2004-07-08 9:56 ` ip_conntrack_max Evgeni Vachkov
0 siblings, 2 replies; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 9:38 UTC (permalink / raw)
To: netfilter
Hi
I have the problem with "ip_conntrack: table full, dropping packet."
What is a good size, and the maximum size, for ip_conntrack_max?
Thanks.
Bye
* Re: ip_conntrack_max
2004-07-08 9:38 ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 9:56 ` Antony Stone
2004-07-08 10:31 ` ip_conntrack_max Fallucchi Antonio
2004-07-08 9:56 ` ip_conntrack_max Evgeni Vachkov
1 sibling, 1 reply; 14+ messages in thread
From: Antony Stone @ 2004-07-08 9:56 UTC (permalink / raw)
To: netfilter
On Thursday 08 July 2004 10:38 am, Fallucchi Antonio wrote:
> Hi
>
> I have the problem with "ip_conntrack: table full, dropping packet."
>
> What is a good size, and the maximum size, for ip_conntrack_max?
The answer to this depends on:
1. How many connections you need to support through your firewall.
2. How much memory you have in your machine (each connection table entry uses
a small amount of memory, therefore this is what sets the limit on the
maximum size you can make it on a given machine).
What is the output of "wc -l /proc/net/ip_conntrack", and how much memory do
you have in your system?
Regards,
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
Please reply to the list;
please don't CC me.
* Re: ip_conntrack_max
2004-07-08 9:38 ip_conntrack_max Fallucchi Antonio
2004-07-08 9:56 ` ip_conntrack_max Antony Stone
@ 2004-07-08 9:56 ` Evgeni Vachkov
1 sibling, 0 replies; 14+ messages in thread
From: Evgeni Vachkov @ 2004-07-08 9:56 UTC (permalink / raw)
To: netfilter
try http://leaf.sourceforge.net/doc/guide/bk05ch13.html
Regards,
Evgeni
On Thu, 2004-07-08 at 10:38, Fallucchi Antonio wrote:
> Hi
>
> I have the problem with "ip_conntrack: table full, dropping packet."
>
> What is a good size, and the maximum size, for ip_conntrack_max?
>
> Thanks.
> Bye
* Re: ip_conntrack_max
2004-07-08 9:56 ` ip_conntrack_max Antony Stone
@ 2004-07-08 10:31 ` Fallucchi Antonio
2004-07-08 10:52 ` ip_conntrack_max Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 10:31 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/html, Size: 1526 bytes --]
* Re: ip_conntrack_max
2004-07-08 10:31 ` ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 10:52 ` Antony Stone
2004-07-08 13:13 ` ip_conntrack_max Fallucchi Antonio
0 siblings, 1 reply; 14+ messages in thread
From: Antony Stone @ 2004-07-08 10:52 UTC (permalink / raw)
To: netfilter
On Thursday 08 July 2004 11:31 am, Fallucchi Antonio wrote:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
Oh, please don't post html to the list....
I'll edit the crap out of this so you can see my response, but I may not reply
to other html emails....
> Antony Stone wrote:
>
> 1. How many connections you need to support through your firewall.
> 2. How much memory you have in your machine (each connection table entry
> uses a small amount of memory, therefore this is what sets the limit on the
> maximum size you can make it on a given machine).
> The memory of my machine is 128 MB; I don't know how many connections I
> need.
128Mbytes should be enough for a few thousand connections. As for how many
do you need, a starting point is:
1. How many client computers do you have in your LAN accessing the Internet
through the firewall? (allow a maximum of 10 connections per PC at any given
time - this will be an overestimate, but not by a ridiculous factor).
2. Do you run any servers on your DMZ accessible from the Internet? Mail
servers, web servers, and name servers will all generate different volumes of
connections, but if you allow 50-100 connections per server, again that
should be a worthwhile estimate.
> What is the output of "wc -l /proc/net/ip_conntrack", and how much memory
> do you have in your system?
>
> wc -l /proc/net/ip_conntrack
> 626 /proc/net/ip_conntrack
In that case something is wrong with your system. 626 connections is hardly
anything - I do not see how you can be running out of conntrack table entries
with only 626 current connections.
What is the value in /proc/sys/net/ipv4/ip_conntrack_max ?
Regards,
Antony.
--
Ramdisk is not an installation procedure.
Please reply to the list;
please don't CC me.
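Antony's advice above (count the table with wc -l, compare with ip_conntrack_max, and estimate need as roughly 10 connections per client and 50-100 per server) as a small check script. This is an added example, not code from the thread; the default file paths are the 2.4/2.6-era ones named in the thread, the sample table is constructed, and current kernels expose the same data as /proc/net/nf_conntrack and /proc/sys/net/netfilter/nf_conntrack_max.

```shell
#!/bin/sh
# Added example, not from the thread: turn Antony's sizing advice into a check.
# Defaults are the 2.4/2.6-era files named in the thread; on current kernels
# pass /proc/net/nf_conntrack and /proc/sys/net/netfilter/nf_conntrack_max.

# Antony's rule of thumb: at most 10 connections per LAN client and 50-100 per
# Internet-facing server. Prints the upper-bound estimate.
estimate_needed() {
    echo $(( $1 * 10 + $2 * 100 ))
}

# Prints "<used> <max> <percent>" for a conntrack table file and its limit file
# (the thread's "wc -l /proc/net/ip_conntrack" next to ip_conntrack_max).
conntrack_usage() {
    table=${1:-/proc/net/ip_conntrack}
    limit=${2:-/proc/sys/net/ipv4/ip_conntrack_max}
    used=$(wc -l < "$table" | tr -d ' ')
    max=$(cat "$limit")
    echo "$used $max $(( used * 100 / max ))"
}

# Returns 0 while usage is below THRESHOLD percent (default 80), 1 otherwise,
# so a cron job can warn before the kernel logs "table full, dropping packet".
conntrack_ok() {
    threshold=${3:-80}
    set -- $(conntrack_usage "$1" "$2")
    if [ "$3" -ge "$threshold" ]; then
        echo "conntrack table $3% full ($1 of $2)" >&2
        return 1
    fi
    return 0
}

# Constructed sample in /proc/net/ip_conntrack format (three entries), so the
# functions above can be exercised without a live firewall.
sample_table() {
    cat > "$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=3456 dport=80 src=10.0.0.1 dst=192.168.1.10 sport=80 dport=3456 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=10.0.0.2 sport=3457 dport=80 src=10.0.0.2 dst=192.168.1.10 sport=80 dport=3457 [ASSURED] use=1
udp      17 29 src=192.168.1.11 dst=192.168.1.1 sport=1025 dport=53 src=192.168.1.1 dst=192.168.1.11 sport=53 dport=1025 use=1
EOF
}

# Usage: sh conntrack-check.sh CLIENTS SERVERS   (reads the live /proc files)
if [ "$#" -eq 2 ]; then
    echo "estimated need: $(estimate_needed "$1" "$2") entries"
    set -- $(conntrack_usage)
    echo "in use: $1 of $2 ($3%)"
    conntrack_ok
fi
```

With Antonio's 20 clients and 5 servers the estimate is 700 entries, which is why his 10240 limit and 626 live entries should not produce "table full" messages.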
* OT: Re: ip_conntrack_max
2004-07-08 9:34 ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 12:29 ` Antony Stone
0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2004-07-08 12:29 UTC (permalink / raw)
To: netfilter
On Thursday 08 July 2004 10:34 am, Fallucchi Antonio wrote:
---------------------------------------------------------------
| ||||||| || | Fallucchi Antonio Giuseppe mat. 2282 |
| || |||| | --> Live free() of die() <-- |
| |||| || || | OpenSource philisophy |
| || |||||||| | Universita' di Bologna sede di Cesena |
| || || || | Cdl di Scienze dell'Informazione |
---------------------------------------------------------------
You might want to change that to "Live free() or die()" and "OpenSource
philosophy". I'll assume the rest is spelled correctly :)
Regards,
Antony.
--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.
Please reply to the list;
please don't CC me.
* Re: ip_conntrack_max
2004-07-08 10:52 ` ip_conntrack_max Antony Stone
@ 2004-07-08 13:13 ` Fallucchi Antonio
2004-07-08 13:29 ` ip_conntrack_max Antony Stone
2004-07-08 15:28 ` ip_conntrack_max James Sneeringer
0 siblings, 2 replies; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 13:13 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
Oh, excuse me for the HTML!
>128Mbytes should be enough for a few thousand connections. As for how many
>do you need, a starting point is:
>
>1. How many client computers do you have in your LAN accessing the Internet
>through the firewall? (allow a maximum of 10 connections per PC at any given
>time - this will be an overestimate, but not by a ridiculous factor).
>
>2. Do you run any servers on your DMZ accessible from the Internet? Mail
>servers, web servers, and name servers will all generate different volumes of
>connections, but if you allow 50-100 connections per server, again that
>should be a worthwhile estimate.
>
>
>
Very well, thanks. I have 20 computers in the LAN and 5 servers.
Another question: how can I limit the number of connections for every
computer?
>In that case something is wrong with your system. 626 connections is hardly
>anything - I do not see how you can be running out of conntrack table entries
>with only 626 current connections.
>
>What is the value in /proc/sys/net/ipv4/ip_conntrack_max ?
>
>
>
ip_conntrack_max now is 10240.
bye
Antonio!
* Re: ip_conntrack_max
2004-07-08 13:13 ` ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 13:29 ` Antony Stone
2004-07-08 17:02 ` ip_conntrack_max Fallucchi Antonio
2004-07-08 17:21 ` ip_conntrack_max Fallucchi Antonio
2004-07-08 15:28 ` ip_conntrack_max James Sneeringer
1 sibling, 2 replies; 14+ messages in thread
From: Antony Stone @ 2004-07-08 13:29 UTC (permalink / raw)
To: netfilter
On Thursday 08 July 2004 2:13 pm, Fallucchi Antonio wrote:
> Antony Stone wrote:
>
> oh!, excuse me for the html!
Thanks for turning it off.
> I have 20 computers in the LAN and 5 servers.
In that case a 128Mbyte machine should have no trouble.
> Another question: how can I limit the number of connections for every
> computer?
This is difficult. I think we should start by asking "what do you mean by a
connection?" Remember that many web browsers, for example, will open 5-10
simultaneous connections in order to load all the elements of a web page.
DNS needs its own connections in order to do name lookups. Some connections
are long-term (eg: telnet, ssh - even when you're not typing, the connection
is still there), some are very transient (eg: http - once you have the page
displayed, there's no connection between your browser and the server until
you click on another hyperlink).
Why do you want to limit connections per machine? What are you trying to
achieve?
> >What is the value in /proc/sys/net/ipv4/ip_conntrack_max ?
>
> ip_conntrack_max now is 10240.
That sounds fine. Tell us if you get "connection tracking table full" errors
again.
Regards,
Antony.
--
Success is a lousy teacher. It seduces smart people into thinking they can't
lose.
- William H Gates III
Please reply to the list;
please don't CC me.
* Re: ip_conntrack_max
2004-07-08 13:13 ` ip_conntrack_max Fallucchi Antonio
2004-07-08 13:29 ` ip_conntrack_max Antony Stone
@ 2004-07-08 15:28 ` James Sneeringer
1 sibling, 0 replies; 14+ messages in thread
From: James Sneeringer @ 2004-07-08 15:28 UTC (permalink / raw)
To: netfilter
On Thu, Jul 08, 2004 at 03:13:09PM +0200, Fallucchi Antonio wrote:
> Another question: how can I limit the number of connections for every
> computer?
POM has a "connlimit" module that does this for TCP connections. I have
not used it, so I don't know how well (or how poorly) it works.
http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-connlimit
-James
* Re: ip_conntrack_max
2004-07-08 13:29 ` ip_conntrack_max Antony Stone
@ 2004-07-08 17:02 ` Fallucchi Antonio
2004-07-08 17:21 ` ip_conntrack_max Fallucchi Antonio
1 sibling, 0 replies; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 17:02 UTC (permalink / raw)
To: netfilter
> This is difficult. I think we should start by asking "what do you mean
> by a
> connection?" Remember that many web browsers, for example, will open 5-10
> simultaneous connections in order to load all the elements of a web page.
> DNS needs its own connections in order to do name lookups. Some
> connections
> are long-term (eg: telnet, ssh - even when you're not typing, the
> connection
> is still there), some are very transient (eg: http - once you have the
> page
> displayed, there's no connection between your browser and the server
> until
> you click on another hyperlink).
>
Thanks for the instructions.
> Why do you want to limit connections per machine? What are you
> trying to
> achieve?
>
The problem is the P2P software, which creates a lot of connections in
conntrack.
Because filtering every P2P port is very difficult, I thought that limiting
the number of simultaneous connections is a good idea.
>That sounds fine. Tell us if you get "connection tracking table full" errors
>again.
>
>Regards,
>
>Antony.
>
>
>
Bye
PS: is the signature OK now?
--
---------------------------------------------------------------
| ||||||| || | Fallucchi Antonio Giuseppe mat. 2282 |
| || |||| | --> Live free() of die() <-- |
| |||| || || | OpenSource philosophy |
| || |||||||| | Universita' di Bologna sede di Cesena |
| || || || | Cdl di Scienze dell'Informazione |
---------------------------------------------------------------
* Re: ip_conntrack_max
2004-07-08 13:29 ` ip_conntrack_max Antony Stone
2004-07-08 17:02 ` ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 17:21 ` Fallucchi Antonio
2004-07-08 17:42 ` ip_conntrack_max Antony Stone
1 sibling, 1 reply; 14+ messages in thread
From: Fallucchi Antonio @ 2004-07-08 17:21 UTC (permalink / raw)
To: netfilter
>
> This is difficult. I think we should start by asking "what do you mean
> by a
> connection?" Remember that many web browsers, for example, will open 5-10
> simultaneous connections in order to load all the elements of a web page.
> DNS needs its own connections in order to do name lookups. Some
> connections
> are long-term (eg: telnet, ssh - even when you're not typing, the
> connection
> is still there), some are very transient (eg: http - once you have the
> page
> displayed, there's no connection between your browser and the server
> until
> you click on another hyperlink).
>
Thanks for the instructions.
> Why do you want to limit connections per machine? What are you
> trying to
> achieve?
>
The problem is the P2P software, which creates a lot of connections in
conntrack.
Because filtering every P2P port is very difficult, I thought that limiting
the number of simultaneous connections is a good idea.
>That sounds fine. Tell us if you get "connection tracking table full" errors
>again.
>
>Regards,
>
>Antony.
>
>
>
Bye
PS: is the signature OK now?
--
---------------------------------------------------------------
| ||||||| || | Fallucchi Antonio Giuseppe mat. 2282 |
| || |||| | --> Live free() of die() <-- |
| |||| || || | OpenSource philosophy |
| || |||||||| | Universita' di Bologna sede di Cesena |
| || || || | Cdl di Scienze dell'Informazione |
---------------------------------------------------------------
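Before limiting or proxying anything, it helps to know which LAN host is actually holding the conntrack entries that Antonio attributes to P2P clients. The following is an added example, not code from the thread or from netfilter: it counts entries per initiating host from the /proc/net/ip_conntrack format shown above (the same parsing works on /proc/net/nf_conntrack of current kernels), and the sample table it generates is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count conntrack entries per internal host
# so the machine filling the table (a P2P client, say) is found before anyone
# raises ip_conntrack_max. Both /proc/net/ip_conntrack (thread's kernel) and
# /proc/net/nf_conntrack (current kernels, lines prefixed "ipv4 2") put the
# original-direction tuple first, so the first src= field is the initiator.

# Prints "<entries> <ip>" per initiating host, busiest first. An optional
# dotted PREFIX such as 192.168.1. restricts output to the LAN side.
top_talkers() {
    table=${1:-/proc/net/ip_conntrack}
    awk -v pfx="${2:-}" '
        {
            ip = ""
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "src=") { ip = substr($i, 5); break }
            if (ip != "" && (pfx == "" || index(ip, pfx) == 1)) n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' "$table" | sort -rn
}

# Prints only hosts holding more than LIMIT entries: the candidates for a
# per-host limit (what the connlimit suggestion in this thread would enforce).
over_limit() {
    top_talkers "$1" "$3" | awk -v lim="$2" '$1 > lim'
}

# Constructed sample: host .20 holds 40 entries to different peers on one port
# (P2P-like), .10 holds 3 web connections, .11 one DNS lookup.
sample_table() {
    : > "$1"
    i=0
    while [ "$i" -lt 40 ]; do
        echo "tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=10.0.0.$((i + 1)) sport=$((40000 + i)) dport=6881 src=10.0.0.$((i + 1)) dst=192.168.1.20 sport=6881 dport=$((40000 + i)) [ASSURED] use=1" >> "$1"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        echo "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.1.0.1 sport=$((3000 + i)) dport=80 src=10.1.0.1 dst=192.168.1.10 sport=80 dport=$((3000 + i)) [ASSURED] use=1" >> "$1"
        i=$((i + 1))
    done
    echo "udp      17 29 src=192.168.1.11 dst=192.168.1.1 sport=1025 dport=53 src=192.168.1.1 dst=192.168.1.11 sport=53 dport=1025 use=1" >> "$1"
}

# Usage: sh conntrack-hosts.sh [TABLE] [PREFIX] [LIMIT]   (defaults: live table)
if [ "$#" -gt 0 ]; then
    echo "busiest hosts:"
    top_talkers "$1" "$2" | head -n 10
    if [ -n "$3" ]; then
        echo "over $3 entries:"
        over_limit "$1" "$3" "$2"
    fi
fi
```

Note that PREFIX is a plain string prefix, so 192.168.1.1 would also match 192.168.1.10; end it with a dot to select a subnet.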
* Re: ip_conntrack_max
2004-07-08 17:21 ` ip_conntrack_max Fallucchi Antonio
@ 2004-07-08 17:42 ` Antony Stone
0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2004-07-08 17:42 UTC (permalink / raw)
To: netfilter
On Thursday 08 July 2004 6:21 pm, Fallucchi Antonio wrote:
> > Why do you want to limit connections per machine? What are you
> > trying to achieve?
>
> The problem is the P2P software, which creates a lot of connections in
> conntrack.
> Because filtering every P2P port is very difficult, I thought that limiting
> the number of simultaneous connections is a good idea.
I think the right solution for this problem is to connect your internal users
through proxy machines, so they can't do direct P2P connections at all.
What network connections do your users need? Email is SMTP / POP3 / IMAP to
a local server (or a single specified server at your ISP). HTTP / HTTPS /
FTP you can proxy very simply through Squid. DNS should be to a local
caching server only (on the same machine as Squid for good Squid
performance). If you need to allow SSH, then only allow it from one
specific machine on your network, which people have to connect through (and
disable port forwarding).
I can't think of any other protocols you're likely to need, and this should
stop all P2P activity as well as enhance the performance of your network by
using a caching proxy server for the website which can be cached.
> PS: is the signature OK now?
---------------------------------------------------------------
| ||||||| || | Fallucchi Antonio Giuseppe mat. 2282 |
| || |||| | --> Live free() of die() <-- |
| |||| || || | OpenSource philosophy |
| || |||||||| | Universita' di Bologna sede di Cesena |
| || || || | Cdl di Scienze dell'Informazione |
---------------------------------------------------------------
No, I don't quite think so - I think you want "or" instead of "of" in "Live
free() or die()"?
Regards,
Antony.
--
"When you talk about Linux versus Windows, you're talking about which
operating system is the best value for money and fit for purpose. That's a
very basic decision customers can make if they have the information available
to them. Quite frankly if we lose to Linux because our customers say it's
better value for money, tough luck for us."
- Steve Vamos, MD of Microsoft Australia
Please reply to the list;
please don't CC me.