* ip_conntrack limit && stateless firewalls
From: Kevin Van Workum @ 2005-02-11 14:49 UTC (permalink / raw)
  To: netfilter

I'm having a problem with my firewall where packets are being dropped due 
to the ip_conntrack limit. I could up the limit, but my users need 30k+ 
connections simultaneously and with the minimum overhead. And I only have 
1 firewall box. So I'd like to disable or bypass ip_conntrack somehow to 
avoid dropped packets and reduce overhead. How can I do this, and more 
importantly, would it be helpful?

Kevin



* Re: ip_conntrack limit && stateless firewalls
From: Tobias DiPasquale @ 2005-02-11 14:55 UTC (permalink / raw)
  To: netfilter

On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@usna.edu> wrote:
> I'm having a problem with my firewall where packets are being dropped due
> to the ip_conntrack limit. I could up the limit, but my users need 30k+
> connections simultaneously and with the minimum overhead. And I only have
> 1 firewall box. So I'd like to disable or bypass ip_conntrack somehow to
> avoid dropped packets and reduce overhead. How can I do this, and more
> importantly, would it be helpful?

You can use the NOTRACK target on the traffic that is causing the
problem (which will disable using ip_conntrack on that traffic), or
you can decompile conntrack altogether. The latter would basically
make the firewall stateless. man iptables for more info on using
NOTRACK.

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d



* Re: ip_conntrack limit && stateless firewalls
From: Jose Maria Lopez Hernandez @ 2005-02-13 12:22 UTC (permalink / raw)
  To: netfilter

On Fri, 11-02-2005 at 09:55 -0500, Tobias DiPasquale wrote:
> On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@usna.edu> wrote:
> > I'm having a problem with my firewall where packets are being dropped due
> > to the ip_conntrack limit. I could up the limit, but my users need 30k+
> > connections simultaneously and with the minimum overhead. And I only have
> > 1 firewall box. So I'd like to disable or bypass ip_conntrack somehow to
> > avoid dropped packets and reduce overhead. How can I do this, and more
> > importantly, would it be helpful?
> 
> You can use the NOTRACK target on the traffic that is causing the
> problem (which will disable using ip_conntrack on that traffic), or
> you can decompile conntrack altogether. The latter would basically
> make the firewall stateless. man iptables for more info on using
> NOTRACK.
> 

I just wanted to note that changing from CONNTRACK enabled
rules to stateless rules implies changing all your rules
and scripts.

Maybe just limiting the problematic protocols with NOTRACK
can be enough to solve the problem. And surely more computing
power will be useful (CPU and RAM).

Regards.


-- 

Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
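An added example (not posted by anyone in this thread) of the approach Tobias and Jose describe: exempt only the busy service from ip_conntrack with NOTRACK in the raw table, add the stateless rules it then needs, and measure how full the conntrack table is before deciding. TCP port 80 and the 2.6-era /proc paths are assumptions; adjust them to the real service and kernel.

```shell
#!/bin/sh
# NOTRACK keeps the chosen flows out of ip_conntrack, so they never match
# -m state --state ESTABLISHED. The INPUT/OUTPUT rules below are the
# stateless replacements that such traffic needs (Jose's point: untracked
# traffic means rewriting the rules that depended on state).
# Assumed placeholder: the busy service is TCP port $1.
notrack_rules() {
    port="$1"
    cat <<EOF
iptables -t raw -A PREROUTING -p tcp --dport $port -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport $port -j NOTRACK
iptables -A INPUT -p tcp --dport $port -j ACCEPT
iptables -A OUTPUT -p tcp --sport $port -j ACCEPT
EOF
}

# Percentage of the conntrack table in use. Arguments are the paths of
# /proc/net/ip_conntrack (one entry per line) and
# /proc/sys/net/ipv4/ip_conntrack_max, passed explicitly so the function
# also works on saved copies of those files.
conntrack_usage() {
    table="$1"; maxfile="$2"
    [ -r "$table" ] && [ -r "$maxfile" ] || return 1
    count=$(grep -c '' "$table")
    max=$(cat "$maxfile")
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    echo $(( count * 100 / max ))
}

# Succeeds when the table is at or above the threshold (default 90 %),
# i.e. when drops from the ip_conntrack limit are imminent.
conntrack_pressure() {
    pct=$(conntrack_usage "$1" "$2") || return 2
    [ "$pct" -ge "${3:-90}" ]
}

# Apply the generated rules; needs root and iptables, so it is only run
# when called explicitly, e.g. apply_notrack 80.
apply_notrack() {
    notrack_rules "$1" | while read -r line; do eval "$line"; done
}
```

Run `notrack_rules 80` first to review the rule set, and `conntrack_pressure /proc/net/ip_conntrack /proc/sys/net/ipv4/ip_conntrack_max && echo full` to confirm the table really is the bottleneck before applying anything.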