* ip_conntrack limit && stateless firewalls @ 2005-02-11 14:49 Kevin Van Workum 2005-02-11 14:55 ` Tobias DiPasquale 0 siblings, 1 reply; 3+ messages in thread From: Kevin Van Workum @ 2005-02-11 14:49 UTC (permalink / raw) To: netfilter I'm having a problem with my firewall where packets are being dropped due to the ip_conntrack limit. I could up the limit, but my users need 30k+ connections simultaneously and with the minimum overhead. And I only have 1 firewall box. So I'd like to disable or by-pass ip_conntrack some how to avoid dropped packets and reduce over head. How can I do this, and more importantly, would it be helpful. Kevin ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ip_conntrack limit && stateless firewalls 2005-02-11 14:49 ip_conntrack limit && stateless firewalls Kevin Van Workum @ 2005-02-11 14:55 ` Tobias DiPasquale 2005-02-13 12:22 ` Jose Maria Lopez Hernandez 0 siblings, 1 reply; 3+ messages in thread From: Tobias DiPasquale @ 2005-02-11 14:55 UTC (permalink / raw) To: netfilter On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@usna.edu> wrote: > I'm having a problem with my firewall where packets are being dropped due > to the ip_conntrack limit. I could up the limit, but my users need 30k+ > connections simultaneously and with the minimum overhead. And I only have > 1 firewall box. So I'd like to disable or by-pass ip_conntrack some how to > avoid dropped packets and reduce over head. How can I do this, and more > importantly, would it be helpful. You can use the NOTRACK target on the traffic that is causing the problem (which will disable using ip_conntrack on that traffic), or you can decompile conntrack altogether. The latter would basically make the firewall stateless. man iptables for more info on using NOTRACK. -- [ Tobias DiPasquale ] 0x636f6465736c696e67657240676d61696c2e636f6d ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: ip_conntrack limit && stateless firewalls 2005-02-11 14:55 ` Tobias DiPasquale @ 2005-02-13 12:22 ` Jose Maria Lopez Hernandez 0 siblings, 0 replies; 3+ messages in thread From: Jose Maria Lopez Hernandez @ 2005-02-13 12:22 UTC (permalink / raw) To: netfilter El vie, 11-02-2005 a las 09:55 -0500, Tobias DiPasquale escribió: > On Fri, 11 Feb 2005 09:49:40 -0500, Kevin Van Workum <vanw@usna.edu> wrote: > > I'm having a problem with my firewall where packets are being dropped due > > to the ip_conntrack limit. I could up the limit, but my users need 30k+ > > connections simultaneously and with the minimum overhead. And I only have > > 1 firewall box. So I'd like to disable or by-pass ip_conntrack some how to > > avoid dropped packets and reduce over head. How can I do this, and more > > importantly, would it be helpful. > > You can use the NOTRACK target on the traffic that is causing the > problem (which will disable using ip_conntrack on that traffic), or > you can decompile conntrack altogether. The latter would basically > make the firewall stateless. man iptables for more info on using > NOTRACK. > I just wanted to note that changing from CONNTRACK enabled rules to stateless rules implies changing all your rules and scripts. Maybe just limiting with NOTRACK the problematic protocols can be enough to solve the problem. And surely more computing power will be useful (CPU and RAM). Regards. -- Jose Maria Lopez Hernandez Director Tecnico de bgSEC jkerouac@bgsec.com bgSEC Seguridad y Consultoria de Sistemas Informaticos http://www.bgsec.com ESPAÑA The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles. -- Jack Kerouac, "On the Road" ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-02-13 12:22 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2005-02-11 14:49 ip_conntrack limit && stateless firewalls Kevin Van Workum 2005-02-11 14:55 ` Tobias DiPasquale 2005-02-13 12:22 ` Jose Maria Lopez Hernandez
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox