[Shorewall-users] Firewall sizing guidelines?
teastep at shorewall.net
Mon Apr 19 14:13:41 PDT 2004
Shawn Wright wrote:
> On 19 Apr 2004 at 10:39, Tom Eastep wrote:
>>Shawn Wright wrote:
>>>Any other tools I can look at for gauging the performance, etc?
>>You probably want to keep track of your connection tracking table usage:
>>gateway:~# cat /proc/sys/net/ipv4/ip_conntrack_max
>>gateway:~# grep ip_conntrack /proc/slabinfo
>>ip_conntrack 107 240 320 17 20 1
>>The first command shows that I have a maximum of 16384 entries in my
>>connection tracking table.
>>The second entry shows that:
>>a) There are 107 active entries.
>>b) There are 240 allocated entries.
>>c) Each entry is 320 bytes long.
>>You can dynamically change the size of the table by echoing new values
>>into /proc/sys/net/ipv4/ip_conntrack_max. Such dynamic updates don't
>>survive a reboot of course so you probably want to use your distro's
>>method of setting these values (with Mandrake, it's /etc/sysctl.conf).
> Tom, Thanks for this info.
> Below are my current stats, but the machine was rebooted last night, so
> the numbers probably haven't peaked yet. Our heaviest traffic will be later
> [root at fw console]# cat /proc/sys/net/ipv4/ip_conntrack_max
> [root at fw console]# grep ip_conntrack /proc/slabinfo
> ip_conntrack 622 1920 320 56 160 1
> I'm guessing that the default of 6144 could probably be bumped up a bit.
> But are there other factors to consider before doing so?
The only factor is the amount of memory that you can afford to dedicate
to connection tracking.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
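Worked example, added here and not part of the list post or of Shorewall: a small POSIX shell script that turns the two numbers Tom points at (ip_conntrack_max and the ip_conntrack line of /proc/slabinfo) into memory figures, so the "how much memory can you afford" question can be answered before bumping the limit. It assumes the 2.4-era slabinfo column order shown in the thread (name, active objects, allocated objects, object size, ...); the sample slab line and max value are constructed from the numbers quoted above, and the script only reads the real /proc files when they exist.

```shell
#!/bin/sh
# Added example, not code from the Shorewall list post: estimate how much
# memory the connection tracking table uses, from the two sources named in
# the thread (/proc/sys/net/ipv4/ip_conntrack_max and the ip_conntrack line
# of /proc/slabinfo). The sample line below is CONSTRUCTED from the values
# quoted in the thread so the arithmetic runs without a real 2.4 kernel.

SAMPLE_SLAB_LINE="ip_conntrack 622 1920 320 56 160 1"
SAMPLE_CONNTRACK_MAX=6144

# 2.4-era slabinfo columns, as read in the thread:
#   name active_objs total_objs obj_size active_slabs total_slabs pages_per_slab
slab_field() {
    # $1 = slab line, $2 = 1-based field number
    printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

conntrack_active()     { slab_field "$1" 2; }
conntrack_allocated()  { slab_field "$1" 3; }
conntrack_entry_size() { slab_field "$1" 4; }

# Bytes held by live entries (active objects * object size)
conntrack_bytes_in_use() {
    echo $(( $(conntrack_active "$1") * $(conntrack_entry_size "$1") ))
}

# Bytes the slab cache has actually allocated, including free slots
conntrack_bytes_allocated() {
    echo $(( $(conntrack_allocated "$1") * $(conntrack_entry_size "$1") ))
}

# Worst-case bytes for the entries alone if the table fills to a given max
conntrack_bytes_at_max() {
    # $1 = slab line (for the entry size), $2 = proposed ip_conntrack_max
    echo $(( $2 * $(conntrack_entry_size "$1") ))
}

# Integer percentage of ip_conntrack_max currently in use
conntrack_percent_used() {
    echo $(( $(conntrack_active "$1") * 100 / $2 ))
}

# Print a short report for one slab line and one max value
conntrack_report() {
    line=$1; max=$2
    printf 'entries: %s active / %s allocated / %s max (%s%% of max)\n' \
        "$(conntrack_active "$line")" "$(conntrack_allocated "$line")" \
        "$max" "$(conntrack_percent_used "$line" "$max")"
    printf 'memory:  %s bytes in use, %s bytes allocated, %s bytes if full\n' \
        "$(conntrack_bytes_in_use "$line")" "$(conntrack_bytes_allocated "$line")" \
        "$(conntrack_bytes_at_max "$line" "$max")"
}

# Use the live files from the thread when they exist (2.4 kernels; newer
# kernels expose nf_conntrack instead), otherwise report on the sample.
if [ -r /proc/sys/net/ipv4/ip_conntrack_max ] \
   && grep -q '^ip_conntrack ' /proc/slabinfo 2>/dev/null; then
    conntrack_report "$(grep '^ip_conntrack ' /proc/slabinfo)" \
                     "$(cat /proc/sys/net/ipv4/ip_conntrack_max)"
else
    conntrack_report "$SAMPLE_SLAB_LINE" "$SAMPLE_CONNTRACK_MAX"
fi
```

With the thread's numbers the sample reports 622 active entries at 320 bytes each (about 194 KiB in use) and under 2 MiB if all 6144 slots fill, which is why raising the limit on a box with memory to spare is cheap. The figure covers only the conntrack entries themselves; the kernel's conntrack hash buckets are a separate, smaller allocation, so treat the "if full" number as a lower bound when sizing.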