  • Netfilter Conntrack Memory Usage

    June 17th, 2009

    On a busy Linux Netfilter-based firewall, you usually need to up the maximum number of allowed tracked connections (or new connections will be denied and you’ll see log messages from the kernel like this: nf_conntrack: table full, dropping packet).

    More connections will use more RAM, but how much?  We don’t want to overcommit, as the connection tracker uses unswappable memory and things will blow up. If we set aside 512MB for connection tracking, how many concurrent connections can we track?

    There is some Netfilter documentation on wallfire.org, but it’s quite old. How can we be sure it’s still correct without completely understanding the Netfilter code? Does it account for real-life constraints such as page size, or is it just derived from looking at the code? A running Linux kernel gives us all the info we need through its slabinfo proc file.
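    As an added illustration of what the slabinfo file tells you (this is not code from the original post), here is a small POSIX shell script that reads the nf_conntrack slab line and works out the real per-entry cost, including slab packing waste, and how many entries fit in a 512MB budget. The slabinfo excerpt it parses is constructed sample data, and the slab name, page size and budget are passed in as assumptions; on a real firewall you would feed it /proc/slabinfo and getconf PAGESIZE instead.

```shell
#!/bin/sh
# Added example (not from the original post): estimate how many conntrack
# entries fit in a memory budget, using the slab geometry the kernel reports
# in /proc/slabinfo. Columns (slabinfo 2.1):
#   $1 name  $2 active_objs  $3 num_objs  $4 objsize  $5 objperslab  $6 pagesperslab
#
# CONSTRUCTED sample data: the object counts and sizes below are invented for
# illustration, not taken from any real machine.
SLABINFO_SAMPLE='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
nf_conntrack        1234   1560    320   12    1 : tunables    0    0    0 : slabdata    130    130      0
dentry             40000  40000    192   21    1 : tunables    0    0    0 : slabdata   1905   1905      0'

# Print the bytes actually consumed per tracked connection. objsize ($4) is
# what the struct needs; pagesperslab * page_size / objperslab is what it
# really costs once the allocator has packed objects into whole pages.
# Reads slabinfo text on stdin.
#   $1 = slab name (nf_conntrack, or ip_conntrack on older kernels)
#   $2 = page size in bytes
conntrack_bytes_per_entry() {
    awk -v name="$1" -v page="$2" \
        '$1 == name { printf "%d\n", ($6 * page) / $5; exit }'
}

# Print how many entries a memory budget can hold. Memory is handed out one
# slab (pagesperslab pages) at a time, so count whole slabs, then multiply
# by objects per slab. Reads slabinfo text on stdin.
#   $1 = slab name, $2 = page size in bytes, $3 = budget in bytes
conntrack_max_entries() {
    awk -v name="$1" -v page="$2" -v budget="$3" \
        '$1 == name { slabs = int(budget / ($6 * page)); printf "%d\n", slabs * $5; exit }'
}

# Worked run against the constructed sample with a 4096-byte page and 512MB.
BUDGET=$((512 * 1024 * 1024))
printf 'bytes per entry (struct size 320): %s\n' \
    "$(printf '%s\n' "$SLABINFO_SAMPLE" | conntrack_bytes_per_entry nf_conntrack 4096)"
printf 'entries that fit in 512MB: %s\n' \
    "$(printf '%s\n' "$SLABINFO_SAMPLE" | conntrack_max_entries nf_conntrack 4096 "$BUDGET")"

# On a live firewall, substitute the real file and page size, for example:
#   conntrack_max_entries nf_conntrack "$(getconf PAGESIZE)" "$BUDGET" < /proc/slabinfo
```

    The result from the live file is the figure to compare against nf_conntrack_max, not the struct size alone: in the constructed sample the 320-byte object really costs 341 bytes once packed into pages. The conntrack hash table (sized by nf_conntrack_buckets) is allocated separately and is not included in this slab, so leave headroom for it in the budget.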

    Tags: conntrack, firewall, iptables, kernel, limit, linux, max, netfilter, performance, ram, slab

    Posted in Tech | 1 Comment »

  • netfilter ip_conntrack_ftp and tls

    December 7th, 2005

    Here I am attempting to connect to a server using lftp wondering why the firewall is blocking the incoming data connections, even though ip_conntrack_ftp has been working for years.

    lftp supports TLS, and so does the server I’m connecting to. This means the control connection is encrypted, so the netfilter FTP connection tracker can’t peek inside the packets to find out which ports to open up to allow the data connections. DUH. FTP sucks.

    Anyway, the only way I found to disable TLS support in lftp is to add the following line to ~/.lftp/rc:

    set ftp:ssl-allow false
    Tags: conntrack, firewall, ftp, lftp, linux, netfilter, tcp, tls

    Posted in Networks and Firewalls, Tech | 2 Comments »

  • John Leach

    • John Leach is a human being living in Leeds, UK.
The text of this blog is licensed under the Creative Commons BY-ND license.