Title: Tuning TCP/IP stack for EFW
Post by: vlongjvc on Saturday 28 August 2010, 05:06:25 pm

Dear all,
I would like to share some of my experiences with EFW. I find that the EFW community edition's kernel is running with some default values and I need to tune it:

echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 20 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent

Add the above lines to /etc/rc.d/rc.firewall.local and use them at your own risk.

ip_conntrack_tcp_timeout_established has a default value of 432000 (5 days!!!). I think this is an amazing value for me; if too many connections do not end properly, their state is still Established for 5 days ---> ip_conntrack: table full, dropping packet :-\

Any addition is welcome :)

Title: Re: Tuning TCP/IP stack for EFW
Post by: wavrunrx2 on Sunday 29 August 2010, 05:12:11 am

Excellent, thank you for that. :D
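
The "table full" condition described in the first post can be checked before and after changing the timeouts by counting tracked TCP entries per state. The script below is an added example, not part of the original posts; it assumes the /proc/net/ip_conntrack line layout (protocol, protocol number, seconds remaining, TCP state), and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a conntrack table dump.
# Assumed line layout, as in /proc/net/ip_conntrack:
#   proto  proto_number  seconds_remaining  [TCP state]  src=... dst=...

# conntrack_summary FILE [LIMIT]
# Counts TCP entries per state and the ESTABLISHED entries whose remaining
# timeout is above LIMIT seconds (default 300, the established timeout set
# in the post). FILE may be "-" to read standard input.
conntrack_summary() {
    awk -v limit="${2:-300}" '
        $1 == "tcp" {
            total++
            state[$4]++
            # Force numeric comparison of remaining seconds against LIMIT.
            if ($4 == "ESTABLISHED" && $3 + 0 > limit + 0) over++
        }
        END {
            printf "tcp_total=%d established=%d over_limit=%d time_wait=%d\n",
                total, state["ESTABLISHED"], over, state["TIME_WAIT"]
        }' "$1"
}

# Constructed sample entries (documentation addresses, not captured data).
sample_table() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=51234 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=51300 dport=443 src=198.51.100.5 dst=192.0.2.11 sport=443 dport=51300 [ASSURED] use=1
tcp      6 86400 ESTABLISHED src=192.0.2.12 dst=198.51.100.9 sport=40022 dport=22 src=198.51.100.9 dst=192.0.2.12 sport=22 dport=40022 [ASSURED] use=1
tcp      6 12 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=51240 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=51240 [ASSURED] use=1
tcp      6 45 SYN_SENT src=192.0.2.13 dst=198.51.100.7 sport=33000 dport=25 [UNREPLIED] src=198.51.100.7 dst=192.0.2.13 sport=25 dport=33000 use=1
udp      17 25 src=192.0.2.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40000 use=1
EOF
}

# On a live firewall: conntrack_summary /proc/net/ip_conntrack 300
sample_table | conntrack_summary - 300
```

A large over_limit count relative to tcp_total points at long-lived ESTABLISHED entries as the reason the table fills.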