Dear all,
I would like to share some of my experiences with EFW. I find that EFW community edition's kernel is running with some default values and I need to tune it:
echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 20 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
Add the above lines to /etc/rc.d/rc.firewall.local and use them at your own risk.
ip_conntrack_tcp_timeout_established has a default value of 432000 (5 days!!!). I think this is an amazing value for me; if too many connections do not end properly, their state is still Established for 5 days ---> ip_conntrack: table full, dropping packet

Any addition is welcome
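Added example, not part of the original post: a small POSIX sh helper that records the current values of the eight conntrack knobs listed above before overwriting them, applies the tuned values, and reports how full the conntrack table is so that "ip_conntrack: table full, dropping packet" can be caught before it happens. It assumes the /proc/sys/net/ipv4/netfilter/ip_conntrack_* layout of the kernel shipped with EFW community edition (newer kernels expose the same knobs under /proc/sys/net/netfilter/nf_conntrack_*), assumes the counter files ip_conntrack_count and ip_conntrack_max sit in the same directory, and uses an arbitrary 80% warning threshold; the CT_DIR variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: record the current conntrack
# TCP timeouts, apply the tuned values from the post, and check how full the
# conntrack table is so "ip_conntrack: table full, dropping packet" can be
# caught before it happens.
# Assumption: the /proc/sys/net/ipv4/netfilter/ip_conntrack_* layout of the
# kernel shipped with EFW community edition. Newer kernels expose the same
# knobs as /proc/sys/net/netfilter/nf_conntrack_* (different prefix, same names).

CT_DIR="${CT_DIR:-/proc/sys/net/ipv4/netfilter}"   # override for testing

# The tuned values from the post, one "name value" pair per line.
TCP_TIMEOUTS="ip_conntrack_tcp_timeout_established 300
ip_conntrack_tcp_max_retrans 20
ip_conntrack_tcp_timeout_close_wait 15
ip_conntrack_tcp_timeout_fin_wait 15
ip_conntrack_tcp_timeout_last_ack 15
ip_conntrack_tcp_timeout_time_wait 15
ip_conntrack_tcp_timeout_syn_recv 30
ip_conntrack_tcp_timeout_syn_sent 60"

# Print "name current-value" for every tunable, so the defaults are on record
# before they are overwritten (handy for rolling back). Missing knobs are noted.
show_timeouts() {
    dir="$1"
    while read -r name _; do
        if [ -r "$dir/$name" ]; then
            printf '%s %s\n' "$name" "$(cat "$dir/$name")"
        else
            printf '%s (missing)\n' "$name"
        fi
    done <<EOF
$TCP_TIMEOUTS
EOF
}

# Write the tuned values. Returns 1 if any knob is absent or not writable
# (e.g. not running as root), so a caller can notice a partial apply.
apply_timeouts() {
    dir="$1"; rc=0
    while read -r name value; do
        if [ -w "$dir/$name" ] && echo "$value" > "$dir/$name"; then
            :
        else
            printf 'cannot write %s\n' "$dir/$name" >&2
            rc=1
        fi
    done <<EOF
$TCP_TIMEOUTS
EOF
    return "$rc"
}

# Percentage of the conntrack table in use (integer arithmetic).
usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Succeeds when usage is below the threshold percentage, fails otherwise.
check_headroom() {
    pct=$(usage_pct "$1" "$2") || return 1
    [ "$pct" -lt "$3" ]
}

# Report table usage and warn above 80% (the threshold is an arbitrary choice).
# Assumption: counters live at ip_conntrack_count / ip_conntrack_max in $dir,
# with the nf_conntrack_* location as a fallback on newer kernels.
report_table() {
    dir="$1"
    if [ -r "$dir/ip_conntrack_count" ] && [ -r "$dir/ip_conntrack_max" ]; then
        count=$(cat "$dir/ip_conntrack_count"); max=$(cat "$dir/ip_conntrack_max")
    elif [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    else
        echo "conntrack counters not found" >&2; return 1
    fi
    printf 'conntrack %s/%s (%s%%)\n' "$count" "$max" "$(usage_pct "$count" "$max")"
    check_headroom "$count" "$max" 80 ||
        echo "WARNING: conntrack table over 80% full" >&2
}

# Usage: sh conntrack-tune.sh show|apply|check   (apply needs root)
case "${1:-}" in
    show)  show_timeouts "$CT_DIR" ;;
    apply) apply_timeouts "$CT_DIR" ;;
    check) report_table "$CT_DIR" ;;
esac
```

Run `show` first and keep its output: the 300-second established timeout evicts idle but still live sessions from the table, so having the defaults on record makes a rollback a matter of echoing them back. `check` is what to put in a cron job or monitoring probe; the ratio of count to max is the early signal that the table is about to fill, whether the cure is shorter timeouts as in the post or a larger ip_conntrack_max.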
