All, I ran into this some time ago and thought I should share it -- on a server running iptables that's got a heavy network load, these can make a big difference.

Netfilter (iptables is the main interface command) is a stateful firewall, so it tracks connections. This means that it allocates a certain amount of real RAM when the system boots to hold the Connection Tracking Table. Resizing this table requires a reboot. Something you NEVER want to see is console messages that say:

    ip_conntrack: table full, dropping packet

When I ran into these, I had to do some digging, and found out how to resize the conntrack table, as well as how to decrease the timeout value for connections (default for Red Hat is 5 days!). Changing the timeout value doesn't require a reboot; changing the table size to an appropriate value for your workload does.

Under Red Hat/Fedora/CentOS, in /etc/sysctl.conf (takes effect at boot time):

    # Set conntrack timeout to 12 hours
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 43200
    # Set the size of the conntrack table (old and new versions):
    net.ipv4.ip_conntrack_max = XXXXXXX
    net.ipv4.netfilter.ip_conntrack_max = XXXXXXX

Dynamically change the timeout value on the running system (note the spaces around the = in the sysctl file, but not here!):

    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=43200

These helped, but what really made the biggest difference was this: I found that the conntrack table had a LOT of entries for traffic from 127.0.0.1 (!!) Yes, netfilter will track ALL network traffic. If your kernel is 2.6.9 or above, this command should work to tell netfilter not to track localhost traffic:

    iptables -t raw -A OUTPUT -o lo -j NOTRACK

After doing this on several mail relay servers we saw the number of entries in the conntrack table drop to about half what they had been. Of course, they don't drop right away -- existing table entries have to time out.

Hopefully this may save some of you some headaches.
Richard Wilson

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
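As an added example (not from the post above), a small POSIX sh helper that measures what share of a conntrack dump in the /proc/net/ip_conntrack or /proc/net/nf_conntrack format is loopback traffic, so the effect of the NOTRACK rule can be checked before and after, and that warns when the table approaches its configured maximum. The sample dump is constructed; the nf_conntrack_count and nf_conntrack_max names are the sysctl names used by current kernels.

```shell
#!/bin/sh
# Added example: loopback share of the conntrack table and a fill-level check.
# Both the old ip_conntrack and the newer nf_conntrack dump formats carry
# "src=" / "dst=" fields, so the same awk works on either.

# Constructed sample dump (written to the path in $1) standing in for
# /proc/net/ip_conntrack on a mail relay: 3 loopback flows, 2 external.
write_sample_dump() {
    cat >"$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=25 dport=40000 src=127.0.0.1 dst=127.0.0.1 sport=40000 dport=25 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=10024 dport=40001 src=127.0.0.1 dst=127.0.0.1 sport=40001 dport=10024 [ASSURED] use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=40002 src=127.0.0.1 dst=127.0.0.1 sport=40002 dport=53 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=50000 dport=25 src=203.0.113.5 dst=192.0.2.10 sport=25 dport=50000 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=192.0.2.10 dst=203.0.113.6 sport=50001 dport=25 src=203.0.113.6 dst=192.0.2.10 sport=25 dport=50001 [ASSURED] use=1
EOF
}

# Prints "<total entries> <loopback entries>" for the dump named in $1.
conntrack_loopback_stats() {
    awk '/src=/ { total++; if ($0 ~ /src=127\./) loopback++ }
         END { printf "%d %d\n", total + 0, loopback + 0 }' "$1"
}

# Integer percentage of entries that are loopback flows (0 for an empty dump).
loopback_percent() {
    set -- $(conntrack_loopback_stats "$1")
    [ "$1" -gt 0 ] || { echo 0; return 0; }
    echo $(( $2 * 100 / $1 ))
}

# Catch "ip_conntrack: table full" ahead of time: compare the live count ($1)
# with the configured maximum ($2) and fail (return 1) at 80% or more.  On a
# current kernel read them from /proc/sys/net/netfilter/nf_conntrack_count
# and /proc/sys/net/netfilter/nf_conntrack_max.
table_usage_warning() {
    pct=$(( $1 * 100 / $2 ))
    if [ "$pct" -ge 80 ]; then
        echo "WARN conntrack table ${pct}% full ($1/$2)"
        return 1
    fi
    echo "OK conntrack table ${pct}% full ($1/$2)"
}

# Stand-alone run on the constructed dump: ./conntrack_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_dump "$tmp"
    echo "loopback share: $(loopback_percent "$tmp")%"
    table_usage_warning 900 1000 || true
    rm -f "$tmp"
fi
```

On a live box, run it as a cron job against the real dump and the two sysctl files; a high loopback share is the signal that the NOTRACK rule is worth adding.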