ip_conntrack and APF issue

A Linux server can only keep track of a fixed number of TCP/IP connections at once: the kernel's connection tracking (conntrack) table has a hard maximum number of entries.

ip_conntrack (nf_conntrack on current kernels) is the netfilter module that maintains that table, and its size limit is ip_conntrack_max / nf_conntrack_max. Once the table is full the kernel cannot add a new entry, so new connections, including perfectly legitimate ones, are dropped and the kernel log fills with "ip_conntrack: table full, dropping packet".

We usually tune this through sysctl, by setting net.ipv4.netfilter.ip_conntrack_max (net.netfilter.nf_conntrack_max on newer kernels) in /etc/sysctl.conf and loading it with sysctl -p. Each entry costs kernel memory, and the hash table that indexes the entries (the nf_conntrack hashsize parameter) is sized separately, so a much larger maximum without a larger hash means longer chains and slower lookups.

But if you have APF installed, setting the sysctl alone is not enough: APF applies its own sysctl tuning every time it starts, and its configuration file (/etc/apf/conf.apf) ships with SYSCTL_CONNTRACK="34576" by default. Each APF start or restart therefore resets the conntrack maximum back to 34576 and silently undoes the value from sysctl.conf.

So on servers running APF, raise SYSCTL_CONNTRACK in /etc/apf/conf.apf to the value you want (ideally the same value you put in sysctl.conf), then restart APF with apf -r. Afterwards, confirm the change stuck by reading the live value from /proc/sys/net/ipv4/netfilter/ip_conntrack_max (or /proc/sys/net/netfilter/nf_conntrack_max) and compare it with the current entry count in the matching *_conntrack_count file.
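The check described above, as an added example that is not part of the original post or of APF itself. It parses a sysctl.conf and an APF conf.apf, reports the conntrack limit that will actually be in force once APF has started, warns when APF's SYSCTL_CONNTRACK would lower what sysctl.conf asked for, and reads the live count and maximum from /proc. The file paths are passed in as arguments so the parsing can be exercised on constructed copies of the two files; the /proc paths are the real kernel interfaces, and the 80% warning threshold is an arbitrary choice for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from APF): audit the conntrack
# limit on a box running APF. Paths to sysctl.conf and conf.apf are arguments
# so the functions can be run against constructed copies of those files.

# Print the first readable path among the arguments (conntrack files live under
# net/netfilter on current kernels, net/ipv4/netfilter with old ip_conntrack).
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

conntrack_max_file() {
    first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                   /proc/sys/net/ipv4/netfilter/ip_conntrack_max
}

conntrack_count_file() {
    first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                   /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}

# usage_percent COUNT MAX -> integer percentage of the table in use.
usage_percent() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# apf_conntrack_value FILE -> value of SYSCTL_CONNTRACK="..." in a conf.apf,
# with quotes, whitespace and trailing comments stripped (last assignment wins).
apf_conntrack_value() {
    awk -F'=' '$1 ~ /^[ \t]*SYSCTL_CONNTRACK[ \t]*$/ {
        v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); print v
    }' "$1" | tail -n 1
}

# sysctl_conntrack_value FILE -> value of net.netfilter.nf_conntrack_max or
# net.ipv4.netfilter.ip_conntrack_max in a sysctl.conf (last assignment wins).
sysctl_conntrack_value() {
    awk -F'=' '$1 ~ /^[ \t]*net\.(netfilter\.nf|ipv4\.netfilter\.ip)_conntrack_max[ \t]*$/ {
        v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v); print v
    }' "$1" | tail -n 1
}

# effective_conntrack_max SYSCTL_FILE APF_FILE -> the limit in force once APF
# has started: APF applies SYSCTL_CONNTRACK itself, so its value replaces the
# sysctl.conf one. Falls back to sysctl.conf when APF sets nothing.
effective_conntrack_max() {
    ecm_apf=$(apf_conntrack_value "$2")
    ecm_sys=$(sysctl_conntrack_value "$1")
    if [ -n "$ecm_apf" ]; then echo "$ecm_apf"; else echo "$ecm_sys"; fi
}

# check_conntrack_config SYSCTL_FILE APF_FILE -> 0 when APF will not lower the
# limit requested in sysctl.conf, 1 (with a warning on stderr) when it will.
check_conntrack_config() {
    ccc_sys=$(sysctl_conntrack_value "$1")
    ccc_apf=$(apf_conntrack_value "$2")
    if [ -n "$ccc_sys" ] && [ -n "$ccc_apf" ] && [ "$ccc_apf" -lt "$ccc_sys" ]; then
        echo "WARNING: sysctl.conf asks for $ccc_sys but APF resets it to $ccc_apf on restart;" \
             "raise SYSCTL_CONNTRACK in $2 and run 'apf -r'" >&2
        return 1
    fi
    return 0
}

# live_usage -> report how full the running kernel's conntrack table is.
# Returns 2 if the conntrack module is not loaded, 1 if over the threshold.
live_usage() {
    maxf=$(conntrack_max_file) || { echo "conntrack module not loaded" >&2; return 2; }
    cntf=$(conntrack_count_file) || { echo "conntrack count not available" >&2; return 2; }
    max=$(cat "$maxf"); cnt=$(cat "$cntf")
    pct=$(usage_percent "$cnt" "$max")
    echo "conntrack: $cnt / $max entries in use ($pct%)"
    if [ "$pct" -ge 80 ]; then
        echo "WARNING: table over 80% full; new connections are dropped once it fills" >&2
        return 1
    fi
    return 0
}

# Usage: sh conntrack_check.sh /etc/sysctl.conf /etc/apf/conf.apf
if [ "$#" -eq 2 ]; then
    check_conntrack_config "$1" "$2"
    live_usage
fi
```

Run it before and after `apf -r`: the config check tells you whether the value in conf.apf will undo the sysctl one, and the live reading shows the table size the kernel is actually enforcing, which is the number that matters when the "table full" messages start.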

