by ismarc 4597 days ago
You should have a look to see how much memory the connection tracking table is actually taking up. IPTables stores a lot of its information in kernel space, but modifications are copied to user space, updated, then written back. As an example, for large project X with >100,000 users connecting through a linux-based gateway device, using a single firewall rule to allow access for each device grew larger than RAM available to the kernel. You can also tune the size of the connection tracking table (and pretty much everything else related), but 64k sessions was never a breaking point for us.
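The check the comment recommends, as an added example that is not the commenter's own code: read the nf_conntrack slab from /proc/slabinfo to see how much kernel memory the table actually occupies, and compare nf_conntrack_count against nf_conntrack_max to see how close the table is to full. The slabinfo column layout and sysctl paths are the standard Linux ones; the sample slabinfo text in the test is constructed.

```shell
#!/bin/sh
# Estimate conntrack table memory and utilisation. The helpers take their
# input as arguments so the logic can be checked against constructed text;
# conntrack_report() runs them against the live host (root for /proc/slabinfo).

# conntrack_slab_bytes SLABINFO_TEXT -> bytes held by nf_conntrack slab objects
# /proc/slabinfo columns: name active_objs num_objs objsize objperslab pagesperslab ...
# num_objs * objsize is the memory the allocator has actually committed.
conntrack_slab_bytes() {
    printf '%s\n' "$1" | awk '$1 == "nf_conntrack" { print $3 * $4; found = 1 }
                               END { if (!found) print 0 }'
}

# conntrack_pct_used COUNT MAX -> integer percentage of the table in use
conntrack_pct_used() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_report: live check; exits non-zero when the table is nearly full.
# To enlarge the table: sysctl -w net.netfilter.nf_conntrack_max=<N>, and
# raise the hash size via /sys/module/nf_conntrack/parameters/hashsize.
conntrack_report() {
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo 0)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0)
    slab=$(cat /proc/slabinfo 2>/dev/null)
    bytes=$(conntrack_slab_bytes "$slab")
    pct=$(conntrack_pct_used "$count" "$max")
    printf 'conntrack entries: %s / %s (%s%% used), slab memory: %s KiB\n' \
        "$count" "$max" "$pct" $(( bytes / 1024 ))
    [ "$pct" -lt 80 ]
}
```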