[KLUG Members] A plea for firewall ideas
Adam Tauno WIlliams
adam at morrison-ind.com
Wed Sep 1 09:03:12 EDT 2004
> We are sending ~250k messages an hour during these problems, and I'm not
> worried about mail server throughput, only firewall throughput. The two
> mail servers are behind the firewall, not on the firewall.
Honestly, it is hard to believe there is a legitimate use for that
quantity of messages. That's a message for every resident of the state
of Michigan in only a few hours; major universities don't generate that
much traffic.
> >>>not just normal mail, but large amounts of mail for clients. We have two
> >>>servers that will send this mail, and the activity usually peaks at 8
> >>>Mbit for about 4 hours (Connections come in from one of the internal
> >>>zones, gets SNATted on the way out, etc).
How big is your Internet pipeline?
> >>I'm not following why email would be different than other internet
> >>traffic, and why passing traffic should use so much CPU power.
> In speaking with someone else, it was a matter of "open TCP
> connections", not just 'how much traffic I'm sending'.
This is possible. With that insane number of connections, you might just
want to try adjusting FIN/ACK timeouts, as you probably have lots of dead
remotes with that number of connections. There are several TCP
connection handling parameters available via sysctl.
Some are covered in -
ftp://ftp.kalamazoolinux.org/pub/pdf/PerfTune2001.pdf
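Added example (not from this thread): a small sh script that summarises a netfilter conntrack table, so you can see how many tracked TCP flows are stuck in closing states (dead remotes) versus ESTABLISHED, and how full the table is, before touching the timeout sysctls. It assumes a current kernel where the table is /proc/net/nf_conntrack and the knobs live under net.netfilter.nf_conntrack_* (2.4-era kernels named them ip_conntrack_*); the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Counts conntrack TCP entries by state and reports table usage. Dead
# remotes show up as a large FIN_WAIT/CLOSE_WAIT/TIME_WAIT share; the
# relevant timeouts are net.netfilter.nf_conntrack_tcp_timeout_fin_wait,
# _close_wait and _time_wait (assumed current names; ip_conntrack_* on 2.4).

# Constructed sample of /proc/net/nf_conntrack lines (same field layout as
# real entries; addresses are documentation ranges).
SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.25 sport=40001 dport=25 src=198.51.100.25 dst=203.0.113.1 sport=25 dport=40001 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 119 FIN_WAIT src=192.0.2.10 dst=198.51.100.26 sport=40002 dport=25 src=198.51.100.26 dst=203.0.113.1 sport=25 dport=40002 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 59 CLOSE_WAIT src=192.0.2.11 dst=198.51.100.27 sport=40003 dport=25 src=198.51.100.27 dst=203.0.113.1 sport=25 dport=40003 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.11 dst=198.51.100.28 sport=40004 dport=25 src=198.51.100.28 dst=203.0.113.1 sport=25 dport=40004 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=5353 mark=0 use=1'

# count_tcp_state STATE : number of TCP entries in that state (table on stdin)
count_tcp_state() {
    awk -v st="$1" '$3 == "tcp" && $6 == st { n++ } END { print n + 0 }'
}

# closing_share : percentage of TCP entries sitting in a closing state
closing_share() {
    awk '$3 == "tcp" { t++; if ($6 ~ /^(FIN_WAIT|CLOSE_WAIT|TIME_WAIT|LAST_ACK|CLOSE)$/) c++ }
         END { if (t == 0) print 0; else printf "%d\n", 100 * c / t }'
}

# table_usage COUNT MAX : percentage of the conntrack table in use
table_usage() {
    echo $(( 100 * $1 / $2 ))
}

# report [TABLE] : print the summary for a live (or saved) conntrack table
report() {
    tbl=${1:-/proc/net/nf_conntrack}
    [ -r "$tbl" ] || { echo "cannot read $tbl" >&2; return 1; }
    for s in ESTABLISHED FIN_WAIT CLOSE_WAIT TIME_WAIT; do
        printf '%-12s %s\n' "$s" "$(count_tcp_state "$s" < "$tbl")"
    done
    echo "closing share: $(closing_share < "$tbl")%"
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        c=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        m=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        echo "table usage: $(table_usage "$c" "$m")% ($c/$m)"
    fi
}
```

Run `report` as root on the firewall to read the live table; on the constructed sample, three of the four TCP entries are in closing states, the pattern the reply above attributes to dead remotes.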