Mike Egglestone said:

> Hi,
> I'm wondering if ipmasq has a max connections or if it has
> a limit of the number of IP's it can masq at the same time?
>
> I would like to guess that there is no limit, or maybe the limit
> is really high, like around 65,000 or something.
If you're only masqing using 1 real IP, the limit of connections is in the realm of 64,000 connections tops. Some software programs I've read can horribly abuse their network connections, causing one app to use thousands of ports on a NAT server. I recommend monitoring your users and/or using multiple IPs to NAT. I am not certain how this is done in Linux (haven't tried), but it is possible in FreeBSD using ipfw and ipf (ipf works on other commercial Unixes as well).

If there's a lot of web traffic, a good way to cut down on ports in use is to use a proxy server and force all traffic through it (the proxy would probably have to run on the NAT server itself for it to not consume NAT entries). You can do this using transparent proxy setups (pretty easy to do).

You don't mention what kernel you're using, but at least under Linux 2.2 (not sure about 2.4) you can list your NAT'd connections by doing:

  netstat -M

Sample output:

  IP masquerading entries
  prot   expire    source                destination                ports
  tcp    240:00.00 aphro.aphroland.org   www8.dcx.yahoo.com         2646 -> www (61947)
  icmp   0:42.53   sentry.aphroland.org  penguin.linuxpowered.net   36961 -> 8 (61946)

Again, using ipchains (haven't used Linux 2.4 myself much) you can also adjust the time a connection is allowed to be maintained using:

  /sbin/ipchains -M -S 14400 600 600

(see the manpage/docs for details). The shorter the limit, the quicker NAT connections will get terminated and the more new connections can be made. Note the above settings are for a VERY VERY long limit since my network usually has 1 or 2 machines accessing the net at any given point (in fact when I went to run netstat -M I had to trigger some NAT activity because my NAT tables were empty).

I also recommend tracking open connections on the system as well as an indication.
I use this SNMP variable: .1.3.6.1.2.1.6.9.0, which when shoved into MRTG spits out a nice graph like: http://mrtg.aphroland.org/portal.aphroland.org/portal.aphroland.org.tcpopen.html

I plan to make available extensive docs on how to put MRTG to good use soon, so if you're interested, keep an eye out.

nate
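As an added example (not part of nate's message or the list thread), the following Python script parses the `netstat -M` masquerading table in the layout shown above and counts NAT entries per internal host, so that one application hogging thousands of masq ports stands out the way the reply recommends watching for. The hostnames and rows in the sample are constructed, and the per-host threshold is an arbitrary parameter, not a kernel limit.

```python
"""Parse Linux 2.2 `netstat -M` output and flag internal hosts holding
an outsized share of the NAT (masquerading) port pool."""
import re
from collections import Counter

# One masq table row: prot, expire, source, destination, sport -> dport (masqport).
MASQ_ROW = re.compile(
    r"^(?P<prot>\w+)\s+(?P<expire>[\d:.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\S+)\s*->\s*(?P<dport>\S+)\s+\((?P<masq>\d+)\)\s*$"
)

# Constructed sample in the netstat -M layout quoted in the mail (hosts are made up).
SAMPLE = """\
IP masquerading entries
prot   expire    source            destination        ports
tcp    240:00.00 ws1.example.lan   www8.example.net   2646 -> www (61947)
icmp   0:42.53   ws1.example.lan   ping.example.net   36961 -> 8 (61946)
tcp    120:00.00 ws2.example.lan   mail.example.net   1040 -> smtp (61950)
tcp    119:59.10 ws2.example.lan   mail.example.net   1041 -> smtp (61951)
tcp    119:58.02 ws2.example.lan   mail.example.net   1042 -> smtp (61952)
udp    0:10.00   ws2.example.lan   dns.example.net    1043 -> domain (61953)
"""


def parse_masq(text):
    """Return one dict per masq table row; the two header lines do not match."""
    return [m.groupdict() for m in
            (MASQ_ROW.match(line.strip()) for line in text.splitlines()) if m]


def ports_per_source(entries):
    """Masq entries (i.e. NAT ports in use) per internal host."""
    return Counter(e["src"] for e in entries)


def heavy_users(entries, max_per_host):
    """Hosts holding more than max_per_host NAT entries, busiest first."""
    counts = ports_per_source(entries)
    return sorted(((h, n) for h, n in counts.items() if n > max_per_host),
                  key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    rows = parse_masq(SAMPLE)
    print(f"{len(rows)} masq entries in use")
    for host, n in heavy_users(rows, max_per_host=3):
        print(f"{host} holds {n} NAT ports")
```

In practice the table would come from `subprocess.run(["netstat", "-M"], capture_output=True, text=True).stdout` on the NAT box itself, fed to `parse_masq` on a cron interval.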