Networking overloaded (WAS: Re: confirm 3454f2d8611cde291b81fa177d2434593f5e6d36)

[Mel]

Hiya,

On Thursday 04 October 2007 14:03:23 edward.serrofq at tropic.org.uk wrote:

> I have a 5.3 installation which currently has about 5000 'ESTABLISHED' TCP
> connections.  That figure quadruples in the evening.
>
> Are there any sysctls that I should be tweaking to handle lots of TCP
> connections?

2 things are key to answering first:
1) Are these valid/wanted connections?

I assume if this is caused by your ftp server being filled with PSX downloads, 
because your anon user has write privileges, you don't want to increase your 
connection possibilities.

2) Do you have memory free at top load?

If you don't have (a lot of) spare memory at connection peak, adding the 
ability for more connections will simply slow down your machine and possibly 
lock it up.

> The machine is running pf -- is there some logging I could be doing to see
> if pf is being overloaded?

Unless you're using synproxy states, pf doesn't create connections - at best 
rewrites them. In your case, using synproxy states might actually be a 
benefit, depending what's causing the high load.
Also, is this a firewall only or does it have locally generated traffic?

> Is there anything else I could be doing to see if some part of the OS is
> failing to handle load?

It would help if you describe what's running on the machine, most notably, are 
these connections to one or more servers running on your machine or is your 
bittorrent client going bonkers, that kinda thing.
sockstat(1) is a very useful tool for identifying that. Better save the output 
to file first with a load like that, for example:
sockstat -4c > /tmp/net.load will list all the connected IPv4 sockets to 
file /tmp/net.load.

-- 
Mel