add tunnable nf_conntrack_tcp_timeout_established value

[pve-firewall.git] / example / host.fw

diff --git a/example/host.fw b/example/host.fw
index 4d861078d8c6f8b2f6ddb69a668d7cae08a5226b..1bf6d86578ab2dc5a6eeecaeb8190e3393d7fdd3 100644 (file)
--- a/example/host.fw
+++ b/example/host.fw
@@ -15,6 +15,9 @@ policy_out: ACCEPT
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
 
+# reduce conntrack established timeout (default is 432000 - 5days)
+nf_conntrack_tcp_timeout_established: 7875
+
 # Enable firewall when bridges contains IP address.
 # The firewall is not fully functional in that case, so
 # you need to enable that explicitly