only update nf_conntrack_max if firewall is started