Subject: Re: ipf and state timeout
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 10/30/2001 16:03:08
>> > From /sys/netinet/ip_state.c, I can see that the default timeout for
>> > entries in the state table is 5 days. This sounds incredibly long to me.
>> > Is there any drawback to lowering this? Why was it chosen to be so long?
>> What's the longest a telnet/ssh/rlogin window has been open but idle on
>> your desktop?
>
>Ok, I understand better.
> 
>Are the entries properly removed when the connection is finished? The
>table seems to have stabilized at about 19000 entries (no typo), and it
>seems quite big to me.

if you look at the output of ipnat -lv, you can see the "age" of the
entry which gradually counts down to zero.  when a tcp connection is
closed down (the fin/finack/ack exchange is completed), the "age" for
a tcp entry in the nat table is dropped to five minutes.  it is not
removed entirely due to the 2msl timeout required by tcp before a
given connection can be reused.  after the five minutes expires, the
entry is removed completely.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
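The ageing behaviour described in the reply above, as an added toy model that is not ipfilter's own code: the 5-day default and the 5-minute post-close grace come from the thread; the table layout, the rule that traffic on an open entry resets its age, and the sample addresses are assumptions.

```python
"""Toy model of ipfilter-style state/NAT entry ageing (constructed example)."""
from dataclasses import dataclass, field

DEFAULT_TCP_TIMEOUT = 5 * 24 * 60 * 60   # 5 days, the default quoted in the thread
CLOSED_TCP_TIMEOUT = 5 * 60              # 5 minutes once the close handshake is done


@dataclass
class StateEntry:
    key: tuple                 # (src, sport, dst, dport)
    age: int                   # seconds left before the entry is reaped
    fin_seen: set = field(default_factory=set)   # which sides have sent FIN
    closed: bool = False


class StateTable:
    def __init__(self):
        self.entries = {}

    def add(self, key, timeout=DEFAULT_TCP_TIMEOUT):
        self.entries[key] = StateEntry(key, timeout)

    def packet(self, key, direction, flags):
        """direction is 'fwd' or 'rev'; flags is a set of TCP flag names."""
        e = self.entries.get(key)
        if e is None or e.closed:
            return
        if "FIN" in flags:
            e.fin_seen.add(direction)
        # Close complete: FIN from both sides, then a bare ACK. Age drops to 5 min.
        if "ACK" in flags and "FIN" not in flags and len(e.fin_seen) == 2:
            e.closed = True
            e.age = min(e.age, CLOSED_TCP_TIMEOUT)
        else:
            e.age = DEFAULT_TCP_TIMEOUT   # assumption: traffic refreshes an open entry

    def tick(self, seconds):
        """Advance time; remove entries whose age reached zero. Returns reaped keys."""
        reaped = []
        for key, e in list(self.entries.items()):
            e.age -= seconds
            if e.age <= 0:
                reaped.append(key)
                del self.entries[key]
        return reaped


def demo():
    """One idle session and one cleanly closed one; returns (age after close, reaped, idle kept)."""
    t = StateTable()
    idle = ("10.0.0.1", 1025, "192.0.2.1", 22)     # constructed sample addresses
    short = ("10.0.0.2", 1026, "192.0.2.1", 80)
    t.add(idle)
    t.add(short)
    t.packet(short, "fwd", {"FIN", "ACK"})          # FIN
    t.packet(short, "rev", {"FIN", "ACK"})          # FIN/ACK
    t.packet(short, "fwd", {"ACK"})                 # final ACK
    after_close = t.entries[short].age
    reaped = t.tick(CLOSED_TCP_TIMEOUT)
    return after_close, reaped, idle in t.entries
```

The idle entry survives the 5-minute sweep and is only reaped once the full 5-day age runs out, which is why a table can sit at many thousands of entries.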