> what window size would you suggest? what are the advantages and
> disadvantages? does the window size depend on the number of machines and
> traffic? I know what a window is in the tcp protocol, but I wasn't sure if
> it was what this was referring to.
From the kernel help:
    This should be set to the largest number of connections that you
    expect to be in the act of being classified at any given time. In
    other words, if you expect that it will take 1 second to classify
    each connection (probably an overestimate), and you expect 100 new
    connections every second, this should be set to at least 100.

    The consequences of setting this too low are minimal. Whenever
    l7-filter detects an active connection has been overwritten, it will
    write a message to the system log saying so. That connection will
    be classified as unknown.

    The consequences of setting this too high are that each spot in the
    window uses 1-2 kB of memory.
If you use the Netfilter version, you won't have to worry about this.
(subliminal message: use the Netfilter version.)
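Added illustration, not part of this thread and not l7-filter's own code: a small Python model of a fixed-size classification window, sized by the rule quoted from the kernel help (new connections per second times seconds per classification). The model's details that the help text does not state are assumptions: a slot becomes free once its connection's classification has finished, a full window overwrites slots in round-robin order, the log line format, and 2 kB per slot as the conservative end of the quoted 1-2 kB. The traffic fed through it (100 connections per second, 1 second per classification) is the help text's own example.

```python
"""Toy model of a classification window (constructed example, not l7-filter code).

Assumptions not stated in the kernel help: a slot is free once its connection's
classification has finished; when no slot is free, the next slot in round-robin
order is overwritten; the evicted connection is logged and ends up "unknown".
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Slot:
    conn_id: Optional[int] = None  # connection currently being classified here
    done_at_ms: int = 0            # when classification of that connection finishes


@dataclass
class ClassifierWindow:
    size: int
    slots: List[Slot] = field(init=False)
    next_victim: int = 0                          # round-robin eviction pointer (assumption)
    unknown: List[int] = field(default_factory=list)  # connections lost to overwrites
    syslog: List[str] = field(default_factory=list)   # constructed stand-in for the kernel log

    def __post_init__(self) -> None:
        self.slots = [Slot() for _ in range(self.size)]

    def memory_bytes(self, per_slot_bytes: int = 2048) -> int:
        # the help text says each slot costs 1-2 kB; 2 kB is the conservative bound
        return self.size * per_slot_bytes

    def new_connection(self, conn_id: int, now_ms: int, classify_ms: int) -> bool:
        """Admit a new connection; return True if an active one had to be overwritten."""
        for slot in self.slots:
            if slot.conn_id is None or slot.done_at_ms <= now_ms:
                slot.conn_id, slot.done_at_ms = conn_id, now_ms + classify_ms
                return False
        # window full: overwrite the next slot round-robin (assumed policy)
        victim = self.slots[self.next_victim]
        self.next_victim = (self.next_victim + 1) % self.size
        self.syslog.append(
            f"l7-filter: active connection {victim.conn_id} overwritten by {conn_id}"
        )
        self.unknown.append(victim.conn_id)
        victim.conn_id, victim.done_at_ms = conn_id, now_ms + classify_ms
        return True


def recommended_window(conns_per_second: float, classify_seconds: float) -> int:
    """The help text's rule: window >= new connections/s x seconds per classification."""
    return math.ceil(conns_per_second * classify_seconds)


def simulate(window_size: int, conns_per_second: int, classify_seconds: float,
             n_conns: int):
    """Feed n_conns evenly spaced connections through a window and return
    (connections forced to 'unknown', worst-case slot memory in bytes)."""
    window = ClassifierWindow(window_size)
    interval_ms = 1000 // conns_per_second
    classify_ms = int(classify_seconds * 1000)
    for i in range(n_conns):
        window.new_connection(i, i * interval_ms, classify_ms)
    return len(window.unknown), window.memory_bytes()


if __name__ == "__main__":
    rate, classify = 100, 1.0                   # the help text's own numbers
    want = recommended_window(rate, classify)   # 100 slots
    for size in (want // 2, want, 2 * want):
        lost, mem = simulate(size, rate, classify, n_conns=200)
        print(f"window={size:4d}: {lost:3d} connections forced to 'unknown', "
              f"up to {mem / 1024:.0f} kB of slot memory")
```

With the help text's numbers the window of 100 loses nothing, a window of 50 overwrites every connection after the first 50 (the in-flight count never drops below the slot count, so no slot ever frees), and a window of 200 doubles the memory for no gain; that is the "too low is cheap, too high only costs memory" trade-off in the quoted text.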