Comment on Conntrack question

Mikelius@lemmy.ml 1 week ago

I’d hesitate to disable it altogether, unless you’re absolutely certain nothing will need it. One suggestion I haven’t seen mentioned is looking at the other sysctl options that might be tweaked. Check with netstat how many of those connections are stuck in established, close wait, time waiting, etc. It’s possible you just need to lower the default values of things like nf_conntrack_tcp_timeout_established, for example. www.kernel.org/doc/…/nf_conntrack-sysctl.html - naturally, research anything you think you might want to change before you do.

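Added example, not part of Mikelius's comment: one way to do the per-state check described above, reading the conntrack table itself (the `/proc/net/nf_conntrack` or `conntrack -L` line format) rather than netstat output. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Tally TCP conntrack entries by state and report the largest remaining
# timeout (seconds) seen in each state. Accepts both line formats:
#   /proc/net/nf_conntrack : ipv4 2 tcp 6 <secs_left> <STATE> src=... dst=...
#   conntrack -L           : tcp 6 <secs_left> <STATE> src=... dst=...
# Output: "<STATE> <count> <max_secs_left>", busiest state first.
conntrack_state_summary() {
    awk '{
        for (i = 1; i <= NF - 3; i++) {
            if ($i != "tcp") continue
            state = $(i + 3); left = $(i + 2) + 0
            if (state ~ /^[A-Z_0-9]+$/) {
                count[state]++
                if (left > max[state]) max[state] = left
            }
            break
        }
    }
    END { for (s in count) printf "%s %d %d\n", s, count[s], max[s] }' |
    sort -k2,2nr -k1,1
}

# Constructed sample entries (documentation address ranges), not a capture.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40112 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40112 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431200 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40220 dport=443 src=198.51.100.5 dst=192.0.2.11 sport=443 dport=40220 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 300000 ESTABLISHED src=192.0.2.12 dst=203.0.113.9 sport=51000 dport=22 src=203.0.113.9 dst=192.0.2.12 sport=22 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 100 TIME_WAIT src=192.0.2.10 dst=203.0.113.9 sport=40300 dport=80 src=203.0.113.9 dst=192.0.2.10 sport=80 dport=40300 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 45 TIME_WAIT src=192.0.2.13 dst=203.0.113.9 sport=40301 dport=80 src=203.0.113.9 dst=192.0.2.13 sport=80 dport=40301 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 55 CLOSE_WAIT src=192.0.2.14 dst=198.51.100.7 sport=40400 dport=8080 src=198.51.100.7 dst=192.0.2.14 sport=8080 dport=40400 [ASSURED] mark=0 use=1
ipv4     2 udp      17 25 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=1
EOF
}

# Demo on the sample. On a live host (as root) feed the real table instead:
#   conntrack_state_summary < /proc/net/nf_conntrack
# and compare against the current setting (kernel default is 432000 s):
#   sysctl net.netfilter.nf_conntrack_tcp_timeout_established
sample_conntrack | conntrack_state_summary
```

If ESTABLISHED dominates with remaining timeouts close to the configured value, those entries are idle flows being held for the full timeout, which is the case the suggested sysctl addresses.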