diff --git a/passt.c b/passt.c
index 12b10dc..466cae8 100644
--- a/passt.c
+++ b/passt.c
@@ -787,7 +787,7 @@ int main(int argc, char **argv)
 fd_unix = sock_unix();
- if (icmp_sock_init(&c) || tcp_sock_init(&c) || udp_sock_init(&c))
+ if (icmp_sock_init(&c) || udp_sock_init(&c) || tcp_sock_init(&c))
 exit(EXIT_FAILURE);
 if (c.v6)
diff --git a/tcp.c b/tcp.c
index bab07ab..d70267b 100644
--- a/tcp.c
+++ b/tcp.c
@@ -319,7 +319,7 @@
 #include "siphash.h"
 /* Approximately maximum number of open descriptors per process */
-#define MAX_CONNS (256 * 1024)
+#define MAX_CONNS (1024 * 1024)
 #define TCP_HASH_TABLE_LOAD 70 /* % */
 #define TCP_HASH_TABLE_SIZE (MAX_CONNS * 100 / TCP_HASH_TABLE_LOAD)
@@ -924,6 +924,11 @@ static void tcp_conn_from_tap(struct ctx *c, int af, void *addr,
 if (s < 0)
 return;
+ if (s >= MAX_CONNS) {
+ close(s);
+ return;
+ }
+
 tc[s].mss_guest = tcp_opt_get(th, len, OPT_MSS, NULL, NULL);
 if (tc[s].mss_guest < 0)
 tc[s].mss_guest = MSS_DEFAULT;
@@ -1003,6 +1008,11 @@ static void tcp_conn_from_sock(struct ctx *c, int fd, struct timespec *now)
 if (s == -1)
 return;
+ if (s >= MAX_CONNS) {
+ close(s);
+ return;
+ }
+
 CHECK_SET_MIN_MAX(c->tcp.fd_, s);
 CHECK_SET_MIN_MAX(c->tcp.fd_conn_, s);
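Review bot: Nothing at the call site in passt.c says why `udp_sock_init(&c)` now has to run before `tcp_sock_init(&c)`, and inside an `||` chain the order looks arbitrary. If it matters because tcp.c looks sockets up by descriptor number (an inference from the `tc[s]` indexing in the tcp.c hunks, not something visible here), a one-line comment above the `if` would stop a later cleanup from swapping it back, for example `/* UDP sockets first: <reason the order matters> */`. main() starts and ends outside the hunk.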
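Review bot: The comment kept above `MAX_CONNS` in tcp.c still describes an approximate descriptor count, but with this commit the macro becomes the exact bound that new socket numbers are compared against before `tc[s]` is written. I would reword it so the invariant is explicit, e.g. `/* Sockets with descriptor number >= MAX_CONNS are refused: tc[] is indexed by descriptor */`; that `tc[]` has MAX_CONNS entries is implied by the new checks, its declaration is outside the hunk. Raising the value fourfold also scales `TCP_HASH_TABLE_SIZE` and presumably the connection table by the same factor, which deserves a sentence in the commit message.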
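Review bot: In tcp_conn_from_tap() the new `s >= MAX_CONNS` branch closes the socket and returns without a log line or, as far as the hunk shows, any reply towards the guest, so running out of table slots is indistinguishable from packet loss. A rate-limited warning on that path would make descriptor exhaustion visible to whoever operates the process, whether it is accidental or induced by a peer opening many connections. The identical five lines are added in tcp_conn_from_sock() in the next hunk; a small static helper taking `s` would keep the two bounds checks from drifting apart. Both functions start and end outside their hunks, so other places that index `tc[]` by descriptor cannot be checked from here.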