Subject: Re: Two ipf problems
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 10/25/2001 21:55:55
On Wed, Oct 24, 2001 at 11:18:42PM +0200, Emmanuel Dreyfus wrote:
> Hi
> 
> I'm running an IPFilter based firewall in front of about 800 machines. I
> use keep-state rules to enable outgoing traffic, and I have a keep-state
> rule for each interface (one in, one out). 
> 
> After some time, it's getting hard to initiate a connection: the first
> packet passes, according to the filter rules, but the state cache is not
> updated. The reply packet comes and is blocked (because the state cache
> does not say it should go through). I have to do ipf -F -S to get things
> working again. I have to do it regularly using a crontab to get the
> machine doing its job correctly.
> 
> I'm running 1.5.2/i386. Is there anything particular I should tune? Is
> there a known bug? 

How many entries are there in the state table?
See LARGE_NAT in net/ip_nat.h, maybe it's the problem.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
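The check Manuel's question implies (is the state table full?) can be automated. The script below is an added example, not code from either poster or from IPFilter itself: it parses the counters printed by `ipfstat -s` and flags the symptom described in the thread, where new connections pass the rule but receive no state entry. The counter labels ("active", "maximum", "no memory") and the sample output are reconstructed from the general layout of `ipfstat -s` and should be treated as assumptions; the table-size argument stands for the kernel's state limit (IPSTATE_MAX in ip_state.h on this era of IPFilter, which LARGE_NAT also enlarges), which `ipfstat -s` does not print and which is therefore passed in by hand.

```python
"""
Added example (not from the original thread): parse `ipfstat -s` state-table
counters and report when the table is exhausted, i.e. when new flows no
longer get a state entry and their reply packets are dropped.

Assumptions: counter labels follow the usual `ipfstat -s` layout; the sample
text below is constructed, not captured from the poster's firewall.
"""
import re

# Constructed sample of `ipfstat -s` output (assumed layout, not real data).
SAMPLE_IPFSTAT_S = """\
IP states added:
\t 31998 TCP
\t 12010 UDP
\t 203 ICMP
\t 8823412 hits
\t 44010 misses
\t 517 maximum
\t 0 no memory
\t 3901 bkts in use
\t 4096 active
\t 39200 expired
\t 8100 closed
"""

# One numeric counter followed by its label, e.g. "517 maximum".
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_ipfstat_state(text):
    """Return {label: value} for every "<number> <label>" line of ipfstat -s."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def diagnose_state_table(counters, table_size):
    """
    Inspect the parsed counters and return a list of findings (empty means
    nothing suspicious).  `table_size` is the kernel's maximum number of
    state entries (assumed to be IPSTATE_MAX in ip_state.h); it is supplied
    by the caller because ipfstat -s does not print it.
    """
    findings = []
    maximum = counters.get("maximum", 0)
    no_memory = counters.get("no memory", 0)
    active = counters.get("active", 0)

    # "maximum" counts state insertions refused because the table was full:
    # exactly the "first packet passes, reply is blocked" symptom.
    if maximum > 0:
        findings.append(
            "state table hit its maximum %d time(s): new flows get no entry" % maximum)
    # Allocation failures produce the same effect for a different reason.
    if no_memory > 0:
        findings.append(
            "state allocation failed for lack of memory %d time(s)" % no_memory)
    # Early warning before the table actually fills.
    if table_size and active >= 0.9 * table_size:
        findings.append(
            "active states %d is at or above 90%% of table size %d" % (active, table_size))
    return findings


if __name__ == "__main__":
    # Example run against the constructed sample with an assumed 4096-entry table.
    for finding in diagnose_state_table(parse_ipfstat_state(SAMPLE_IPFSTAT_S), 4096):
        print("WARNING:", finding)
```

Run periodically (the same crontab slot used for `ipf -F -S`), the script turns a blind flush into a measured decision: a nonzero "maximum" counter confirms the table is the bottleneck and that raising the limit (the LARGE_NAT build option mentioned above, or the state tunables) is the right fix rather than flushing live state.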