Re: PF Problems

To: Steve Pribyl <spribyl%peel.com@localhost>
Subject: Re: PF Problems
From: "Brian A. Seklecki" <seklecki%noc.cfi.pgh.pa.us@localhost>
Date: Fri, 17 Jul 2009 19:05:58 -0400

On Fri, 2009-07-17 at 09:36 -0500, Steve Pribyl wrote:
> Patrick,
> 
> Thanks for responding.  I will start watching this.

% pfctl -x loud or % pfctl -s misc 
  ... when it gets slow

Also, the defaults are a bit low for HPC environments.  Try:

  # Sanitize incoming traffic (All PIX sanitization is disabled)
  set optimization aggressive
  
  set limit  { states 200000, frags 200000, src-nodes 200000,\
  table-entries 200000}

  scrub on $if_ext all fragment reassemble

"netstat -s" and "netstat -m" when it becomes slow, as well.

~BAS

References:
- PF Problems
  - From: Steve Pribyl
- Re: PF Problems
  - From: Patrick Welche
- Re: PF Problems
  - From: Steve Pribyl

Prev by Date: Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
Next by Date: Re: dhcpd dup my socket?
Previous by Thread: Re: PF Problems
Next by Thread: re(4) and Realtek 8168
Indexes:

Home | Main Index | Thread Index | Old Index