Subject: Ipfilter practical limits?
To: None <firstname.lastname@example.org>
From: Peter Eisch <email@example.com>
Date: 03/17/2006 00:24:58
Does anyone have any practical limits, recommendations, guides or guidelines
on how to maximize a 3.0 system as a firewall? I've been hitting state
table limits where the system just drops state for sessions without logging
any errors or warnings. I'll see log entries of packets that are blocked
with the flags -AP for sessions that I'm tracing on the remote systems where
the session was normal until "something happened."
I ask here as I'm sure someone has coped with this before and the ipfilter
web pages/FAQ are notably more geared to "how to configure" readers than "how
to manage" managers. The man pages give me handy info on how to run the
commands, but what can I do with it?
If the answer is "read the source like the rest of us", "this is off topic"
or such, I can handle that; I guess I'm wondering if there's a grail
somewhere, and if there were a group of people who might know, it would be
this list. So my apologies if this is out of line.
For example, from the ipfstat.8 man page I can read:
-s Show packet/flow state information (statistics only).
So when I run:
viper# ipfstat -s
IP states added:
0 no memory
98989 max bucket
0 no memory
866 bkts in use
State logging enabled
State table bucket statistics:
866 in use
15.09% bucket usage
0 minimal length
4 maximal length
1.142 average length
Where can I learn whether the "misses" are important? If the bucket usage
reached 100%, would anything be logged? What is "max bucket" and "maximum"
(either of them) and such?
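Added example, not from the original post or from the ipfilter project: a small POSIX sh check that parses the bucket-statistics lines of `ipfstat -s` as quoted above and exits non-zero when bucket usage or the longest bucket chain reaches a limit, so the condition can be alarmed on by cron or a monitoring agent instead of being discovered from silently dropped sessions. It assumes the line formats shown in the post ("15.09% bucket usage", "4 maximal length"); the sample text and the limit values are constructed.

```shell
#!/bin/sh
# Added example: check ipfilter state-table bucket statistics from `ipfstat -s`.
# Assumes the line formats quoted in the post; other ipfilter versions may
# word these lines differently, so adjust the awk patterns if they do.

# Sample output, constructed from the lines in the post, so the check can be
# exercised offline. On a real system feed it the output of: ipfstat -s
SAMPLE='IP states added:
0 no memory
98989 max bucket
0 no memory
866 bkts in use
State logging enabled
State table bucket statistics:
866 in use
15.09% bucket usage
0 minimal length
4 maximal length
1.142 average length'

# bucket_usage: print the "bucket usage" percentage (without the % sign)
# from ipfstat -s output read on stdin.
bucket_usage() {
    awk '/bucket usage/ { sub(/%/, "", $1); print $1 }'
}

# max_chain: print the "maximal length" value (taken here as the longest
# hash-bucket chain) from ipfstat -s output read on stdin.
max_chain() {
    awk '/maximal length/ { print $1 }'
}

# check_state_table USAGE_PCT_LIMIT CHAIN_LIMIT < ipfstat-output
# Returns 0 when both values are below their limits, 1 otherwise, printing a
# one-line reason on failure so the caller can log or page on it.
check_state_table() {
    limit_pct=$1
    limit_chain=$2
    out=$(cat)
    pct=$(printf '%s\n' "$out" | bucket_usage)
    chain=$(printf '%s\n' "$out" | max_chain)
    # awk does the floating-point comparison; sh's test only handles integers.
    if awk -v p="$pct" -v l="$limit_pct" 'BEGIN { exit !(p >= l) }'; then
        echo "ipf state table: bucket usage ${pct}% >= ${limit_pct}%"
        return 1
    fi
    if [ "$chain" -ge "$limit_chain" ]; then
        echo "ipf state table: longest bucket chain $chain >= $limit_chain"
        return 1
    fi
    return 0
}
```

Run it as `ipfstat -s | check_state_table 80 16` from cron and act on a non-zero exit; the limits are starting points, not ipfilter-defined thresholds.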