Subject: Ipfilter practical limits?
To: None <tech-kern@netbsd.org>
From: Peter Eisch <peter@boku.net>
List: tech-kern
Date: 03/17/2006 00:24:58
Does anyone have any practical limits, recommendations, guides or guidelines
on how to maximize a 3.0 system as a firewall? I've been hitting state
table limits where the system just drops state for sessions without logging
any errors or warnings. I'll see log entries of packets that are blocked
with the flags -AP for sessions that I'm tracing on the remote systems where
the session was normal until "something happened."
I ask here as I'm sure someone has coped with this before, and the ipfilter
web pages/FAQ are notably more geared to "how to configure" readers than "how
to manage" managers. The man pages give me handy info on how to run the
commands, but what can I do with it?
If the answer is "read the source like the rest of us", "this is off topic"
or such, I can handle that; I guess I'm wondering whether there's a grail
somewhere, and if there were a group of people who might know, it would be
this list. So my apologies if this is out of line.
For example, from the ipfstat.8 man page I can read:
-s Show packet/flow state information (statistics only).
So when I run:
viper# ipfstat -s
IP states added:
        1619744 TCP
        430589 UDP
        10333 ICMP
        152554244 hits
        4091221 misses
        209433 maximum
        0 no memory
        98989 max bucket
        209433 maximum
        0 no memory
        866 bkts in use
        989 active
        0 expired
        78767 closed
State logging enabled
State table bucket statistics:
        866 in use
        15.09% bucket usage
        0 minimal length
        4 maximal length
        1.142 average length
viper#
Where can I learn about whether the "misses" are important? If the bucket usage
reached 100%, would anything be logged? What is "max bucket" and "maximum"
(either of them) and such?
peter
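A small monitoring script, added here as an example; it is not part of the original post and not part of the ipfilter distribution. It pulls the counters out of the `ipfstat -s` text above, prints a one-line summary, flags the "maximum", "no memory" and "max bucket" lines when they are non-zero, and can diff two snapshots so a cron job notices counters that are still climbing. The treatment of those three lines as limit-event counters that should stay at zero, and of "misses" as lookups with no matching state entry, is an assumption made for this script; the post itself does not say what they mean. The sample text is the output quoted in the post, embedded so the script runs offline; on a live system replace `SAMPLE_IPFSTAT` with `"$(ipfstat -s)"`.

```shell
#!/bin/sh
# Added example (not from the original post or from ipfilter itself):
# summarise `ipfstat -s` and flag counters that look like limit events.
#
# Assumption (not confirmed by the post): "maximum", "no memory" and
# "max bucket" are event counters that stay at zero on a healthy box,
# and "misses" counts lookups that found no matching state entry.

# Constructed sample: the figures quoted in the post, with the two
# duplicated "maximum"/"no memory" lines dropped.  Replace with
# "$(ipfstat -s)" on a live firewall.
SAMPLE_IPFSTAT='IP states added:
	1619744 TCP
	430589 UDP
	10333 ICMP
	152554244 hits
	4091221 misses
	209433 maximum
	0 no memory
	98989 max bucket
	866 bkts in use
	989 active
	0 expired
	78767 closed
State logging enabled
State table bucket statistics:
	866 in use
	15.09% bucket usage
	0 minimal length
	4 maximal length
	1.142 average length'

# ipf_field LABEL TEXT: print the value that precedes LABEL on its line,
# e.g. ipf_field "max bucket" "$TEXT" -> 98989.  Prints nothing if absent.
# A trailing "%" (bucket usage) is stripped so the value stays numeric.
ipf_field() {
    printf '%s\n' "$2" | awk -v label="$1" '
        {
            sub(/^[ \t]+/, "")
            n = index($0, " ")
            if (n > 0 && substr($0, n + 1) == label) {
                v = substr($0, 1, n - 1)
                sub(/%$/, "", v)
                print v
                exit
            }
        }'
}

# ipf_miss_pct TEXT: misses as a percentage of all lookups (hits + misses),
# one decimal place.
ipf_miss_pct() {
    hits=$(ipf_field hits "$1")
    misses=$(ipf_field misses "$1")
    awk -v h="$hits" -v m="$misses" \
        'BEGIN { printf "%.1f\n", (h + m) ? 100 * m / (h + m) : 0 }'
}

# ipf_check TEXT: one WARN line per non-zero limit counter, one INFO line
# with the load figures; returns 1 if any WARN fired, 0 otherwise.
ipf_check() {
    rc=0
    for label in "maximum" "no memory" "max bucket"; do
        v=$(ipf_field "$label" "$1")
        if [ -n "$v" ] && [ "$v" -ne 0 ]; then
            echo "WARN ${label}=${v}"
            rc=1
        fi
    done
    echo "INFO active=$(ipf_field active "$1") \
bkts_in_use=$(ipf_field "bkts in use" "$1") \
bucket_usage=$(ipf_field "bucket usage" "$1")% \
miss_pct=$(ipf_miss_pct "$1")"
    return $rc
}

# ipf_delta LABEL OLD_TEXT NEW_TEXT: growth of LABEL between two snapshots.
# From cron, save the previous `ipfstat -s` to a file and pass both texts;
# a counter that keeps growing is a limit being hit right now, not history.
ipf_delta() {
    old=$(ipf_field "$1" "$2")
    new=$(ipf_field "$1" "$3")
    echo $(( ${new:-0} - ${old:-0} ))
}

if ipf_check "$SAMPLE_IPFSTAT"; then
    echo "state table: no limit counters set"
else
    echo "state table: limit counters are non-zero, investigate"
fi
```

The absolute counters only tell you that a limit was hit at some point since boot; the delta is what says whether it is still happening, which is the question the remote-side traces above raise.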