Subject: Ipfilter practical limits?
To: None <>
From: Peter Eisch <>
List: tech-kern
Date: 03/17/2006 00:24:58
Does anyone have any practical limits, recommendations, guides or guidelines
on how to maximize a 3.0 system as a firewall.  I've been hitting state
table limits where the system just drops state for sessions without logging
any errors or warnings.  I'll see log entries of packets that are blocked
with the flags -AP for sessions that I'm tracing on the remote systems where
the session was normal until "something happened."

I ask here as I'm sure someone has coped with this before and the ipfilter
web pages/FAQ is notably more geared to "how to configure" readers than "how
to manage" managers.  That man pages give me handy info on how to run the
commands, but what can I do with it?

If the answer is "read the source like the rest of us", "this is off topic"
or such, I can handle that, I guess I'm wondering if there's a grail
somewhere and if there were a group of people who might know, it would be
this list.  So my apologies if this is out of line.

For example, from the ipfstat.8 man page I can read:

       -s     Show packet/flow state information (statistics only).

So when I run:

viper# ipfstat -s
IP states added:
        1619744 TCP
        430589 UDP
        10333 ICMP
        152554244 hits
        4091221 misses
        209433 maximum
        0 no memory
        98989 max bucket
        209433 maximum
        0 no memory
        866 bkts in use
        989 active
        0 expired
        78767 closed
State logging enabled

State table bucket statistics:
        866 in use 
        15.09% bucket usage
        0 minimal length
        4 maximal length
        1.142 average length


Where can I learn about if the "misses" are important?  If the bucket usage
reached 100%, would anything be logged?  What is "max bucket" and "maximum"
(either of them) and such?