Subject: Re: Ipfilter practical limits?
To: Peter Eisch <>
From: Frank Kardel <>
List: tech-kern
Date: 03/17/2006 11:18:16
Peter Eisch wrote:

>Does anyone have any practical limits, recommendations, guides or guidelines
>on how to maximize a 3.0 system as a firewall.  I've been hitting state
>table limits where the system just drops state for sessions without logging
>any errors or warnings.  I'll see log entries of packets that are blocked
>with the flags -AP for sessions that I'm tracing on the remote systems where
>the session was normal until "something happened."
To add a datapoint here - I have seen such effects also. Suddenly new 
were not progressing. Not errors logged. exorbitant number of states.

Also increasing limits and reducing state timeouts didn't help much.
As this was on a production system I couldn't debug it long enough.
So I switched to pf which works fine. Before 3.0 we had 1.6.1 running 
without a hitch (no crashes, not stalls).

please send-pr this - it now seems that I was not seeing ghosts.