Subject: Re: Ipfilter practical limits?
To: Peter Eisch <email@example.com>
From: Manuel Bouyer <firstname.lastname@example.org>
Date: 03/17/2006 15:09:11
On Fri, Mar 17, 2006 at 12:24:58AM -0600, Peter Eisch wrote:
> Does anyone have any practical limits, recommendations, guides or guidelines
> on how to maximize a 3.0 system as a firewall. I've been hitting state
> table limits where the system just drops state for sessions without logging
> any errors or warnings. I'll see log entries of packets that are blocked
> with the flags -AP for sessions that I'm tracing on the remote systems where
> the session was normal until "something happened."
You can try to change
in ip_nat.h and rebuild a kernel.
You can alsy try to bump IPSTATE_SIZE and IPSTATE_MAX in ip_state.h
(not sure how the values have to be choosen; maybe IPSTATE_SIZE has to be
a prime number, and IPSTATE_MAX a power of 2 + 1
Manuel Bouyer <email@example.com>
NetBSD: 26 ans d'experience feront toujours la difference