Subject: Re: Ipfilter practical limits?
To: Peter Eisch <>
From: Manuel Bouyer <>
List: tech-kern
Date: 03/17/2006 15:09:11
On Fri, Mar 17, 2006 at 12:24:58AM -0600, Peter Eisch wrote:
> Does anyone have any practical limits, recommendations, guides or guidelines
> on how to maximize a 3.0 system as a firewall.  I've been hitting state
> table limits where the system just drops state for sessions without logging
> any errors or warnings.  I'll see log entries of packets that are blocked
> with the flags -AP for sessions that I'm tracing on the remote systems where
> the session was normal until "something happened."

You can try to change
#undef  LARGE_NAT
#define LARGE_NAT
in ip_nat.h and rebuild a kernel.
You can alsy try to bump IPSTATE_SIZE and IPSTATE_MAX in ip_state.h
(not sure how the values have to be choosen; maybe IPSTATE_SIZE has to be
a prime number, and IPSTATE_MAX a power of 2 + 1

Manuel Bouyer <>
     NetBSD: 26 ans d'experience feront toujours la difference