Subject: Re: Ipfilter practical limits?
To: Manuel Bouyer <firstname.lastname@example.org>
From: Frank Kardel <email@example.com>
Date: 03/17/2006 16:20:10
Manuel Bouyer wrote:
>On Fri, Mar 17, 2006 at 12:24:58AM -0600, Peter Eisch wrote:
>>Does anyone have any practical limits, recommendations, guides or guidelines
>>on how to maximize a 3.0 system as a firewall. I've been hitting state
>>table limits where the system just drops state for sessions without logging
>>any errors or warnings. I'll see log entries of packets that are blocked
>>with the flags -AP for sessions that I'm tracing on the remote systems where
>>the session was normal until "something happened."
>You can try to change
>in ip_nat.h and rebuild a kernel.
>You can also try to bump IPSTATE_SIZE and IPSTATE_MAX in ip_state.h
>(not sure how the values have to be chosen; maybe IPSTATE_SIZE has to be
>a prime number, and IPSTATE_MAX a power of 2 + 1)
You can try, tell me if it works - at my site it just delayed entering
the state of silence
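Since the thread is unsure about the constraints on IPSTATE_SIZE and IPSTATE_MAX, here is a small check to run over candidate values before editing ip_state.h and rebuilding. This is added example code, not from the thread or from ipfilter; it assumes the tentative rules stated above (table size prime, maximum a power of two plus one) and makes no claim that ipfilter itself enforces them. The sample values in main() are constructed, not ipfilter defaults.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sanity checks for candidate ip_state.h values before a kernel rebuild.
 * The constraints follow the thread's tentative advice (assumption):
 * IPSTATE_SIZE prime, IPSTATE_MAX a power of two plus one. */

/* Deterministic trial-division primality test; cheap enough for table sizes. */
bool is_prime(uint32_t n)
{
    if (n < 2) return false;
    if (n % 2 == 0) return n == 2;
    for (uint32_t d = 3; (uint64_t)d * d <= n; d += 2)
        if (n % d == 0) return false;
    return true;
}

/* True when n == 2^k + 1 for some k >= 0, i.e. n - 1 is a power of two. */
bool is_pow2_plus_one(uint32_t n)
{
    if (n < 2) return false;
    uint32_t m = n - 1;
    return (m & (m - 1)) == 0;
}

/* Smallest prime >= n; handy when enlarging IPSTATE_SIZE from a round number. */
uint32_t next_prime(uint32_t n)
{
    while (!is_prime(n)) n++;
    return n;
}

/* Returns 0 when both candidate values satisfy the assumed constraints,
 * otherwise a bitmask: bit 0 = IPSTATE_SIZE not prime,
 * bit 1 = IPSTATE_MAX not of the form 2^k + 1. */
int check_state_table(uint32_t ipstate_size, uint32_t ipstate_max)
{
    int problems = 0;
    if (!is_prime(ipstate_size)) problems |= 1;
    if (!is_pow2_plus_one(ipstate_max)) problems |= 2;
    return problems;
}

int main(void)
{
    /* Constructed candidates: a round number (fails both rules) and 65537. */
    uint32_t candidates[2] = { 65536, 65537 };
    for (int i = 0; i < 2; i++) {
        uint32_t v = candidates[i];
        int p = check_state_table(v, v);
        printf("IPSTATE_SIZE=%u IPSTATE_MAX=%u -> %s\n", v, v,
               p == 0 ? "ok" : "violates assumed constraints");
        if (p & 1)
            printf("  size not prime; next prime is %u\n", next_prime(v));
        if (p & 2)
            printf("  max is not 2^k + 1\n");
    }
    return 0;
}
```

The check only covers the shape of the numbers; whether a larger table actually stops the silent state loss the original poster describes still has to be confirmed by watching the state table after the rebuild, as Frank's reply warns.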