Subject: Re: Ipfilter practical limits?
To: Frank Kardel <kardel@netbsd.org>
From: Peter Eisch <peter@boku.net>
List: tech-kern
Date: 03/17/2006 10:20:46
On 3/17/06 4:18 AM, "Frank Kardel" <kardel@netbsd.org> wrote:

> Peter Eisch wrote:
> 
>> Does anyone have any practical limits, recommendations, guides or guidelines
>> on how to maximize a 3.0 system as a firewall?  I've been hitting state
>> table limits where the system just drops state for sessions without logging
>> any errors or warnings.  I'll see log entries of packets that are blocked
>> with the flags -AP for sessions that I'm tracing on the remote systems where
>> the session was normal until "something happened."
>
> To add a datapoint here - I have seen such effects also. Suddenly new
> connections were not progressing. No errors logged. Exorbitant number of
> states.
> 
> Also increasing limits and reducing state timeouts didn't help much.
> As this was on a production system I couldn't debug it long enough.
> So I switched to pf which works fine. Before 3.0 we had 1.6.1 running
> solidly without a hitch (no crashes, no stalls).
> 
> Please send-pr this - it now seems that I was not seeing ghosts.
> 

To the dismay of my managers, I will see if I can collect some info when it
hits the wall.  I've built a cron task that logs the state table count,
bucket usage count and bucket usage % and I've assigned a drone to tail the
log.  I'd anticipate that we see if I'm just hitting the ipfilter limits on
Monday or Tuesday around 11AM CST.  If I can get some real numbers to put in
a PR, I'll make it so.

I haven't even looked at pf before, so I have a little learning curve to
port our config and I have a weekend to learn it.  Or rewrite my ipf rules
to not keep state for as many sessions, but I have reasons to keep state for
these sessions.

Manuel: I've upped the limits (LARGE_NAT) and increased the NMBCLUSTERS to
8192 (though it never complained about cluster shortages) already and that
bought me about two weeks but our user growth caught up.

Thanks for the responses,
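A cron-style monitor in the spirit of the state-table logging task Peter describes, as an added example that is not his script. It assumes `ipfstat -s` prints one "count label" line per counter with the labels "active" and "bkts in use", and takes the configured state limit (IPSTATE_MAX, default 4013) and hash size (IPSTATE_SIZE, default 5737) as arguments, since ipfstat does not print them.

```shell
#!/bin/sh
# Added example, not from the thread: poll ipfilter state-table usage and
# warn before the table fills, since ipfilter itself logs nothing when it
# starts dropping state.
# Assumptions: `ipfstat -s` prints "<count> <label>" lines with labels
# "active" and "bkts in use"; the state limit (IPSTATE_MAX, 4013 default)
# and hash size (IPSTATE_SIZE, 5737 default) are passed as $1 and $2.

# Read ipfstat -s text on stdin; print: active bkts_in_use state_pct bucket_pct
state_usage() {
    awk -v max="${1:-4013}" -v nb="${2:-5737}" '
        $2 == "active"                            { act = $1 }
        $2 == "bkts" && $3 == "in" && $4 == "use" { bk = $1 }
        END {
            spct = (max > 0) ? int(act * 100 / max) : 0   # states used, %
            bpct = (nb > 0)  ? int(bk * 100 / nb)   : 0   # hash buckets used, %
            printf "%d %d %d %d\n", act, bk, spct, bpct
        }'
}

# Succeed when both percentages are below the threshold (default 80%).
below_threshold() {
    thresh=${2:-80}
    set -- $1
    [ "$3" -lt "$thresh" ] && [ "$4" -lt "$thresh" ]
}

# One log line per run; warn on stderr so cron mails it before the table fills.
log_state_usage() {
    line=$(state_usage "$1" "$2")
    printf '%s states=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
    below_threshold "$line" "$3" ||
        printf 'WARNING: ipfilter state table near its limit (%s)\n' "$line" >&2
}

# Constructed sample shaped like ipfstat -s output; not a real capture.
SAMPLE='IP states added:
    4912 TCP
    77 UDP
    3 ICMP
    3902 bkts in use
    3990 active
    611 expired
    411 closed'

# From cron, replace the sample with the live counters:
#   ipfstat -s | log_state_usage 4013 5737 80 >> /var/log/ipf-state.log
printf '%s\n' "$SAMPLE" | log_state_usage 4013 5737 80
```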