Subject: Re: IPFilter practical limits?
To: None <email@example.com>
From: Darren Reed <darrenr@NetBSD.org>
Date: 03/24/2006 05:42:34
If you want to tune the table sizes used by IPFilter,
you can use the "-T" command line option for IPFilter.
If you do "ipf -T list", you'll be presented with a list
of tunables, their current, minimum and maximum values.
Some of the values can only be changed when IPFilter is
disabled (ipf -D). If you want to make a setting permanent,
you need to make it part of /etc/rc.d/ipfilter.
"Misses" are the packets that are received or sent by the system
that do not match any state.
The important number in "ipfstat -s" output is "Maximum"; you
ideally want that to be 0, along with "max bucket".
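
The check described in the message above, as an added example that is not part of the original e-mail: a shell function that reads "ipfstat -s" output and reports when "maximum" or "max bucket" is non-zero. The function names, the assumed "<count> <label>" line layout and the sample counters are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# check_state_pressure reads "ipfstat -s" output on stdin and prints each of
# the two counters named in the message ("maximum", "max bucket") that is
# non-zero.
# Exit status: 0 = both zero, 1 = at least one non-zero, 2 = counters missing.
check_state_pressure() {
    awk '
        # Assumed line layout: "<count> <label>", e.g. "   3 max bucket".
        {
            count = $1
            label = tolower($0)                       # match case-insensitively
            sub(/^[ \t]*[0-9]+[ \t]+/, "", label)     # drop the leading count
            sub(/[ \t]+$/, "", label)                 # drop trailing blanks
        }
        $1 ~ /^[0-9]+$/ && (label == "maximum" || label == "max bucket") {
            seen++
            if (count + 0 > 0) { printf "%s=%d\n", label, count; bad = 1 }
        }
        END {
            if (seen < 2) exit 2      # output did not contain both counters
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample input (not captured from a real system).
sample_stats() {
    cat <<'EOF'
IP states added:
        5120 TCP
        873 UDP
        12 ICMP
        918344 hits
        20417 misses
        37 maximum
        0 no memory
        3 max bucket
        4013 active
EOF
}

# On a live host: ipfstat -s | check_state_pressure
sample_stats | check_state_pressure || echo "state table needs tuning (see ipf -T list)"
```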