Subject: Re: IPFilter practical limits?
To: Darren Reed <>
From: Peter Eisch <>
List: tech-kern
Date: 03/27/2006 15:34:21
On 3/27/06 2:32 PM, "Darren Reed" <> wrote:

> On Mon, Mar 27, 2006 at 12:14:28PM -0600, Peter Eisch wrote:
>> Short of reading source, is there a practical guide for how to tune ipfilter
>> or how to use each of the configurable parameters?
> Unfortunately no.

When the state table is full or when the bucket usage reaches 100% (not sure
which), what happens to subsequent connections?  I was observing that
sessions that should have had state were simply getting blocked with -AP
once the session no longer matched the 'flags S/SA' in the rules.

Should there have been a message somewhere that the insert into the state
table failed or there was no more memory available?

Are you aware of any institutions that use ipfilter as a firewall appliance
as opposed to a local host interface?  I am using it in a configuration
where a Big IP or cisco director system might be used (lots of round-robin

Would pf get me an interface to introduce a shared state table across
multiple systems?  (Redundancy has been my next road to travel.)  I need to
protect servers of lots of low-bandwidth connections (>6000) and I've been
looking at options for growing.

I guess I should fire up a system with pf and take it for a drive.  I see it
more as a tool for honeypot scripters or for people who have trouble getting
around ipf.conf rulesets.  (which could have been me 4 years ago -- not
claiming any elitist status)  Maybe its more flexible for what I need.  (?)

Thank you for your time, Darren (and software),