Subject: Re: IPFilter practical limits?
To: Darren Reed <darrenr@NetBSD.org>
From: Peter Eisch <email@example.com>
Date: 03/27/2006 15:34:21
On 3/27/06 2:32 PM, "Darren Reed" <darrenr@NetBSD.org> wrote:
> On Mon, Mar 27, 2006 at 12:14:28PM -0600, Peter Eisch wrote:
>> Short of reading source, is there a practical guide for how to tune ipfilter
>> or how to use each of the configurable parameters?
> Unfortunately no.
When the state table is full or when the bucket usage reaches 100% (not sure
which), what happens to subsequent connections? I was observing that
sessions that should have had state were simply getting blocked with -AP
once the session no longer matched the 'flags S/SA' in the rules.
Should there have been a message somewhere that the insert into the state
table failed or there was no more memory available?
Are you aware of any institutions that use ipfilter as a firewall appliance
as opposed to a local host interface? I am using it in a configuration
where a Big IP or cisco director system might be used (lots of round-robin
Would pf get me an interface to introduce a shared state table across
multiple systems? (Redundancy has been my next road to travel.) I need to
protect servers of lots of low-bandwidth connections (>6000) and I've been
looking at options for growing.
I guess I should fire up a system with pf and take it for a drive. I see it
more as a tool for honeypot scripters or for people who have trouble getting
around ipf.conf rulesets. (which could have been me 4 years ago -- not
claiming any elitist status) Maybe it's more flexible for what I need. (?)
Thank you for your time, Darren (and software),
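One thing a practitioner would want when chasing the symptom described above (mid-session packets no longer matching `flags S/SA` and falling through to the block rule) is a quick check of whether state inserts are actually being refused. The following Python is an added example and is not part of the original thread or of IPFilter itself. It parses the `<count> <label>` counter lines that `ipfstat -s` prints; the sample text is constructed here to approximate that output, and the reading of the `maximum` and `no memory` counters as "insert refused because the table hit its limit" and "insert refused because allocation failed" is an assumption to verify against the ipfstat(8) of the version in use. The hash size passed in is likewise an assumed value standing in for the configured state hash size (the `fr_statesize` tunable); `fr_statemax` is the matching entry limit.

```python
"""Flag IPFilter state-table exhaustion from `ipfstat -s` style counters.

Added example, not from the original thread or from IPFilter. The sample
below is constructed to approximate `ipfstat -s` output; real layouts vary
by version, so the parser only relies on lines shaped like "<count> <label>".
"""
import re
import subprocess
from typing import Dict

# Constructed sample approximating `ipfstat -s` output (not captured from a real host).
SAMPLE_IPFSTAT_S = """\
IP states added:
\t5123 TCP
\t987 UDP
\t12 ICMP
\t1849321 hits
\t20412 misses
\t37 maximum
\t0 no memory
\t4096 bkts in use
\t6021 active
\t119034 expired
\t80211 closed
State logging enabled
"""

# A counter line: leading whitespace, an integer, then a short alphabetic label.
_COUNTER_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*$")


def parse_state_counters(text: str) -> Dict[str, int]:
    """Map every '<count> <label>' line to {label: count}; other lines are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def assess_state_table(counters: Dict[str, int], hash_size: int) -> Dict[str, object]:
    """Summarise pressure on the state table.

    hash_size is the configured state hash size (assumed to correspond to the
    fr_statesize tunable); 'bkts in use' against it shows how crowded the hash is.
    'maximum' and 'no memory' are read (assumption, check your ipfstat(8)) as
    counts of state inserts that were refused, which is the condition that turns
    an established session into packets that no longer match 'flags S/SA'.
    """
    refused = counters.get("maximum", 0)   # inserts refused: entry limit (fr_statemax) reached
    no_mem = counters.get("no memory", 0)  # inserts refused: kernel allocation failed
    bkts = counters.get("bkts in use", 0)
    pct = round(100.0 * bkts / hash_size, 1) if hash_size else 0.0
    return {
        "active": counters.get("active", 0),
        "inserts_refused": refused,
        "no_memory": no_mem,
        "bucket_usage_pct": pct,
        "exhausted": refused > 0 or no_mem > 0,
        "hash_crowded": pct >= 90.0,
    }


def read_live_counters() -> Dict[str, int]:
    """Collect counters from a live host by running ipfstat -s (needs privileges)."""
    out = subprocess.run(["ipfstat", "-s"], capture_output=True, text=True, check=True).stdout
    return parse_state_counters(out)


if __name__ == "__main__":
    # Offline run over the constructed sample; hash_size=4096 is an assumed value.
    report = assess_state_table(parse_state_counters(SAMPLE_IPFSTAT_S), hash_size=4096)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it periodically (or wire `read_live_counters` into a monitoring check) and alert when `exhausted` flips to true or `bucket_usage_pct` climbs toward 100: a non-zero refused count is the missing "the insert failed" message the thread asks about, and a crowded hash is the cue to raise the state hash size and entry limit together rather than one without the other.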