Subject: Re: Ipfilter practical limits?
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Frank Kardel <kardel@netbsd.org>
List: tech-kern
Date: 03/17/2006 16:20:10
Manuel Bouyer wrote:

>On Fri, Mar 17, 2006 at 12:24:58AM -0600, Peter Eisch wrote:
>
>>Does anyone have any practical limits, recommendations, guides or guidelines
>>on how to maximize a 3.0 system as a firewall.  I've been hitting state
>>table limits where the system just drops state for sessions without logging
>>any errors or warnings.  I'll see log entries of packets that are blocked
>>with the flags -AP for sessions that I'm tracing on the remote systems where
>>the session was normal until "something happened."
>
>You can try to change
>#undef  LARGE_NAT
>to
>#define LARGE_NAT
>in ip_nat.h and rebuild a kernel.
>You can also try to bump IPSTATE_SIZE and IPSTATE_MAX in ip_state.h
>(not sure how the values have to be chosen; maybe IPSTATE_SIZE has to be
>a prime number, and IPSTATE_MAX a power of 2 + 1).
>
You can try, tell me if it works - at my site it just delayed entering the state of silence a bit.

Frank
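The silent state drops discussed in this thread show up in ipfilter's own state counters before they show up in the logs. The following shell check is an added example, not code from the thread or from NetBSD; it assumes the `ipfstat -s` output layout shown in the constructed sample (a counter value followed by its label, with "maximum" counting states refused because the table was full and "no memory" those refused for lack of memory).

```shell
# Constructed sample of `ipfstat -s` state statistics (not captured from a
# real host). "maximum" = new states refused because the table was full,
# "no memory" = new states refused because allocation failed.
SAMPLE_FULL='IP states added:
    182339 TCP
    4410 UDP
    12 ICMP
    9911203 hits
    4020 misses
    37 maximum
    0 no memory
    1011 bkts in use
    4095 active
    180001 expired
    2264 closed'

# ipf_counter LABEL: read ipfstat -s output on stdin and print the value of
# the counter whose label is LABEL (e.g. "maximum", "no memory"); fail if absent.
ipf_counter() {
    awk -v label="$1" '
        { v = $1; $1 = ""; sub(/^[ \t]+/, "")
          if ($0 == label) { print v; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# ipf_state_check TEXT: return 0 when no state has been refused, 1 when the
# "maximum" or "no memory" counter is non-zero (states are being dropped
# without any log entry, the symptom in the thread), 2 if counters are missing.
ipf_state_check() {
    max=$(printf '%s\n' "$1" | ipf_counter maximum) || return 2
    nomem=$(printf '%s\n' "$1" | ipf_counter "no memory") || return 2
    if [ "$max" -gt 0 ] || [ "$nomem" -gt 0 ]; then
        echo "state table refused entries: maximum=$max no_memory=$nomem"
        return 1
    fi
    echo "state table healthy: maximum=$max no_memory=$nomem"
    return 0
}

# On the live firewall (as root) use: ipf_state_check "$(ipfstat -s)"
ipf_state_check "$SAMPLE_FULL" \
    || echo "action: raise IPSTATE_SIZE/IPSTATE_MAX (and LARGE_NAT) as suggested above"
```

Run it from cron and compare the "maximum" value between runs: a counter that keeps climbing after the kernel rebuild means the new limits are still too small for the site's session rate.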