Subject: Re: IPFilter practical limits?
To: Peter Eisch <peter@boku.net>
From: Darren Reed <darrenr@NetBSD.org>
List: tech-kern
Date: 03/27/2006 21:47:14
On Mon, Mar 27, 2006 at 03:34:21PM -0600, Peter Eisch wrote:
> On 3/27/06 2:32 PM, "Darren Reed" <darrenr@NetBSD.org> wrote:
> 
> > On Mon, Mar 27, 2006 at 12:14:28PM -0600, Peter Eisch wrote:
> >> 
> >> Short of reading source, is there a practical guide for how to tune ipfilter
> >> or how to use each of the configurable parameters?
> > 
> > Unfortunately no.
> > 
> 
> When the state table is full or when the bucket usage reaches 100% (not sure
> which), what happens to subsequent connections?  I was observing that
> sessions that should have had state were simply getting blocked with -AP
> once the session no longer matched the 'flags S/SA' in the rules.

This has nothing to do with "fullness" of the tables.  I expect you're
seeing packets blocked due to bugs in tracking window scaling more
than anything else, and otherwise because the packets that are arriving
are too far out of sequence for ipfilter to deal with in stateful
matching.

> Should there have been a message somewhere that the insert into the state
> table failed or there was no more memory available?

When the limits are reached, you'll see a non-zero number next to the
line with "maximum" in it from running "ipfstat -s".

> Are you aware of any institutions that use ipfilter as a firewall appliance
> as opposed to a local host interface?  I am using it in a configuration
> where a BIG-IP or Cisco director system might be used (lots of round-robin
> definitions).

Yes.  People have used it in more kinds of scenarios than I can imagine.

Darren
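
The check Darren describes above, as an added example that is not part of the original thread or of IPFilter itself: a small POSIX sh script that reads "ipfstat -s" output and reports whether the "maximum" counter (the line Darren points at) is non-zero. The sample output embedded in the script is constructed to resemble the "IP states added:" block of "ipfstat -s"; the exact layout, and the "no memory" and "max bucket" counter names checked alongside "maximum", are assumptions about the ipfstat output format and may differ between IPFilter versions. In production you would feed the live output instead, e.g. "ipfstat -s | state_limits_exceeded".

```shell
#!/bin/sh
# Added example (not from the thread or from IPFilter): inspect the state
# statistics that "ipfstat -s" prints and flag the counters that indicate a
# state-table limit was reached.  Packets that arrive after a failed state
# insert no longer match "flags S/SA keep state" and fall through to the
# block rule, which is what shows up in ipmon as blocked "-AP" (ACK+PSH)
# packets mid-session.

# Constructed sample of the "IP states added:" block.  Layout and counter
# names other than "maximum" are assumptions about ipfstat's output format.
SAMPLE_IPFSTAT='IP states added:
        3 TCP
        0 UDP
        0 ICMP
        1024 hits
        57 misses
        12 maximum
        0 no memory
        0 max bucket
        2 active
        20 expired
        3 closed'

# state_counter NAME: read ipfstat -s text on stdin and print the integer
# that precedes counter NAME, or -1 if no such counter line is present.
# Lines look like "<whitespace><number> <counter name>".
state_counter() {
    awk -v n="$1" '
        $1 ~ /^[0-9]+$/ {
            v = $1; $1 = ""; sub(/^[ \t]+/, "")   # strip value, keep the name
            if ($0 == n) { print v; found = 1; exit }
        }
        END { if (!found) print -1 }'
}

# state_limits_exceeded: read ipfstat -s text on stdin, print each limit
# counter that is non-zero as "name=value", and return 0 if any was hit
# or 1 if the table limits were never reached.
state_limits_exceeded() {
    input=$(cat)
    rc=1
    # "maximum" is the counter named in the thread; the other two are
    # assumed names for the memory-exhaustion and bucket-overflow counters.
    for c in "maximum" "no memory" "max bucket"; do
        v=$(printf '%s\n' "$input" | state_counter "$c")
        if [ "$v" -gt 0 ] 2>/dev/null; then
            echo "$c=$v"
            rc=0
        fi
    done
    return $rc
}

# Run against the constructed sample (replace with: ipfstat -s | state_limits_exceeded).
if printf '%s\n' "$SAMPLE_IPFSTAT" | state_limits_exceeded; then
    echo "state table limits were hit: raise the limit or shorten timeouts"
else
    echo "state table limits not reached; look at window scaling / out-of-window packets"
fi
```

If the script reports a non-zero "maximum", the state table ran out of slots and the blocked mid-stream packets are explained by the missing state entries; if every counter is zero, as Darren says, the cause lies in stateful matching itself (window-scaling tracking or packets too far out of sequence) rather than in table size.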