After upgrading my firewall/gateway from NetBSD 1.4.1 to the
NetBSD-release branch 1.4.2_ALPHA (sources from Feb 12) with ipfilter 
version 3.3.6 I got some serious problems.

The firewall works fine for hours and then started to reject most
connections. 

"ipfstat -s|grep ttl|wc -l" gave 2048, i.e., the maximum number of
states held defined by IPSTATE_MAX (ip_state.h) was reached.

Now I try a new kernel with a bigger IPSTATE_MAX. 
Is this the solution ?

Nevertheless, if there is a fixed upper bound of the keep-state table
entries you can simply run into a DoS situation ?
Are there some recommendations which size should I use ?

Regards,
Uwe