Subject: Re: Problems with IP Filter 3.3.6 under NetBSD 1.4.2_ALPHA
To: Uwe Klaus <uklaus@hgb-leipzig.de>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 02/24/2000 02:20:28
In some email I received from Uwe Klaus, sie wrote:
>
> After upgrading my firewall/gateway from NetBSD 1.4.1 to the
> NetBSD-release branch 1.4.2_ALPHA (sources from Feb 12) with ipfilter
> version 3.3.6 I got some serious problems.
>
> The firewall worked fine for hours and then started to reject most
> connections.
>
> "ipfstat -s|grep ttl|wc -l" gave 2048, i.e., the maximum number of
> states held defined by IPSTATE_MAX (ip_state.h) was reached.
The head of "ipfstat -s" should show you how many are being dropped
because of this.
> Now I try a new kernel with a bigger IPSTATE_MAX.
> Is this the solution?
Yes. If NetBSD had better sysctl support, then you wouldn't need to
but alas...
> Nevertheless, if there is a fixed upper bound of the keep-state table
> entries you can simply run into a DoS situation?
Correct. I'd argue that is better than running out of kernel memory.
> Are there some recommendations which size should I use?
It is completely dependent on what your usage is.
For me, the defaults are excessive, but then it's just *me*.
Darren
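The thread above boils down to one operational question: is the IP Filter state table (bounded by IPSTATE_MAX, 2048 by default) full, and are new connections being dropped because of it? The following shell check is an added example, not code from the original message or from the IP Filter distribution. It parses the head of "ipfstat -s" and exits non-zero when the "maximum" counter (states refused because the table was full) or "no memory" counter is non-zero, or when the active count is within 10% of the compiled-in limit. The counter labels are assumed to match IPFilter 3.3.x output; the sample text below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original mail or IP Filter): gauge state-table
# pressure from "ipfstat -s" output. Labels "maximum", "no memory" and
# "active" are ASSUMED to match the head of ipfstat -s in IPFilter 3.3.x;
# check them against your own build before relying on this.

# Constructed sample: a table that has hit IPSTATE_MAX (2048) and has
# already refused 512 new states.
SAMPLE_FULL='IP states added:
	12345 TCP
	678 UDP
	9 ICMP
	1000000 hits
	20000 misses
	512 maximum
	0 no memory
	2048 active
	11000 expired
	1200 closed'

# Constructed sample: nothing dropped yet, but the table is 93% full.
SAMPLE_NEAR='IP states added:
	9000 TCP
	400 UDP
	3 ICMP
	700000 hits
	15000 misses
	0 maximum
	0 no memory
	1900 active
	8000 expired
	900 closed'

# ipstate_check TEXT [LIMIT]
#   TEXT  - output of "ipfstat -s" (pass "$(ipfstat -s)" on a live box)
#   LIMIT - the kernel's IPSTATE_MAX (default 2048, as in ip_state.h)
# Prints a one-line summary. Exit status:
#   0 - headroom available
#   1 - active states at or above 90% of LIMIT (raise IPSTATE_MAX soon)
#   2 - states have already been refused (maximum or "no memory" > 0)
ipstate_check() {
    text=$1
    limit=${2:-2048}
    printf '%s\n' "$text" | awk -v limit="$limit" '
        $2 == "maximum"              { maximum = $1 }
        $2 == "active"               { active  = $1 }
        $2 == "no" && $3 == "memory" { nomem   = $1 }
        END {
            pct = (active * 100) / limit
            printf "active=%d/%d (%.0f%%) refused(maximum)=%d nomem=%d\n",
                   active, limit, pct, maximum, nomem
            if (maximum > 0 || nomem > 0) exit 2
            if (pct >= 90) exit 1
            exit 0
        }'
}

# Stand-alone demonstration on the constructed samples.
ipstate_check "$SAMPLE_FULL" 2048 || echo "full table: status $?"
ipstate_check "$SAMPLE_NEAR" 2048 || echo "near limit: status $?"
ipstate_check "$SAMPLE_NEAR" 8192 && echo "after raising IPSTATE_MAX: ok"
```

On a live gateway, run it as `ipstate_check "$(ipfstat -s)" 2048` from cron and alert on a non-zero status; the "maximum" counter is the number the reply above points at, since it grows only when a new state is refused for lack of room. The percentage threshold is a judgement call (as the reply says, the right size depends entirely on your traffic), so treat 90% as a starting point rather than a rule.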