Herb Peyerl wrote:
> Here's a graph that shows the behavior:
> 
> http://www.beer.org/images/nat.png

Nice graph :)

Well, here comes my guess:
Your NAT table is getting full because old entries are not getting 
cleaned fast enough. Try changing DEF_NAT_AGE from the default of 10 
minutes to something quite small, say 10 seconds (?). And also define 
LARGE_NAT.

Under NetBSD 1.4, this should be IPFilter 3.3.x. So search ip_nat.h in 
your kernel source dir, define LARGE_NAT and define DEF_NAT_AGE	to 
something smaller: 20 for 10 seconds. Recompile the kernel.

> I do intend to upgrade the machine in a few weeks, but I'm afraid that 
> the problem will remain ...

I also think that this will remain. If my proposals work, you will 
always have to compile a custom kernel.

BTW: Why are IPFilter variables like timeouts and "ages" NOT 
sysctl'able, like in FreeBSD? This would be very helpful.


Regards

Felix