Subject: Re: IFQ_MAXLEN: How large can it be?
To: Christoph Kaegi <kgc@zhwin.ch>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 11/15/2006 10:48:48

On Wed, 15 Nov 2006 08:57:01 +0100, Christoph Kaegi <kgc@zhwin.ch> wrote:
>
> Hello list
>
> Thanks to the help of Manuel, I found the above-mentioned
> setting which defines the size of the (per-adapter?) IP input
> queue.
>
> So I bumped this number on our quite busy firewall up from 256
> to 1024 and later to 4096, but I still get 1'026'678 dropped
> packets during 8 days uptime.
>
It's far from clear to me that this is a big help. There's a fair amount
of literature that says that too-large router queues are bad, since they
end up having many retransmissions of the same data. I suggest that you
look at other resources -- CPU and output line rate come to mind -- and
start playing with some of the fancier queueing options on your output
link. (I wonder -- it would be nice to be able to do RED on things like
the IP input queue. Is that possible?)
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb