From: Darren Reed
Message-Id: <200104162009.GAA09445@caligula.anu.edu.au>
Subject: Re: ipfilter state tables
To: rsimmons@wlcg.com (Rob Simmons)
Date: Tue, 17 Apr 2001 06:09:40 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Rob Simmons" at Apr 16, 2001 03:57:57 PM

In some mail from Rob Simmons, sie said:
>
> The total number of states that ipfilter can keep is governed by these
> two constants in src/sys/netinet/ip_state.h and
> /usr/src/contrib/ipfilter/ip_state.h:
> IPSTATE_SIZE
> IPSTATE_MAX
>
> They are set to 5737, and 4013 which is ok for average use, but causes
> problems for higher traffic firewalls. Could these two have a kernel
> config file knob? This would make life easier :)

I'll think about it.

It would require something like this, however:

    ipf -D
    sysctl -s net.inet.ipf.fr_statesize=123456
    ipf -E -f /etc/ipf.conf

- you couldn't change the state table size while IPFilter was enabled.

Darren