Date: Tue, 17 Apr 2001 06:09:40 +1000 (Australia/ACT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: rsimmons@wlcg.com (Rob Simmons)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfilter state tables
Message-ID: <200104162009.GAA09445@caligula.anu.edu.au>
In-Reply-To: <Pine.BSF.4.33.0104161551110.55162-100000@mail.wlcg.com> from "Rob Simmons" at Apr 16, 2001 03:57:57 PM

In some mail from Rob Simmons, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> The total number of states that ipfilter can keep is governed by these
> two constants in src/sys/netinet/ip_state.h and
> /usr/src/contrib/ipfilter/ip_state.h:
> IPSTATE_SIZE
> IPSTATE_MAX
>
> They are set to 5737, and 4013 which is ok for average use, but causes
> problems for higher traffic firewalls.  Could these two have a kernel
> config file knob?  This would make life easier :)

I'll think about it.  It would require something like this, however:

    ipf -D
    sysctl -s net.inet.ipf.fr_statesize=123456
    ipf -E -f /etc/ipf.conf

- you couldn't change the state table size while IPFilter was enabled.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message