Date: Thu, 06 Sep 2001 19:51:20 +1000 From: Robert Moss <rmoss@bigpond.net.au> To: Mathieu Arnold <arn_mat@club-internet.fr> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: ipfilter Message-ID: <5.0.2.1.0.20010906194756.02078a68@localhost> In-Reply-To: <3B9673B7.6BFED57C@club-internet.fr> References: <5.0.2.1.0.20010903183401.01fc43d8@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
--=====================_343546593==_
Content-Type: text/plain; charset="us-ascii"; format=flowed
Mathieu,
I suggest putting only these entries in your kernel config file, and
rebuild:
options IPFILTER
options IPFILTER_LOG
Leave out any other IPFIREWALL options as that is for a completely
different firewall package, and is not compatible with IPFilter.
I have attatched my kernel config file.
When you rebuild the kernel, make sure you remove the old build
dir /usr/src/sys/compile/machinename
And go about the normal kernel config from there
rob.
At 08:49 PM 5/09/2001 +0200, you wrote:
>Robert Moss wrote:
> >
> > Hi, i think this problem relates to the amount of buckets in the NAT/FILTER
> > hash table rather than physical memory.
> >
> > How many rules do you have, and how many connections are going through the
> > server? I imagine a lot ;)
> >
> > I think there are a few other places where you have to modify the NAT/state
> > table sizes, im running from memory here (about 1 year ago).
> >
> > Looks like you have done it right (from below text). Have you made sure to
> > recompile (correctly) and reinstall the kernel object?
>
>yes, pretty sure, as ipfilter is compiled in the kernel and not as
>module.
>
> > Also, check in ipnat -l how many NAT connections you have.
>
>well, 0 I guess as I don't do nat.
>
> > With the information here, im not sure what else to suggest.
> >
> > What version of IPFilter?
> > What number of rules do you have
> > ipnat -l | wc -l
> > cat /etc/ipnat.conf | wc -l
>
>the version which comes with 4.3-RELEASE.
>and I don't do nat, but ipfstat -io|wc -l should be between 400 and 600.
>
> > When you installed the new module, how did you do that?
>
>well, in the kernel, and reboot.
>
> > Cheers
> > rob.
> >
> > At 07:07 PM 30/08/2001 +0200, you wrote:
> > >Hi
> > >
> > >I'm having some problems with ipfilter :
> > ># ipfstat -s
> > >IP states added:
> > > 4572145 TCP
> > > 573649 UDP
> > > 463188 ICMP
> > > 1165608186 hits
> > > 34257625 misses
> > > 0 maximum
> > > 1546129 no memory
> > > 8208 bkts in use
> > > 22215 active
> > > 959216 expired
> > > 3081422 closed
> > ># uptime
> > > 6:10PM up 1 day, 7:24, 2 users, load averages: 0.08, 0.12, 0.27
> > ># uname -r
> > >4.3-RELEASE-p14
> > >
> > >as you can see, the no memory should stay at 0, but here, it's far from
> > >good.
> > >do you have some ideas...
> > >btw, here are some things i've modified...
> > >in /usr/src/sys/netinet/ip_state.c :
> > >#define FIVE_DAYS (2*2*3600) /* 5 days: half closed session
> > >*/
> > >
> > >in /usr/src/sys/netinet/ip_state.h :
> > >#define IPSTATE_SIZE 1613321
> > >#define IPSTATE_MAX 1048576 /* Maximum number of states held */
> > >
> > >any clue ?
> > >
> > >--
> > >Mathieu Arnold
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-questions" in the body of the message
>
>--
>Mathieu Arnold
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
--=====================_343546593==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="kernel.conf"
machine i386
cpu I686_CPU
ident "zero.lan"
maxusers 32
makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, NFS required
options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
device isa
device pci
device fdc
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
device atkbdc 1 # At keyboard controller
device atkbd # at keyboard
device psm # psm mouse
device vga # VGA screen
device splash
device sc 1
device npx
device sio # 8250, 16[45]50 based serial ports
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device rl # RealTek 8129/8139
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device random # Entropy device
device loop # Network loopback
device ether # Ethernet support
device ppp 1 # Kernel PPP
device pty # Pseudo-ttys (telnet etc)
device bpf 4 # Berkeley packet filter
options IPFILTER
options IPFILTER_LOG
--=====================_343546593==_
Content-Type: text/plain; charset="us-ascii"; format=flowed
--=====================_343546593==_--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.2.1.0.20010906194756.02078a68>