Date: Thu, 06 Sep 2001 12:36:04 +0200
From: Mathieu Arnold <arn_mat@club-internet.fr>
To: Robert Moss <rmoss@bigpond.net.au>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfilter
Message-ID: <3B975194.541A6228@club-internet.fr>
References: <5.0.2.1.0.20010903183401.01fc43d8@localhost> <5.0.2.1.0.20010906194756.02078a68@localhost>
Robert Moss wrote:
>
> Mathieu,
> I suggest putting only these entries in your kernel config file, and
> rebuild:
>
> options IPFILTER
> options IPFILTER_LOG
>
> Leave out any other IPFIREWALL options as that is for a completely
> different firewall package, and is not compatible with IPFilter.
>
> I have attached my kernel config file.
>
> When you rebuild the kernel, make sure you remove the old build
> dir /usr/src/sys/compile/machinename
>
> And go about the normal kernel config from there

# uname -a
FreeBSD mano.absolight.com 4.3-RELEASE-p15 FreeBSD 4.3-RELEASE-p15 #0: Sun Sep 2 18:01:08 CEST 2001     root@mano.absolight.com:/usr/src/sys/compile/FW  i386

I don't have any IPFIREWALL things in my config :

# grep IP FW
options         IPSEC
options         IPSEC_ESP
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK
options         IPSTEALTH

and I've been using freebsd long enough as a workstation to know how
these things work :)
I'm just trying to use ipfilter on it as a firewall
traffic ~ 2MB/s
a /24 behind
600 ipf rules, with tcp using flags S/SA keep state keep frag
2 fxp cards
it's a pIII 650 with 256M of ram
and to prevent ipfilter's "no memory" from happening, I have an
ipf -Fs croned every 5 minutes...

> At 08:49 PM 5/09/2001 +0200, you wrote:
> >Robert Moss wrote:
> > >
> > > Hi, I think this problem relates to the amount of buckets in the NAT/FILTER
> > > hash table rather than physical memory.
> > >
> > > How many rules do you have, and how many connections are going through the
> > > server? I imagine a lot ;)
> > >
> > > I think there are a few other places where you have to modify the NAT/state
> > > table sizes, I'm running from memory here (about 1 year ago).
> > >
> > > Looks like you have done it right (from below text). Have you made sure to
> > > recompile (correctly) and reinstall the kernel object?
> >
> >yes, pretty sure, as ipfilter is compiled in the kernel and not as
> >module.
> >
> > > Also, check in ipnat -l how many NAT connections you have.
> >
> >well, 0 I guess as I don't do nat.
> >
> > > With the information here, I'm not sure what else to suggest.
> > >
> > > What version of IPFilter?
> > > What number of rules do you have
> > > ipnat -l | wc -l
> > > cat /etc/ipnat.conf | wc -l
> >
> >the version which comes with 4.3-RELEASE.
> >and I don't do nat, but ipfstat -io|wc -l should be between 400 and 600.
> >
> > > When you installed the new module, how did you do that?
> >
> >well, in the kernel, and reboot.
> >
> > > Cheers
> > > rob.
> > >
> > > At 07:07 PM 30/08/2001 +0200, you wrote:
> > > >Hi
> > > >
> > > >I'm having some problems with ipfilter :
> > > ># ipfstat -s
> > > >IP states added:
> > > >        4572145 TCP
> > > >        573649 UDP
> > > >        463188 ICMP
> > > >        1165608186 hits
> > > >        34257625 misses
> > > >        0 maximum
> > > >        1546129 no memory
> > > >        8208 bkts in use
> > > >        22215 active
> > > >        959216 expired
> > > >        3081422 closed
> > > ># uptime
> > > > 6:10PM  up 1 day,  7:24, 2 users, load averages: 0.08, 0.12, 0.27
> > > ># uname -r
> > > >4.3-RELEASE-p14
> > > >
> > > >as you can see, the no memory should stay at 0, but here, it's far from
> > > >good.
> > > >do you have some ideas...
> > > >btw, here are some things i've modified...
> > > >in /usr/src/sys/netinet/ip_state.c :
> > > >#define FIVE_DAYS       (2*2*3600)      /* 5 days: half closed session
> > > >*/
> > > >
> > > >in /usr/src/sys/netinet/ip_state.h :
> > > >#define IPSTATE_SIZE    1613321
> > > >#define IPSTATE_MAX     1048576 /* Maximum number of states held */
> > > >
> > > >any clue ?
> > > >
> > > >--
> > > >Mathieu Arnold
> > > >
> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > >with "unsubscribe freebsd-questions" in the body of the message
> >
> >--
> >Mathieu Arnold
> >
> ------------------------------------------------------------------------
>                  Name: kernel.conf
>    kernel.conf   Type: Plain Text (text/plain)

--
Mathieu Arnold
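The thread hinges on one counter in `ipfstat -s`: "no memory" should stay at 0, and the stopgap in use is a cron job flushing state every five minutes. The following script is an added example, not something posted by either participant or shipped with IPFilter. It parses `ipfstat -s` text of the shape quoted above (the sample is constructed from the figures in the thread), pulls out the "no memory", "active" and "bkts in use" counters, and prints a one-word verdict that a cron job or monitoring hook can act on. The function names, the healthy second sample, and the 90 % of IPSTATE_MAX warning threshold are all assumptions of this example; the IPSTATE_MAX value 1048576 is the one Mathieu set in ip_state.h.

```shell
#!/bin/sh
# ipf_counter LABEL
#   Read `ipfstat -s` output on stdin and print the number in front of LABEL
#   (e.g. "no memory", "active", "bkts in use"). Prints nothing if absent.
ipf_counter() {
    awk -v want="$1" '
        /^[[:space:]]*[0-9]+[[:space:]]/ {
            n = $1
            label = $0
            sub(/^[[:space:]]*[0-9]+[[:space:]]+/, "", label)   # strip the number
            sub(/[[:space:]]+$/, "", label)                       # strip trailing blanks
            if (label == want) { print n; exit }
        }'
}

# ipf_state_check IPSTATE_MAX
#   Read `ipfstat -s` output on stdin and print exactly one verdict:
#     NOMEM     state allocations have failed (the "no memory" counter is > 0)
#     NEAR_MAX  active states are at or above 90 % of IPSTATE_MAX (assumed threshold)
#     OK        neither condition holds
#   Details go to stderr so stdout stays machine-readable.
ipf_state_check() {
    max="$1"
    stats=$(cat)
    nomem=$(printf '%s\n' "$stats" | ipf_counter "no memory")
    active=$(printf '%s\n' "$stats" | ipf_counter "active")
    buckets=$(printf '%s\n' "$stats" | ipf_counter "bkts in use")
    : "${nomem:=0}" "${active:=0}" "${buckets:=0}"
    printf 'active=%s buckets_in_use=%s no_memory=%s ipstate_max=%s\n' \
        "$active" "$buckets" "$nomem" "$max" >&2
    if [ "$nomem" -gt 0 ]; then
        echo NOMEM
    elif [ $((active * 100)) -ge $((max * 90)) ]; then
        echo NEAR_MAX
    else
        echo OK
    fi
}

# Constructed sample: the `ipfstat -s` figures quoted in this thread.
SAMPLE_IPFSTAT='IP states added:
        4572145 TCP
        573649 UDP
        463188 ICMP
        1165608186 hits
        34257625 misses
        0 maximum
        1546129 no memory
        8208 bkts in use
        22215 active
        959216 expired
        3081422 closed'

# Constructed sample of a healthy table (no allocation failures) for contrast.
SAMPLE_HEALTHY='IP states added:
        120000 TCP
        9000 UDP
        3000 ICMP
        50000000 hits
        400000 misses
        0 maximum
        0 no memory
        3100 bkts in use
        4800 active
        90000 expired
        25000 closed'

# Stand-alone demo; on a live FreeBSD host replace the printf with `ipfstat -s |`.
printf '%s\n' "$SAMPLE_IPFSTAT" | ipf_state_check 1048576   # prints NOMEM
printf '%s\n' "$SAMPLE_HEALTHY" | ipf_state_check 1048576   # prints OK
```

Run from cron as `ipfstat -s | ipf_state_check 1048576` and alert on anything other than `OK`. The point of checking before flushing is that `ipf -Fs` removes only state entries that are not fully established TCP sessions, so it buys time rather than fixing the sizing; a verdict of NOMEM while `active` is far below IPSTATE_MAX (22215 against 1048576 in the quoted output) says the ceiling is not the constraint, which matches Robert's suggestion to look at the hash-table sizing and the kernel rebuild rather than at physical memory.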