From owner-freebsd-performance@FreeBSD.ORG  Mon May  5 10:35:16 2003
Return-Path: <owner-freebsd-performance@FreeBSD.ORG>
Delivered-To: freebsd-performance@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CE96237B401
	for <freebsd-performance@freebsd.org>;
	Mon,  5 May 2003 10:35:16 -0700 (PDT)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0543B43F3F
	for <freebsd-performance@freebsd.org>;
	Mon,  5 May 2003 10:35:16 -0700 (PDT)
	(envelope-from anderson@centtech.com)
Received: from centtech.com (electron.centtech.com [204.177.173.173])
	by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h45HZC56006867;
	Mon, 5 May 2003 12:35:12 -0500 (CDT)
	(envelope-from anderson@centtech.com)
Message-ID: <3EB6A0BF.1040803@centtech.com>
Date: Mon, 05 May 2003 12:34:55 -0500
From: Eric Anderson <anderson@centtech.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US;
	rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Clement Laforet <sheep.killer@cultdeadsheep.org>
References: <3EB67822.3070802@centtech.com>
	<20030505182756.093fb1c3.sheep.killer@cultdeadsheep.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-performance@freebsd.org
Subject: Re: NAT performance tweaks
X-BeenThere: freebsd-performance@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Performance/tuning <freebsd-performance.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-performance>,
	<mailto:freebsd-performance-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-performance>
List-Post: <mailto:freebsd-performance@freebsd.org>
List-Help: <mailto:freebsd-performance-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-performance>,
	<mailto:freebsd-performance-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2003 17:35:17 -0000

Clement Laforet wrote:
> On Mon, 05 May 2003 09:41:38 -0500
> Eric Anderson <anderson@centtech.com> wrote:
> 
> 
>>Does anyone have any tweaks they apply to NAT firewalls that pass a
>>lot of connections through them?  Here's the ony tweak I have in place
>>already, but I'm not sure they're needed yet (or if there are any
>>tweaks needed at all):
> 
> 
> which NAT solution do you use ?

IPNAT and ipfilter..

>>sysctl kern.ipc.somaxconn=8192
> 
> 
> NAT'ing (except for natd which uses IPDIVERT (but not more than 3))
> doesn't use socket to translate packets.
> Generally, packets are tagged by firewall control software and
> translated within the IP stack (at leat in kernel land).

Oh yea, that's right.. So can you think of any kernel or other tweaks to 
be done, to ensure optimal usage of the machine in this environment? 
What about mail coming in/out of the machine? I do a fair amount of mail 
through it (out through NAT, in through Sendmail) also..

Eric


--
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------