From: Matt Douhan
To: freebsd-net@freebsd.org
Subject: ipfilter/ipnat problems
Date: Sun, 19 Jan 2003 16:02:05 +0000

Hi,

I am hoping this is the right forum for my question.

I am running 4.7-STABLE as of 18th Jan 2003, using ipf/ipnat for firewall. During normal loads (ipnat -l showing about 1000 connections) everything works fine, but during higher loads, ipnat -l showing over 3000 conns, the firewalls get into a state where they drop connections, and users fall off IRC, web pages get connection refused messages and mailservers start to have timeout problems.

I have recompiled the kernel with LARGE_NAT defined; that did not help. I have changed the values in ip_state.h as per Darren's suggestions on the web; this does not help. I have changed tcp idle timers using sysctl to try and tear down connections faster, but none of this helps.

Anyone have any ideas?

Please reply direct to my email as I am not subscribed to this list normally.

--
Matt Douhan
www.fruitsalad.org
CCIE #4004
*** ping elvis ***
*** elvis is alive ***