From owner-freebsd-net Sun Jan 19 17:21:14 2003
Subject: Re: ipfilter/ipnat problems
In-Reply-To: <200301191602.13233.mdouhan@fruitsalad.org>
To: Matt Douhan
Date: Mon, 20 Jan 2003 04:22:29 +0300 (MSK)
From: "."@babolo.ru
Cc: freebsd-net@freebsd.org
Message-Id: <1043025749.163878.39493.nullmailer@cicuta.babolo.ru>

> I am hoping this is the right forum for my question
>
> I am running 4.7-STABLE as of 18th Jan 2003, using ipf/ipnat for firewall.
> During normal loads (ipnat -l showing about 1000 connections) everything
> works fine, but during higher loads (ipnat -l showing over 3000 conns) the
> firewalls get into a state where they drop connections, and users fall off
> IRC, web pages get connection refused messages and mail servers start to have
> timeout problems.
>
> I have recompiled the kernel with LARGE_NAT defined; that did not help. I have
> changed the values in ip_state.h as per Darren's suggestions on the web; this
> does not help. I have changed tcp idle timers using sysctl to try and tear
> down connections faster, but none of this helps.
>
> Anyone have any ideas?

I use ipfw and a lot of natd daemons:

0sw~(3)>ps -axww | grep nat
  917  ??  Is    14:22,03 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.100.pid -a X.Y.70.127 -i 100 -o 101 -d
  919  ??  Ss    17:55,51 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.102.pid -a X.Y.69.127 -i 102 -o 103 -d
  921  ??  Ss    27:40,81 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.104.pid -a X.Y.70.192 -i 104 -o 105 -d
  923  ??  Ss    48:48,86 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.106.pid -a X.Y.71.127 -i 106 -o 107 -d
  925  ??  Ss     9:24,32 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.108.pid -a X.Y.71.192 -i 108 -o 109 -d
  927  ??  Ss    11:59,76 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.110.pid -a X.Y.71.63 -i 110 -o 111 -d
  929  ??  Is     0:00,64 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.114.pid -a X.Y.70.191 -i 114 -o 115 -d
  931  ??  Is     0:00,08 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.200.pid -a X.Y.71.128 -i 200 -o 201 -d
  933  ??  Is     1:28,27 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.98.pid -a X.Y.69.192 -i 98 -o 99 -d

to share load and IPs. But it needs a patch
http://free.babolo.ru/patch/src.sbin.natd.patch
for the -P flag. Maybe I filed a PR for this feature some time ago...
.. found: bin/37159

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
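The multi-natd layout in the reply above, written out as an added example that is not code from the original message or from FreeBSD's natd/ipfw sources. Each natd instance in the ps output owns one public alias address (-a), one inbound divert port (-i) and one outbound divert port (-o), and runs with -d (deny_incoming), so inbound packets to an alias address that match no translation-table entry are dropped rather than forwarded; -P names a per-instance pid file, which is the flag the author's patch (PR bin/37159) adds and which later natd(8) releases carry. The script only prints the natd command lines and the ipfw divert rules that would feed them, so the plan can be reviewed before anything is applied. The config path and pid-file naming follow the ps output; the split of outbound traffic by internal source subnet, the subnets themselves and the interface name fxp0 are assumptions made for the example, since the thread does not say how outbound traffic is distributed among the instances.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD.
# Prints (never executes) the natd command line and ipfw divert rules for
# each instance of a multi-natd setup. Assumed: outbound traffic is split
# per instance by internal source subnet; subnets and interface are
# constructed for this example.

NAT_CONF=/var/net/conf/nat.base   # config file path as seen in the ps output

# natd_cmd ALIAS_IP IN_PORT OUT_PORT
# One natd invocation: -i/-o inbound/outbound divert ports, -a the public
# alias address, -d (deny_incoming) drops inbound packets with no
# translation-table entry, -P a per-instance pid file (the patched flag).
natd_cmd() {
    printf '/sbin/natd -f %s -P /var/run/natd.%s.pid -a %s -i %s -o %s -d\n' \
        "$NAT_CONF" "$2" "$1" "$2" "$3"
}

# divert_rules RULE_NO ALIAS_IP IN_PORT OUT_PORT INT_SUBNET EXT_IF
# The two ipfw rules feeding one instance: outbound packets from INT_SUBNET
# go to OUT_PORT, inbound packets addressed to ALIAS_IP go to IN_PORT, so
# each natd only ever sees the flows it translated itself.
divert_rules() {
    printf 'ipfw add %s divert %s ip from %s to any out via %s\n' \
        "$1" "$4" "$5" "$6"
    printf 'ipfw add %s divert %s ip from any to %s in via %s\n' \
        "$(( $1 + 1 ))" "$3" "$2" "$6"
}

# plan_instances EXT_IF < table
# Reads "ALIAS_IP IN_PORT OUT_PORT INT_SUBNET" lines from stdin and prints
# rules plus natd command per instance, numbering rules 1000, 1010, 1020...
plan_instances() {
    rule=1000
    while read -r alias inport outport subnet; do
        case "$alias" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        divert_rules "$rule" "$alias" "$inport" "$outport" "$subnet" "$1"
        natd_cmd "$alias" "$inport" "$outport"
        rule=$(( rule + 10 ))
    done
}

# Constructed table: alias addresses and ports as in the ps output (masked
# as X.Y there), internal subnets invented for the example.
SAMPLE_TABLE='# alias        in   out  internal-subnet
X.Y.70.127     100  101  192.168.0.0/24
X.Y.69.127     102  103  192.168.1.0/24
X.Y.70.192     104  105  192.168.2.0/24'

printf '%s\n' "$SAMPLE_TABLE" | plan_instances fxp0
```

Run it as-is to see the plan for the three sample instances; replace the table and interface with real values and pipe the output through sh only after checking that every alias address has exactly one inbound rule and that no two instances share a divert port.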