Date: Mon, 26 Feb 2007 19:18:52 +0100
From: Jacques Beigbeder <Jacques.Beigbeder@ens.fr>
To: freebsd-questions@freebsd.org
Subject: DNS and mail servers behind a PF firewall?
Message-ID: <20070226181852.GA853@trefle.ens.fr>
Hello,

My question is related to PF performance with large state tables.

FreeBSD : 5.5
hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
hw.physmem: 2138378240 = 2 Gb

If I put a mail server
  20 SMTP hits per second (thanks to spam...)
  15 seconds per SMTP dialog
  90 seconds for PF timeout tcp.close
the state table will have:
  20 * (90 + 15) * 2 ways = 5.000 entries

Since any mail generates a few DNS queries (reverse DNS, + DNSRBL queries), the state table will also get
  2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections) = 12.000 entries

So I'll get around 20.000 entries, each of them having a short lifetime.

Question:
. is such a number a performance problem? It seems strange to constantly add and delete entries for DNS requests in the state table.
. or do I have to write rules to avoid all the (unnecessary??) entries? As far as I understand, beginning with
  pass in quick proto udp from a.b.c.d port 53 to any ...
  same for TCP/25 ...
is the trick.

Thanks,

-- 
Jacques Beigbeder | Jacques.Beigbeder@ens.fr
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure | 45 rue d'Ulm | Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05 | Fax : (+33 1)1 44 32 20 75
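Added example, not part of the mailing-list thread: a small state-table sizing estimator that generalizes the rate * lifetime arithmetic in the post to any mix of tracked flows, reports the creation/expiry churn per second, and compares the total with PF's `set limit states` (PF's built-in default is 10000 states). The SMTP and DNS figures below are the post's own numbers; the `Flow` class, `estimate()` and the per-mail DNS query count of 5 turned into a 100/s rate are assumptions made for this example.

```python
"""Estimate how many PF state entries a traffic mix keeps alive (added
example; not the thread's code).  Each flow kind contributes
rate * (dialog time + PF timeout) * ways entries, as in the post."""
from dataclasses import dataclass
from typing import Dict, List

# PF's built-in default for 'set limit states'.  If the estimate exceeds it,
# either raise the limit in pf.conf or stop creating state for those flows.
DEFAULT_STATE_LIMIT = 10000


@dataclass
class Flow:
    """One kind of connection the firewall tracks (assumed helper type)."""
    name: str
    rate_per_sec: float   # new connections per second
    active_secs: float    # how long the dialog itself lasts
    timeout_secs: float   # PF timeout applied once the dialog ends
    ways: int = 2         # counted per direction, as the post does

    def states(self) -> float:
        # Little's law: entries alive = arrival rate * time each entry lives
        return self.rate_per_sec * (self.active_secs + self.timeout_secs) * self.ways

    def churn_per_sec(self) -> float:
        # entries inserted (and, in steady state, expired) every second
        return self.rate_per_sec * self.ways


def estimate(flows: List[Flow], limit: int = DEFAULT_STATE_LIMIT) -> Dict:
    """Total steady-state table size for the mix, plus headroom vs. the limit."""
    per_flow = {f.name: f.states() for f in flows}
    total = sum(per_flow.values())
    churn = sum(f.churn_per_sec() for f in flows)
    return {
        "per_flow": per_flow,
        "total": total,
        "churn_per_sec": churn,
        "limit": limit,
        "headroom": limit - total,
        "over_limit": total > limit,
    }


# Constructed inputs taken from the post: 20 SMTP sessions/s lasting 15 s with
# a 90 s tcp timeout, and 5 DNS lookups per mail (so 100/s) with the 60 s
# udp.multiple timeout; the DNS exchange itself is treated as instantaneous.
POST_FLOWS = [
    Flow("smtp", rate_per_sec=20, active_secs=15, timeout_secs=90),
    Flow("dns", rate_per_sec=20 * 5, active_secs=0, timeout_secs=60),
]


def post_estimate() -> Dict:
    """The post's scenario against PF's default state limit."""
    return estimate(POST_FLOWS)


if __name__ == "__main__":
    result = post_estimate()
    for name, n in result["per_flow"].items():
        print(f"{name:5s} {n:8.0f} states")
    print(f"total {result['total']:8.0f} states, "
          f"{result['churn_per_sec']:.0f} inserts/s, "
          f"limit {result['limit']} -> over limit: {result['over_limit']}")
```

With these inputs the DNS lookups dominate the table and the mix already exceeds PF's default limit, which is the case where one chooses between `set limit states` and simply not tracking the short-lived DNS and SMTP flows.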