Date: Tue, 22 Apr 2003 16:03:08 +0200 From: Daniel Lang <dl@leo.org> To: Martin Stiemerling <Martin.Stiemerling@ccrle.nec.de> Cc: freebsd-net@freebsd.org Subject: Re: IPfilter changes? Message-ID: <20030422140308.GK49848@atrbg11.informatik.tu-muenchen.de> In-Reply-To: <3EA541DE.1080706@ccrle.nec.de> References: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de> <3E9E6D34.5020100@ccrle.nec.de> <20030422083532.GB49848@atrbg11.informatik.tu-muenchen.de> <3EA508EB.5020906@ccrle.nec.de> <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de> <20030422131133.GI49848@atrbg11.informatik.tu-muenchen.de> <3EA541DE.1080706@ccrle.nec.de>
index | next in thread | previous in thread | raw e-mail
Hi Martin,
Martin Stiemerling wrote on Tue, Apr 22, 2003 at 03:21:34PM +0200:
[..]
> Ah, ok, So you are running out of state table entries...
Oh well. Thats a statement I can use. :)
[..]
> That's OK, i.e. no out of memory problems within IP Filter.
>
> Would be nice to see the "State table bucket statistics" output from the
> end of ipfstat -s.
The buckets and active states kept changing, around 1500-4000+.
I talked to our netadmin, who told me, that this could be the problem.
In my ruleset I seems to carry _lots_ of unnecessary state information
around. I changed this to keep state only for outgoing connection
and flags S/SA set.
I will see, how it behaves.
Thanks a lot so far.
Daniel
--
IRCnet: Mr-Spock - Agartim billiard bumba m'abdul in papejim twista
- rumba rock n rolla. Leik'ab mai. Spirzon Heroin se'osit gaula. -
- Marijuana esit gaula. Haschisch. Opis. -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030422140308.GK49848>