From: Daniel Lang
To: Martin Stiemerling
Cc: freebsd-net@freebsd.org
Date: Tue, 22 Apr 2003 16:03:08 +0200
Subject: Re: IPfilter changes?
Message-ID: <20030422140308.GK49848@atrbg11.informatik.tu-muenchen.de>

Hi Martin,

Martin Stiemerling wrote on Tue, Apr 22, 2003 at 03:21:34PM +0200:
[..]
> Ah, ok, so you are running out of state table entries...

Oh well. That's a statement I can use. :)

[..]
> That's OK, i.e. no out of memory problems within IP Filter.
>
> Would be nice to see the "State table bucket statistics" output from the
> end of ipfstat -s.

The buckets and active states kept changing, around 1500-4000+.
I talked to our netadmin, who told me that this could be the problem.
In my ruleset I seem to carry _lots_ of unnecessary state information
around. I changed this to keep state only for outgoing connections and
flags S/SA set. I will see how it behaves.

Thanks a lot so far.

Daniel
--
IRCnet: Mr-Spock
 - Agartim billiard bumba m'abdul in papejim twista - rumba rock n rolla.
   Leik'ab mai. Spirzon Heroin se'osit gaula. -
 - Marijuana esit gaula. Haschisch. Opis. -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
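
Added example, not part of the original message and not the poster's actual ruleset: the kind of change described above, written as IPFilter rules. The interface name fxp0 and the "before" rules are assumptions, since the message does not show the original ruleset.

```conf
# Constructed ipf.conf fragments; fxp0 is an assumed interface name.

# Before (assumed): state is kept in both directions and on any TCP
# segment, so a stray ACK, FIN or RST that matches a rule, and every
# inbound probe, allocates its own state table entry.
pass in  quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto tcp from any to any keep state

# After: only an outgoing initial SYN (SYN set, ACK clear) creates state.
# Replies match the existing state entry and need no rule of their own.
# The inbound policy is not described in the message and is left out here.
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state
```

Comparing the active state count reported by ipfstat -s before and after such a change shows whether the table still fills up.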