Date: Mon, 20 Jan 2003 04:22:29 +0300 (MSK)
From: "."@babolo.ru
To: Matt Douhan <mdouhan@fruitsalad.org>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfilter/ipnat problems
Message-ID: <1043025749.163878.39493.nullmailer@cicuta.babolo.ru>
In-Reply-To: <200301191602.13233.mdouhan@fruitsalad.org>
> I am hoping this is the right forum for my question
>
> I am running 4.7-STABLE as of 18th Jan 2003, using ipf/ipnat for firewall,
> during normal loads (ipnat -l showing about 1000 connections) everything
> works fine, but during higher loads ipnat -l showing over 3000 conns, the
> firewalls get into a state where they drop connections, and users fall off
> IRC, web pages get connection refused messages and mailservers start to have
> timeout problems.
>
> I have recompiled the kernel with LARGE_NAT defined that did not help, I have
> changed the values in ip_state.h as per Darren's suggestions on the web, this
> does not help, I have changed tcp idle timers using sysctl to try and tear
> down connections faster but none of this helps.
>
> Anyone have any ideas?

I use ipfw and a lot of natd daemons:

0sw~(3)>ps -axww | grep nat
  917  ??  Is    14:22,03 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.100.pid -a X.Y.70.127 -i 100 -o 101 -d
  919  ??  Ss    17:55,51 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.102.pid -a X.Y.69.127 -i 102 -o 103 -d
  921  ??  Ss    27:40,81 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.104.pid -a X.Y.70.192 -i 104 -o 105 -d
  923  ??  Ss    48:48,86 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.106.pid -a X.Y.71.127 -i 106 -o 107 -d
  925  ??  Ss     9:24,32 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.108.pid -a X.Y.71.192 -i 108 -o 109 -d
  927  ??  Ss    11:59,76 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.110.pid -a X.Y.71.63 -i 110 -o 111 -d
  929  ??  Is     0:00,64 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.114.pid -a X.Y.70.191 -i 114 -o 115 -d
  931  ??  Is     0:00,08 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.200.pid -a X.Y.71.128 -i 200 -o 201 -d
  933  ??  Is     1:28,27 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.98.pid -a X.Y.69.192 -i 98 -o 99 -d

to share load and IPs. But it needs a patch
http://free.babolo.ru/patch/src.sbin.natd.patch
for the -P flag. Maybe I filed a PR for this feature some time ago...
found: bin/37159
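The reply shows one natd per alias address and divert-port pair but not the ipfw rules that steer traffic to each instance. The script below is an added example, not the poster's configuration: it prints the natd command line for each instance (following the -a/-i/-o/-P pattern in the ps output) and the matching pair of ipfw divert rules, so each internal subnet gets its own NAT state table and alias address. The internal subnets, the external interface name (fxp0), the rule numbers and the "in port + 1 = out port" convention are assumptions; it only prints the commands, so an administrator can review them before piping the output to sh.

```shell
#!/bin/sh
# Added example (not from the thread): emit natd invocations and the ipfw
# divert rules that split NAT load across several natd instances.
# Subnets, interface and rule numbers are constructed placeholders; the
# alias addresses and port pairs mirror the first three lines of the ps output.

EXT_IF="${EXT_IF:-fxp0}"          # assumed external interface
NAT_CONF="/var/net/conf/nat.base" # shared natd config, as in the thread

# Instance table: <internal subnet> <alias address> <in port> <out port>
INSTANCES='
10.100.0.0/24 X.Y.70.127 100 101
10.102.0.0/24 X.Y.69.127 102 103
10.104.0.0/24 X.Y.70.192 104 105
'

# natd_cmd ALIAS INPORT OUTPORT
# -i is the divert port whose packets natd treats as incoming, -o the one
# for outgoing packets; -P (pid file) is the flag the thread says needs
# the free.babolo.ru patch (PR bin/37159). The pid file is keyed by in port.
natd_cmd() {
    printf '/sbin/natd -f %s -P /var/run/natd.%s.pid -a %s -i %s -o %s -d\n' \
        "$NAT_CONF" "$2" "$1" "$2" "$3"
}

# ipfw_rules SUBNET ALIAS INPORT OUTPORT
# Inbound: anything arriving on the external interface for this alias address
# goes to the instance's "in" divert port. Outbound: packets leaving the
# external interface from this subnet go to its "out" divert port.
# Rule numbers are 1000 + divert port so each instance's rules stay adjacent.
ipfw_rules() {
    printf 'ipfw add %s divert %s ip from any to %s in via %s\n' \
        "$((1000 + $3))" "$3" "$2" "$EXT_IF"
    printf 'ipfw add %s divert %s ip from %s to any out via %s\n' \
        "$((1000 + $4))" "$4" "$1" "$EXT_IF"
}

# Number of configured instances (non-empty lines of the table).
instance_count() {
    printf '%s\n' "$INSTANCES" | grep -c .
}

# Print the natd command and both ipfw rules for every instance.
show_plan() {
    printf '%s\n' "$INSTANCES" | while read -r subnet alias inport outport; do
        [ -n "$subnet" ] || continue
        natd_cmd "$alias" "$inport" "$outport"
        ipfw_rules "$subnet" "$alias" "$inport" "$outport"
    done
}

# Usage: sh natd-plan.sh plan   (review the output, then pipe to sh as root)
case "${1:-}" in
    plan) show_plan ;;
esac
```

Because each natd keeps its own translation table, a burst of connections from one subnet only fills that instance's table, which is the load-sharing the reply describes; the ipfw rules are what guarantee a given flow always reaches the same instance in both directions.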