On 2/26/07, Jacques Beigbeder <[EMAIL PROTECTED]> wrote:

My question is related to PF performances with large state tables.
FreeBSD : 5.5
hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
hw.physmem: 2138378240 = 2 Gb

If I put a mail server
        20 SMTP hits per second (thanks to spam...)
        15 seconds per SMTP dialog
        90 seconds for PF timeout tcp.close
the state table will have:
        20 * (90 + 15) * 2 ways = 5.000 entries

Since any mail generates a few DNS queries (reverse DNS,
+ DNSRBL queries), the state table will also get
        2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 
        = 12.000 entries

So I'll get around 20.000 entries, each of them has a short lifetime.

. is such a number a performance problem?
  It seems strange to constantly add and delete entries for DNS
  requests in the state table?
. or do I have to write rules to avoid all the (unnecessary??)
  entries? As far as I understand, beginning with
        pass in quick proto udp from a.b.c.d port 53 to any
        ... same for TCP/25 ...
  is the trick.


Yes, keeping state on DNS traffic is quite expensive ;) This is
mentioned in the series of 3 articles by the architect of pf, Daniel
Hartmeier, at undeadly.org


Try if just passing quick port 53 traffic without keeping state has a
measurable positive impact.

Or you could install a small, not resource-hungry caching nameserver
like Bernstein's dnscache, which will save a lot of DNS and RBL

Most of the time however, perl based virus scanning is the cause of
less than expected performance of a mail server.
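As an added illustration (not from either poster) of the stateless rules the thread discusses, here is a pf.conf fragment written for the pf shipped with FreeBSD 5.x, where a `pass` rule without `keep state` creates no state-table entry. The interface name `em0`, the mail server address `192.0.2.10` and the resolver address `192.0.2.53` are placeholders standing in for the question's a.b.c.d; the `tcp.closed` and `udp.multiple` values are pf's defaults, spelled out so the numbers behind the question's arithmetic are visible in the ruleset. On newer pf versions, where `pass` keeps state by default, the same effect needs an explicit `no state` on each of these rules.

```conf
# Added example, not the original poster's ruleset.
# Placeholders: interface and addresses are assumptions.
ext_if   = "em0"
mailhost = "192.0.2.10"   # the mail server
resolver = "192.0.2.53"   # trusted recursive nameserver (the question's a.b.c.d)

# Timeouts that drive the state-table size; values shown are pf defaults.
# A higher state limit avoids hitting the ceiling during a spam burst.
set timeout { tcp.closed 90, udp.multiple 60 }
set limit states 20000

block all

# DNS to and from the trusted resolver, stateless in both directions.
# Without state, each direction needs its own rule, and the reply rule
# trusts any UDP packet that claims to come from $resolver port 53.
pass out quick on $ext_if proto udp from $mailhost to $resolver port 53
pass in  quick on $ext_if proto udp from $resolver port 53 to $mailhost

# Inbound SMTP, stateless as the question proposes. No sequence-number
# tracking happens here, so both directions must be passed explicitly.
pass in  quick on $ext_if proto tcp from any to $mailhost port 25
pass out quick on $ext_if proto tcp from $mailhost port 25 to any

# Everything else the host initiates keeps state as usual.
pass out on $ext_if proto { tcp, udp } from $mailhost to any keep state
```

To see whether the change has the intended effect, note the "current entries" figure under State Table in `pfctl -si` before loading the ruleset with `pfctl -f /etc/pf.conf`, then again under the same mail load; `pfctl -ss` lists the remaining states, and after the change no entries for port 53 or port 25 should appear there. The trade-off is that the stateless reply rules accept any packet matching the 5-tuple pattern regardless of whether a request was sent, which is acceptable for a resolver you control but is a reason to keep the rules as narrow as the addresses allow.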
