In some email I received from Ken Diliberto, sie wrote:
[...]
> Our firewall machine is fairly beefy. It's a 2.2 GHz Xeon with dual GigE
> cards, 2GB RAM and a caching disk controller. Is it too much? We'd like
> it to be. What we don't want is for it to be not enough. I think we have
> it configured to handle 500,000 state table entries (max). The OpenBSD
> folks aren't much help, either. Will that be enough? We won't know until
> it goes live.
[...]
If you are seriously thinking of running a firewall that you expect to have 10s or 100s of thousands of concurrent sessions, then I would have to recommend you test with the latest 4.0alpha. That it's termed alpha is not a reflection of the bugginess, but rather there are a few (new) features that I've not completely rounded out.

Why do I suggest that? The algorithm used for expiring connections in 3.x is not geared towards dealing with numbers of this magnitude, as it will visit every state table entry every half second. 4.0 uses a better algorithm and only visits those it needs to.

The last 'snapshot' I uploaded is:

http://coombs.anu.edu.au/~avalon/ipf40a22.tgz

Darren
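To make the cost difference concrete, here is an added example (not IPFilter code, and not from this thread) that simulates the two expiry strategies on a constructed workload: a flat list that is walked end to end on every tick, versus a timer wheel whose slots are indexed by expiry tick so a pass only touches the entries that are actually due. The structures, the 64-slot wheel and the workload of 100 new sessions per tick with a 10-tick timeout are all assumptions made for illustration; the counters show how many entries each scheme examines.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Example code, not IPFilter's: two ways to expire firewall state entries,
 * compared by how many entries each scheme must touch per expiry pass. */

#define WHEEL_SLOTS 64  /* assumption: larger than the longest timeout, in ticks */

struct state {
    unsigned expire;        /* tick at which this entry times out */
    struct state *next;
};

/* Scheme A: one flat list; every live entry is examined on every pass. */
struct scan_table { struct state *head; size_t count; unsigned long visits; };

static void scan_add(struct scan_table *t, unsigned now, unsigned timeout)
{
    struct state *s = malloc(sizeof *s);
    if (!s) abort();
    s->expire = now + timeout;
    s->next = t->head;
    t->head = s;
    t->count++;
}

static size_t scan_expire(struct scan_table *t, unsigned now)
{
    struct state **pp = &t->head;
    size_t removed = 0;
    while (*pp) {
        struct state *s = *pp;
        t->visits++;                        /* cost: one visit per live entry */
        if (s->expire <= now) { *pp = s->next; free(s); t->count--; removed++; }
        else pp = &s->next;
    }
    return removed;
}

/* Scheme B: timer wheel; slot k holds entries whose expiry tick is k mod WHEEL_SLOTS. */
struct wheel { struct state *slot[WHEEL_SLOTS]; size_t count; unsigned long visits; };

static void wheel_add(struct wheel *w, unsigned now, unsigned timeout)
{
    struct state *s = malloc(sizeof *s);
    unsigned k;
    assert(timeout > 0 && timeout < WHEEL_SLOTS);  /* keeps each slot unambiguous */
    if (!s) abort();
    s->expire = now + timeout;
    k = s->expire % WHEEL_SLOTS;
    s->next = w->slot[k];
    w->slot[k] = s;
    w->count++;
}

/* Call once per tick with consecutive tick values so no slot is skipped. */
static size_t wheel_expire(struct wheel *w, unsigned now)
{
    unsigned k = now % WHEEL_SLOTS;
    struct state *s = w->slot[k];
    size_t removed = 0;
    w->slot[k] = NULL;
    while (s) {
        struct state *next = s->next;
        w->visits++;                        /* cost: only entries in the due slot */
        if (s->expire <= now) { free(s); w->count--; removed++; }
        else { s->next = w->slot[k]; w->slot[k] = s; }   /* only if a tick was skipped */
        s = next;
    }
    return removed;
}

struct sim_result { unsigned long scan_visits, wheel_visits; size_t scan_left, wheel_left; };

/* Constructed workload: per_tick new sessions arrive every tick, each living timeout ticks. */
struct sim_result simulate(unsigned per_tick, unsigned timeout, unsigned ticks)
{
    struct scan_table t = {0};
    struct wheel w = {{0}};
    struct sim_result r;
    unsigned now, i;
    for (now = 1; now <= ticks; now++) {
        for (i = 0; i < per_tick; i++) { scan_add(&t, now, timeout); wheel_add(&w, now, timeout); }
        scan_expire(&t, now);
        wheel_expire(&w, now);
    }
    r.scan_visits = t.visits; r.wheel_visits = w.visits;
    r.scan_left = t.count;    r.wheel_left = w.count;
    while (t.head) { struct state *n = t.head->next; free(t.head); t.head = n; }
    for (i = 0; i < WHEEL_SLOTS; i++)
        while (w.slot[i]) { struct state *n = w.slot[i]->next; free(w.slot[i]); w.slot[i] = n; }
    return r;
}

int main(void)
{
    struct sim_result r = simulate(100, 10, 100);
    printf("linear scan: %lu visits, %zu live\n", r.scan_visits, r.scan_left);
    printf("timer wheel: %lu visits, %zu live\n", r.wheel_visits, r.wheel_left);
    return 0;
}
```

With the workload above both schemes end with the same 1,000 live entries, but the linear scan examines 104,500 entries over 100 ticks while the wheel examines 9,000, exactly the number it removed. A real state table also refreshes an entry's expiry whenever a packet matches it, which in a wheel means unlinking and relinking the entry (a doubly-linked slot list, or lazily re-checking the timestamp when the slot comes due); that bookkeeping is left out here to keep the comparison to the expiry pass itself.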
