Does someone have some good documentation on nat table tuning?
Here is my situation, finally got my setup done.
I'm finding that when I open some P2P apps (emule, edonkey, etc.),
my natting table will instantly fill with 5000+ nat mappings, and the
box will stop natting.
I found some kernel params on another mailing list related to ipfilter
(see bottom of msg; I will post them).
If 1 person can kill my out of the box firewall, I'd hate to see what
40-50 would do.
Is there a good document on tuning your nat tables/state tables kernel
parameters to make it function a lot better?
The following list I dug up from another mailing list, but it doesn't go
into great detail about the how's/why's, etc. Maybe I'm just not looking
in the right place, but all my searches (mailing list/google) have come
up empty. It seems people are running with defaults. And if that's the
case, why are the defaults falling down on my setup?
* NAT Settings
* ipf: adjust the default tcp timeouts downward so that
* idle (dead) and half closed states get killed off quicker.
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
* ipf: adjust the state table sizes so we have enough buckets.
* IPSTATE_MAX (=fr_statemax) should be ~70% of IPSTATE_SIZE
* IPSTATE_SIZE (=fr_statesize) has to be a prime number
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
* ipf: adjust the NAT table sizes so we have enough buckets.
* generally you have fewer than 127 rules in ipnat.conf
* so no need to waste memory for more.
set ipf:ipf_nattable_sz = 10009
set ipf:ipf_natrules_sz = 127
set ipf:ipf_rdrrules_sz = 127
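A small sizing helper, added here and not part of the original post, that applies the two rules quoted in those comments (fr_statesize must be prime, fr_statemax about 70% of it) and checks a candidate pair before it goes into /etc/system. The 70% target and setting ipf_nattable_sz to the same prime as fr_statesize follow the posted values; the function names and the "50 users times 5000 mappings" scenario are my own assumptions.

```python
def is_prime(n: int) -> bool:
    """Trial division; table sizes in this range are small enough for it."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n: int) -> int:
    """Smallest prime that is >= n."""
    while not is_prime(n):
        n += 1
    return n


def size_tables(peak_entries: int, load_pct: int = 70) -> dict:
    """Derive ipf table tunables for an expected peak number of entries.

    peak_entries becomes fr_statemax; fr_statesize is the smallest prime
    such that statemax is at most load_pct percent of it. ipf_nattable_sz
    gets the same prime, as in the posted settings (assumption: the NAT
    table is sized like the state table).
    """
    min_size = (peak_entries * 100 + load_pct - 1) // load_pct  # ceil division
    size = next_prime(min_size)
    return {"fr_statemax": peak_entries,
            "fr_statesize": size,
            "ipf_nattable_sz": size}


def check_settings(statemax: int, statesize: int, load_pct: int = 70) -> bool:
    """True if statesize is prime and statemax does not exceed load_pct% of it."""
    return is_prime(statesize) and statemax * 100 <= statesize * load_pct


def etc_system_lines(settings: dict) -> list:
    """Render the tunables in /etc/system 'set module:param = value' form."""
    return ["set ipf:%s = %d" % (k, v) for k, v in settings.items()]


if __name__ == "__main__":
    # Constructed scenario from the post: 50 users each opening ~5000 mappings.
    for line in etc_system_lines(size_tables(50 * 5000)):
        print(line)
```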