Beers, James W. wrote:
> Based on the output listed below, I am wondering if the 'maximum' number
> of states in the ipfstat -s output and the calls to the protocol drains
> are stats that I need to worry about or if they occur 'normally' during
> the course of operation.
I don't know what 'netstat -m' 'calls to protocol drain routines' means. I wouldn't be too worried about it unless you notice problems and/or the number grows a lot (19 of anything is quite little). On the other hand, I know that a non-zero (and rising in time) maximum in 'ipfstat -s' is a sign of problems. I had a machine acting as a router with lots of states held at any given moment. We had from time to time 'mysterious' network problems. The tuning of IPF I describe below got rid of them.

--

There are some hardcoded limits in IPF which limit the number of dynamic entries in some tables. I had to enlarge the number of simultaneous nat and state entries. In src/sys/contrib/ipfilter/netinet/ip_nat.h you want to '#define LARGE_NAT' (you can add the line at line 41). In src/sys/contrib/ipfilter/netinet/ip_state.h there are default limits for IPSTATE_SIZE and IPSTATE_MAX. It seems that the output of 'ipfstat -s' shows you have already enlarged the values (?). If I read the source code of IPF correctly, reaching the limit has quite terrible consequences and you probably don't want to ever reach it. Based on your 'active' you can probably set them to 80989 and 115727 respectively. Enlarging the limits means a little (for today's machines) memory overhead. If you have at least 256MB of RAM you needn't worry about that, I think.

Darren, unless I am mistaken, the defaults are quite low for today's machines and network speeds. What about increasing them a bit?

Regards,
Michal

> The firewall that generated these stats protects our student residence
> network and has approximately 1000 computers behind it.
>
> Any feedback that you can provide is greatly appreciated.
>
> OS
> --
> 6.0-RELEASE FreeBSD 6.0-RELEASE #3
>
> The firewall is a Dell 850 with a P4 2.8GHz and 2.0 GB of RAM. There are
> 2 on-board gig ethernet ports.
>
> netstat -m
> 515/385/900 mbufs in use (current/cache/total)
> 514/256/770/25600 mbuf clusters in use (current/cache/total/max)
> 0/8/6656 sfbufs in use (current/peak/max)
> 1156K/608K/1765K bytes allocated to network (current/cache/total)
> 0 requests for sfbufs denied
> 0 requests for sfbufs delayed
> 0 requests for I/O initiated by sendfile
> 19 calls to protocol drain routines
>
>
> IPFILTER
> --------
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
> Active list: 0
> Feature mask: 0x10a
>
> ADDTN'L IPFILTER INFO
> ---------------------
> There are 158 rules defined in the rule set, utilizing groups.
>
> Ipfstat -s
> IP states added:
> 28434102 TCP
> 49787604 UDP
> 48144 ICMP
> 2084963038 hits
> 138975232 misses
> 77 maximum
> 0 no memory
> 0 max bucket
> 77 maximum
> 0 no memory
> 40498 bkts in use
> 61840 active
> 0 expired
> 109862 closed
> State logging enabled
>
> State table bucket statistics:
> 40498 in use
> 38.67% bucket usage
> 0 minimal length
> 10 maximal length
> 1.527 average length
>
>
> The number of inuse NATs varies between 30k and 80k.
> Ipnat -s
> mapped in 500705856 out 591083545
> added 65964408 expired 0
> no memory 0 bad nat 0
> inuse 58465
> rules 80
> wilds 0
>
>
> -jwb
>
> ----------------------
> Jim Beers
> CIT
> Moravian College
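A check a practitioner might script from the numbers discussed in this thread (an added example, not code from either poster): it parses 'ipfstat -s' output and flags the conditions Michal points at, a non-zero 'maximum', 'no memory' failures, and an active count close to the compiled-in IPSTATE_MAX. The sample output embedded below is constructed from the figures quoted above, not captured from the firewall. IPSTATE_MAX is not printed by ipfstat, so the caller passes the value the kernel was built with; the 4013 used here is what I believe the ipfilter 4.1 ip_state.h default to be, and should be treated as an assumption, as should the 80% headroom threshold.

```sh
#!/bin/sh
# Added example: a health check over `ipfstat -s` output. Not code from the
# thread; the sample below is CONSTRUCTED from the figures quoted in it.
SAMPLE_IPFSTAT='IP states added:
	28434102 TCP
	49787604 UDP
	48144 ICMP
	2084963038 hits
	138975232 misses
	77 maximum
	0 no memory
	0 max bucket
	77 maximum
	0 no memory
	40498 bkts in use
	61840 active
	0 expired
	109862 closed
State logging enabled

State table bucket statistics:
	40498 in use
	38.67% bucket usage
	0 minimal length
	10 maximal length
	1.527 average length'

# ipf_field TEXT LABEL: print the counter whose label (the text after the
# number) equals LABEL, e.g. `ipf_field "$out" "no memory"` -> 0.
ipf_field() {
    printf '%s\n' "$1" | awk -v label="$2" '
        NF >= 2 { n = $1; $1 = ""; sub(/^ +/, ""); if ($0 == label) { print n; exit } }'
}

# check_state_table TEXT IPSTATE_MAX: print "OK" or one or more warnings.
# IPSTATE_MAX is compiled into the kernel (ip_state.h) and is not printed by
# ipfstat, so the caller must supply the value the kernel was built with.
check_state_table() {
    text="$1"; state_max="$2"; warnings=""
    maximum=$(ipf_field "$text" "maximum");   maximum=${maximum:-0}
    nomem=$(ipf_field "$text" "no memory");   nomem=${nomem:-0}
    active=$(ipf_field "$text" "active");     active=${active:-0}

    # A non-zero, rising 'maximum' is the symptom discussed in the thread.
    if [ "$maximum" -gt 0 ]; then
        warnings="${warnings:+$warnings; }WARN: state table ceiling reached ($maximum maximum)"
    fi
    if [ "$nomem" -gt 0 ]; then
        warnings="${warnings:+$warnings; }WARN: $nomem state allocations failed (no memory)"
    fi
    # 80% is an arbitrary headroom threshold chosen for this example.
    if [ $((active * 100)) -ge $((state_max * 80)) ]; then
        warnings="${warnings:+$warnings; }WARN: $active active states at or above 80% of IPSTATE_MAX=$state_max"
    fi
    printf '%s\n' "${warnings:-OK}"
}

# Usage on a live box: check_state_table "$(ipfstat -s)" <IPSTATE_MAX>
# (4013 below is assumed to be the 4.1 default; use your kernel's value.)
check_state_table "$SAMPLE_IPFSTAT" 4013
```

Run from cron and alert on any line starting with WARN; the 'maximum' counter is the one to watch between runs, since the thread's point is that it should stay at zero and not creep upward.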
