Hi everyone,
I have a question about running ipfilter on a large Sunfire 15k domain.  We 
currently run it on all our smaller servers, and even a (relatively) smaller 
15k domain and we're pleased with its performance.  However, we have some 
concerns about putting it on our largest Solaris 8 15k domain.

Specifically, the domain tends to have anywhere from 6000-12000 simultaneous 
established TCP connections and is allocated 96 GB of RAM.  Many of these 
connections tend to remain established throughout the day.  With stateful 
inspection in ipfilter, are we likely to run into any performance problems or 
memory issues?  Unfortunately, we don't have a test machine of this size, or 
usage pattern, to test this on prior to implementation.

The second question I have is in regard to the size of the state table.  The 
FAQ Question # III.25: "How do I enlarge the state table? What else should be 
tweaked for high-stress installs?" recommends modifying the #defines 
IPSTATE_SIZE and IPSTATE_MAX to enlarge the state table.  Will I need to do 
this, and secondly, what is a reasonable value to change them to?

Thanks for any help and suggestions,
Pat Zurek
Univ. of Illinois
