My followup mail was just about bufcachepercent. Auto-sizing socket buffers is pointless on a firewall. Even if it were useful, if you are running into resource starvation you want to *DECREASE* resource use not increase it.
"aggressive" sets tcp.first to 30s. 2M SYNs per second * 30s = 60M states; Roger said that 5M states is too much for the box.

On 2012/02/22 13:11, Hassan Monfared wrote:
> 1- auto-sizing in obsd5.0 is for tcp not udp.
> 2- I think setting option to aggressive will help.
>
>
> On 2/22/12, Stuart Henderson <[email protected]> wrote:
> > On 2012-02-22, Stuart Henderson <[email protected]> wrote:
> >> On 2012-02-21, Hassan Monfared <[email protected]> wrote:
> >>> Hi,
> >>> have you tried to set some tuning options in pf.conf & sysctl.conf ?
> >>> eg:
> >>> for sysctl.conf:
> >>> net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
> >>> (256*number of physical interfaces)
> >>> kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
> >>> RAM for cache (default 10%)
> >>> net.inet.udp.recvspace=131072 # Increase based on your memory
> >>> net.inet.udp.sendspace=131072 # Increase based on your memory
> >>> ddb.panic=0 # do not enter ddb console on kernel
> >>> panic,
> >>> reboot if possible , this reduces headache
> >>
> >> These have nothing to do with state overflow
> >
> >> (except raising bufcachepercent will leave less space for states..)
> >
> > it was pointed out offlist that this may be incorrect, the theory is
> > that it should shrink when you need the space; that said it won't help
> > anyway and if for some reason it doesn't shrink you'll have problems.

