Steve D. wrote:
> Hi,
> I'm setting up a gateway (1.7 GHz machine with 1 GB of RAM) for 700+
> users using pf with NAT and BINATs (90% NAT). I would like to know
> if anyone has any recommendations on tweaking the runtime options in
> PF. This box will pretty much just be handling the natting with a bare
> minimum of filtering, just enough to keep the box secure.
Yes:
DON'T TOUCH ANYTHING UNTIL YOU KNOW WHAT THE GOAL IS.
Apparently, there are some OSs people are used to that ship in a nearly
useless state, at least judging by queries like this. With OpenBSD,
you aren't supposed to have to tweak things; it should Just Work.
See if you run into a problem. Don't start twisting knobs until you see
if there is a reason to do so, and until you know what the desired
outcome is. The defaults are set pretty darned well to start with --
you are much more likely to break something by "tweaking" than you are
to improve anything.
For comparison: we have ~850 people, hiding behind a CARP'd pair of
machines -- primary is a Celeron 600, 384M RAM. Failover box is a
PIII-750, 512M RAM, in an otherwise identical box. Hooked to a 45Mbps
DS3. We aren't exercising the system much at this point (neither the
box nor the DS3). I suspect someday we'll start seeing some limits
hit on this thing; we'll worry about it then...assuming these boxes
haven't died of old age by the time that happens. :)
Nick.
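For readers who want to see what "NAT plus BINAT with a bare minimum of filtering" looks like in pf.conf(5), here is an added illustration in current OpenBSD pf syntax (match rules with nat-to/binat-to). It is not from either poster; the interface names, the internal range and the single binat host are made up for the example.

```pf
# Added illustration of the setup described in the thread: a NAT gateway for a
# large internal network, one 1:1 (binat) host, and minimal filtering.
# Not the original posters' configuration. All names and addresses are made up.
ext_if  = "em0"           # assumed external interface
int_if  = "em1"           # assumed internal interface
int_net = "10.0.0.0/16"   # constructed internal range (room for 700+ hosts)
web_int = "10.0.5.10"     # constructed: internal host that gets a 1:1 mapping
web_ext = "192.0.2.10"    # constructed: its public address (documentation range)

set skip on lo

# Translation first. These are match rules, so they annotate the packet and
# evaluation continues on to the pass/block rules below.
# 90% of the box's job: hide the internal network behind the external address.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)
# Bidirectional 1:1 mapping for the one host that must be reachable by address.
match on $ext_if inet from $web_int to any binat-to $web_ext

# Drop packets that claim an internal source but arrive on the wrong interface.
antispoof quick for { lo $int_if }

# Default deny inbound and log what is dropped; let the gateway itself talk out.
block in log
pass out

# Internal users may go anywhere. From the outside, only HTTPS reaches the
# binat host; filter rules see the already-translated (internal) address.
# Nothing else is allowed in, which keeps the gateway's own services unreachable.
pass in on $int_if inet from $int_net to any
pass in on $ext_if inet proto tcp from any to $web_int port 443
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. In the spirit of the reply above, before changing any `set limit` or `set optimization` value, look at `pfctl -si` (current state table entries, packets dropped for state-limit reasons) and `pfctl -sm` (the configured limits); if the state count is nowhere near the limit and nothing is being dropped, there is no knob that needs turning.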