On 2007/10/04 17:48, Florin Andrei wrote:
> All firewall rules are written as stateless as possible - I don't need
> stateful filtering, the setup is very simple (allow HTTP inbound, allow a
> few ICMP types, and that's it).

You might want to re-think this; stateless rulesets are usually slower.
This is interesting: http://www.undeadly.org/cgi?action=article&sid=20060927091645

> congestion 116169 197.2/s

Try setting net.inet.ip.ifq.maxlen to 256 (sysctl/sysctl.conf). If you still see the congestion count increasing, then search for net.inet.ip.ifq.maxlen in the list archives and have a read.
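
As an added example, not part of the original message: a small sh helper for the check suggested above, reading the `congestion` counter from `pfctl -si` output at two points in time and reporting whether it is still climbing after the sysctl change. The function names and the sample counter text are constructed for illustration; the `--live` mode assumes an OpenBSD host with pf enabled and root privileges.

```shell
#!/bin/sh
# Added example (not from the original post): track pf's congestion counter.

# Constructed sample of the "Counters" part of `pfctl -si` output; only the
# congestion line is taken from the message above, the rest is made up.
SAMPLE_BEFORE='Counters
  match                             530142          900.1/s
  memory                                 0            0.0/s
  congestion                        116169          197.2/s'

# Print the congestion total from `pfctl -si` text on stdin.
# Exits non-zero if no congestion line is present.
pf_congestion() {
    awk '$1 == "congestion" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Compare two samples of the counter: prints increasing, stable or reset.
# "reset" means the counter went backwards (statistics cleared, pf reloaded).
congestion_trend() {
    for n in "$1" "$2"; do
        case $n in
            ''|*[!0-9]*) echo "invalid"; return 2 ;;
        esac
    done
    if [ "$2" -gt "$1" ]; then
        echo "increasing"
    elif [ "$2" -lt "$1" ]; then
        echo "reset"
    else
        echo "stable"
    fi
}

# Live check: show the current queue length, then sample the counter twice.
check_live() {
    interval=${1:-60}
    sysctl net.inet.ip.ifq.maxlen
    a=$(pfctl -si | pf_congestion) || return 1
    sleep "$interval"
    b=$(pfctl -si | pf_congestion) || return 1
    echo "congestion: $a -> $b ($(congestion_trend "$a" "$b"))"
}

# Only touch the real system when asked to: ./script --live [seconds]
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-60}"
fi
```

A result of `increasing` after raising the queue length is the case where the message suggests reading the list archives.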