On 2008/02/13 15:21, Darren Spiteri wrote:
> Now we're just getting into semantics. It is not uncommon for a
> firewall to operate on layer 7, even with OpenBSD,

"firewall" means many things but note that the subject line talks about "routing firewall" and the message doesn't say anything about running as a proxy server. in general (not just on OpenBSD, this is true pretty much everywhere) you can route packets much more quickly than you can source or sink on the box itself. if you need high performance there's a strong case for running proxies on machine/s other than a routing firewall (aka packet-filtering router).

> considering that an essential component of PF is ftp-proxy.

net.inet.tcp.sendspace/recvspace set the maximum socket buffer size for TCP connections. they have absolutely no effect on packets which are just forwarded in the kernel.

for ftp-proxy these sysctl values affect control connections, but do _not_ affect data connections which are handled in-kernel (ftp-proxy adds nat/rdr rules for these).

 /\   if you increase these values on a machine with many connected
/__\  TCP sockets, keep an eye on kernel memory use.

you also mentioned hoststated/relayd: in rdr mode (layer3) these sysctl values have no effect, but you are correct that they can affect it in relay mode (layer7). (with "forward to nat lookup" layer7 forwarding can be done transparently and becomes a lot more generally useful: note that you can adjust socket buffer size in the tcp configuration for the relay).
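An added relayd.conf sketch (not the poster's configuration, and written in current relayd syntax rather than the 2008-era hoststated) contrasting the two modes the reply describes: the `redirect` block is handled in-kernel by pf, so net.inet.tcp.sendspace/recvspace never apply to it, while the `relay` block terminates TCP on the box and sets its own socket buffer instead of relying on the global sysctl. Addresses, the table name and the protocol name are placeholders, and the pf rdr-to rule that steers traffic to the relay's listen port is assumed to exist.

```conf
# constructed example, not the original poster's configuration;
# all addresses and names are placeholders.

table <webhosts> { 10.0.0.11, 10.0.0.12 }

# layer-3 (rdr) mode: pf rewrites and forwards the packets in the
# kernel, so net.inet.tcp.sendspace/recvspace have no effect here.
redirect www_rdr {
    listen on 192.0.2.1 port 80
    forward to <webhosts> check http "/" code 200
}

# layer-7 (relay) mode: relayd terminates the TCP connection, so the
# socket buffer size matters. setting it per relay avoids raising the
# global sysctl defaults for every other socket on the box.
http protocol httpfilter {
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay www_relay {
    listen on 192.0.2.1 port 8080
    protocol httpfilter
    # "forward to nat lookup": recover the original destination from
    # pf's nat/rdr state (assumed: a pf rdr-to rule sends port 80
    # traffic to port 8080) so the relay is inserted transparently.
    forward to nat lookup
}
```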

