On Mon, 2002-11-18 at 13:43, Mike Frantzen wrote:
> > I took a moment to peruse the pfctl.c code for the tcp settings for each
> > of the various optimization topographies (normal, aggressive, etc.). Do
> > these attempt to set any of the udp or icmp timeout settings (first,
> > single, multiple, error)? I can't find anything in the pf.conf manpage
> > or source to suggest they do.
>
> Nope. I didn't have enough real world data to calculate optimal
> timeouts. A university (can't remember if I'm allowed to name them or
> not so I won't) gave me 20-30 gigs of captured TCP headers to help
> optimize our TCP state code.
>
> Optimizing the state timeouts for UDP is much more complex. With TCP,
> the dynamics are determined by the links and the OSes involved. TCP
> lends itself well to applying the same timeouts to every rule. But with
> UDP, the type of application is far more important. I.e., the timeout
> information for DNS would be totally different from TFTP or NFS. UDP
> really needs per-port timeouts set by the optimization level. I can't
> think of an easy way to apply that in PF outside of using the
> optimization level to create pre-defined timeout macros which the user
> can add to the UDP rules.
>
> I could probably hack up a little PCAP utility to profile your UDP
> traffic and let it calculate a distribution of timeouts. But I have
> very little free hacking time and I'm not sure there is enough demand.
That's ok, I'm just trying to absorb as much information about PF as I can. No stone left unturned, don'tcha know. :) Thanks, J.
