List:       ipfilter
Subject:    Re: Keep State troubles.
From:       Camiel Dobbelaar <dobbe () xs4all ! nl>
Date:       2000-09-27 17:51:09
On Wed, 27 Sep 2000, Dave Hartnell wrote:
> I managed to recompile a new kernel with altered values for the IPSTATE_MAX
> & IPSIZE_MAX. I also dropped the timeout values for a few things so that
> it would clear any dead states more quickly.

What values did you pick? Your stats look worrisome:

>         667 bkts in use
>         16964 active

This means that there are (16964 / 667) 25 states in each bucket. Buckets
have to be searched linearly to find the matching state. This affects
performance. IPfilter's hashing algorithm is not that sophisticated
(actually it's very easy for an attacker to get states hashed to the same 
bucket), but these numbers are bad.

Are you sure you picked a prime number for IPSTATE_SIZE?

> We are on a 10megabit half duplex link to the internet and the internal side
> of the firewall is running at 100megs. Our monthly traffic usage usually
> shows us sitting at around 2-6megs a second as an average load, and we move
> around 100gigs worth of data a month. Are these numbers I'm seeing normal
> or unreasonable? Can ipfilter handle this type of load? The server is a
> P3-667, 512megs ram, Intel 10/100 Management nics and it's only running
> IPfilter and bridging.

Why not judge yourself if it can handle the load? BTW, the system will
probably work just as fine with 64MB ram.

--
Cam
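As an added example (not from this thread and not ipfilter's own code), the arithmetic above turned into a small sizing check in Python: it reads the two counters quoted from ipfstat, computes the average chain length, proposes a prime bucket count, and uses a hypothetical additive hash (not ipfilter's real state hash) over constructed flows to show why a power-of-two IPSTATE_SIZE packs states into far fewer buckets than a nearby prime.

```python
import re
from collections import Counter

# Constructed excerpt in the shape quoted in the thread (not real ipfstat output).
IPFSTAT_SAMPLE = "        667 bkts in use\n        16964 active\n"

def parse_ipfstat(text):
    """Return (buckets_in_use, active_states) from ipfstat-style lines."""
    bkts = int(re.search(r"(\d+)\s+bkts in use", text).group(1))
    active = int(re.search(r"(\d+)\s+active\b", text).group(1))
    return bkts, active

def avg_chain(active, bkts_in_use):
    """Mean states walked per bucket lookup (the 16964 / 667 figure above)."""
    return active / bkts_in_use

def is_prime(n):
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    """Smallest prime >= n; a candidate IPSTATE_SIZE."""
    while not is_prime(n):
        n += 1
    return n

def recommend_size(active, target_chain=2.0):
    """Prime bucket count that keeps the average chain near target_chain."""
    return next_prime(int(active / target_chain) + 1)

def hyp_hash(src, dst, sport, dport, size):
    # Hypothetical additive hash, NOT ipfilter's real state hash.
    return (src + dst + sport + dport) % size

def chain_stats(flows, size):
    """(buckets in use, longest chain) after hashing flows into `size` buckets."""
    counts = Counter(hyp_hash(*f, size) for f in flows)
    return len(counts), max(counts.values())

# Constructed flows: one client to one server, ephemeral ports handed out in
# steps of 8, a stride that shares a factor with a power-of-two table size.
STRIDED_FLOWS = [(0x0A000001, 0xC0A80001, 1024 + 8 * i, 80) for i in range(8064)]

if __name__ == "__main__":
    bkts, active = parse_ipfstat(IPFSTAT_SAMPLE)
    print(f"avg chain {avg_chain(active, bkts):.1f}; suggested IPSTATE_SIZE {recommend_size(active)}")
    for size in (4096, next_prime(4096)):
        print(size, "prime" if is_prime(size) else "not prime", chain_stats(STRIDED_FLOWS, size))
```

With the strided flows, 4096 buckets leave only 512 in use with chains of 16, while 4099 (prime) spreads the same flows over every bucket with chains of at most 2.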
