Lorenz Helleis wrote:
> Hello.
>
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
>
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase any other value, like table, src-nodes.... How do I know if everything is ok with the other values?
>
> What happens if the number of connections touches the limit of 100.000? Will it drop the idle connections? Or what?
>
From my experience, new connections will appear to time out as PF has no more sessions available for new connections. As sessions die off organically, new connections will be permitted, but there is nothing actively killing old / idle connections to make way for new sessions if the limit is reached.

Depending on how much memory you have, you should be fine increasing the max session limit. I've had some of my firewalls over 1,000,000 sessions without a problem.

You may want to check your switch for errors and watch your interface (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of CPU usage are you seeing when you start dropping the packets?

Regards,
Chris
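An added example, not from either poster: a small POSIX sh script that reads the state-table count from `pfctl -si` and the hard limits from `pfctl -sm`, reports state-table utilisation against a warning threshold, and lists the other pool limits (src-nodes, frags, table-entries) the original poster asked about. The `pfctl` output below is constructed sample data in the real commands' format; on a live box replace it with the command output as noted in the comments.

```shell
#!/bin/sh
# Constructed sample output standing in for the live commands.
# On a real firewall use:  SI=$(pfctl -si)  SM=$(pfctl -sm)
SAMPLE_SI='Status: Enabled for 12 days 03:11:42          Debug: Urgent

State Table                          Total             Rate
  current entries                    75000
  searches                       987654321        12000.0/s
  inserts                         12345678          900.0/s
  removals                        12270678          890.0/s'

SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# current_states "$si_output" -> number of entries currently in the state table
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# hard_limit "$sm_output" POOL -> configured hard limit for that pool
# (states, src-nodes, frags, table-entries)
hard_limit() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "hard" { print $4 }'
}

# utilisation_pct CURRENT LIMIT -> integer percentage of the limit in use
utilisation_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_states "$si" "$sm" WARN_PCT -> prints a status line; returns 1 when
# utilisation is at or above WARN_PCT (at 100% PF stops creating states and
# new connections appear to time out, as described in the reply above)
check_states() {
    cur=$(current_states "$1")
    lim=$(hard_limit "$2" states)
    pct=$(utilisation_pct "$cur" "$lim")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: states $cur/$lim (${pct}%) - raise 'set limit states' before it fills"
        return 1
    fi
    echo "OK: states $cur/$lim (${pct}%)"
}

# list_limits "$sm" -> one "pool limit" line per pool, for the values the
# poster did not raise; compare each against pfctl -sS / -vsT counts
list_limits() {
    printf '%s\n' "$1" | awk '$2 == "hard" { print $1, $4 }'
}
```

Run with `check_states "$(pfctl -si)" "$(pfctl -sm)" 80` from cron or a monitoring agent to be warned before the state table fills rather than after connections start timing out.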
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"