DNS and mail servers behind a PF firewall?

Jacques Beigbeder Jacques.Beigbeder at ens.fr
Mon Feb 26 18:46:50 UTC 2007


Hello,

My question is related to PF performances with large state tables.
FreeBSD : 5.5
hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
hw.physmem: 2138378240 = 2 Gb

If I put a mail server
	20 SMTP hits per second (thanks to spam...)
	15 seconds per SMTP dialog
	90 seconds for PF timeout tcp.close
the state table will have:
	20 * (90 + 15) * 2 ways = 5,000 entries

Since any mail generates a few DNS queries (reverse DNS,
+ DNSRBL queries), the state table will also get
	2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections)
	= 12,000 entries

So I'll get around 20,000 entries, each of them having a short lifetime.

Question:
. is such a number a performance problem?
  It seems strange to constantly add and delete entries for DNS
  requests in the state table?
. or do I have to write rules to avoid all the (unnecessary??)
  entries? As far as I understand, beginning with
	pass in quick proto udp from a.b.c.d port 53 to any
	... same for TCP/25 ...
  is the trick.

Thanks,

--
Jacques Beigbeder                    |  Jacques.Beigbeder at ens.fr
Service de Prestations Informatiques |     http://www.spi.ens.fr
Ecole normale supérieure             |
45 rue d'Ulm                         |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05                |Fax : (+33 1)1 44 32 20 75
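As an added illustration (not part of Jacques's post or of any reply on the list), here is a pf.conf fragment that carries the state-table budget from the post into explicit limits and timeouts, and shows the stateless DNS rule he has in mind next to a stateful SMTP rule. It assumes the PF shipped with FreeBSD 5.x, where a rule creates a state entry only when it says `keep state`; the interface name `em0` and the addresses for `$mail` and `$dns` are constructed placeholders. The timeout values are the ones quoted in the post (which are also PF's defaults for `tcp.closed` and `udp.multiple`); the default state limit of 10000 is the figure that actually matters for a table of ~20,000 entries, because PF refuses to create new states once the limit is reached.

```pf
# Added example, not from the original post. Assumed names: em0, $mail, $dns.
ext_if = "em0"
mail   = "192.0.2.25"   # constructed address (documentation range)
dns    = "192.0.2.53"   # constructed address (the site's resolver)

# Sizing from the post: ~5,000 SMTP states + ~12,000 DNS states, about 20,000.
# PF's default is 10000 states; raise it with headroom, otherwise new
# connections are dropped as soon as the table is full.
set limit states 40000

# Timeouts quoted in the post (these are also the PF defaults).
set timeout { tcp.closed 90, udp.multiple 60 }

# Default deny inbound; the quick rules below take precedence.
block in on $ext_if

# SMTP stays stateful: PF then tracks sequence numbers and windows, which is
# worth the ~5,000 entries for a service exposed to the whole Internet.
pass in quick on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state

# DNS from the local resolver: stateless in both directions. Without
# "keep state" no table entry is created, so the reply direction must be
# allowed explicitly. Trade-off: any UDP packet from source port 53 to the
# resolver is accepted, with no per-query matching.
pass out quick on $ext_if proto udp from $dns to any port 53
pass in  quick on $ext_if proto udp from any port 53 to $dns
```

To check whether the estimate holds on a live box, `pfctl -s info` reports the current number of state entries and the insert/remove counters, and `pfctl -s memory` shows the configured limit; if "current entries" sits near the limit, raise it before trading away state tracking.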



More information about the freebsd-questions mailing list