Dropped Packets
Chris Marlatt
cmarlatt at rxsec.com
Fri Mar 7 15:52:58 UTC 2008
Lorenz Helleis wrote:
> Hello.
>
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
>
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase other values, like table, src-nodes.... How do I know if everything is OK with the other values?
>
> What happens if the number of connections touches the limit of 100.000? Will it drop the idle connections? Or what?
>
>
From my experience new connections will appear to timeout as PF has no
more sessions available for new connections. As sessions die off
organically new connections will be permitted but there is nothing
actively killing old / idle connections to make way for new sessions if
the limit is reached.
Depending on how much memory you have you should be fine increasing the
max session limit. I've had some of my firewalls over 1,000,000 sessions
without a problem.
You may want to check your switch for errors and watch your interface
(netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
cpu usage are you seeing when you start dropping the packets?
Regards,
Chris
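To put numbers on the question of whether the state table is the bottleneck, here is an added example (not part of the thread) that parses the text of `pfctl -s memory` and `pfctl -si` and reports headroom against the `states` hard limit together with the `memory` and `state-limit` counters that increase when PF refuses a new state. The two sample outputs are constructed for the example, and the 80% warning threshold is an assumption, not a PF setting.

```python
"""Added example: parse `pfctl -s memory` and `pfctl -si` text (constructed
samples below) to report PF state-table headroom and refused state inserts."""
import re

# Constructed sample of `pfctl -s memory` on a box tuned to 100,000 states.
PFCTL_MEMORY = """\
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""
# Constructed excerpt of `pfctl -si`. `memory` counts states PF could not
# allocate, `state-limit` counts inserts refused because the limit was hit.
PFCTL_INFO = """\
State Table                          Total             Rate
  current entries                    91230
  searches                       719333015         6234.1/s
Counters
  match                            9340121           81.0/s
  memory                               412            0.0/s
  state-limit                         3875            0.2/s
"""

def parse_limits(text):
    """Map each `pfctl -s memory` resource name to its hard limit."""
    return {m.group(1): int(m.group(2)) for m in
            re.finditer(r"^(\S+)\s+hard limit\s+(\d+)", text, re.M)}

def parse_info(text):
    """Return (current state entries, {counter: total}) from `pfctl -si`."""
    cur = int(re.search(r"current entries\s+(\d+)", text).group(1))
    counters = {m.group(1): int(m.group(2)) for m in
                re.finditer(r"^\s+([a-z-]+)\s+(\d+)\s+[\d.]+/s$", text, re.M)}
    return cur, counters

def check_state_table(mem_text, info_text, warn_ratio=0.8):
    """Summarise headroom; warn_ratio is an assumed threshold, not a PF value."""
    limits = parse_limits(mem_text)
    current, counters = parse_info(info_text)
    usage = current / limits["states"]
    # Once states are exhausted new flows just fail (they look like timeouts),
    # so flag both nearness to the limit and any refusals already counted.
    refused = counters.get("state-limit", 0) + counters.get("memory", 0)
    return {"states": current, "limit": limits["states"],
            "usage": round(usage, 3), "refused": refused,
            "warn": usage >= warn_ratio or refused > 0}

if __name__ == "__main__":
    print(check_state_table(PFCTL_MEMORY, PFCTL_INFO))
```

On a live box, feed it the real output (`pfctl -s memory` and `pfctl -si`) instead of the samples; a non-zero `refused` count is the direct sign that the drops the original poster sees come from the state limit rather than from the switch or interface.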