Hello,

You should change the IPSTATE_SIZE and IPSTATE_MAX defines in ip_state.h and recompile the IPF.

Default values are defined in netinet/ip_state.h. IPSTATE_MAX should be approx. 70% of IPSTATE_SIZE and both numbers should be prime.

#define IPSTATE_SIZE 5737
#define IPSTATE_MAX 4013

You may use 80989 and 115727. Please read links [1] and [2].

[1] http://msgs.securepoint.com/cgi-bin/get/ipfilter-0603/26/1.html
[2] http://www.phildev.net/ipf/IPFques.html#ques25

N. Ersen SISECI
http://www.enderunix.org

forge wrote:
> > Hello, everyone
> > I found there's a const IPSTATE_MAX defined as 4013 in ip_state.h.
> > So the total number of ipf state shouldn't exceed 4013, that is, when I
> > use ipfstat -s, the active state should be less than 4013. Is it true?
> > I think 4013 is not a number large enough for state. I installed ipfilter
> > on a FreeBSD box as the firewall of our lab, but the total connections are
> > much more than 4013. Can anyone tell me how I can resolve the problem?
> > Much thanks.
> > Alex
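The sizing rule in the reply above (both values prime, IPSTATE_MAX about 70% of IPSTATE_SIZE) can be applied to any target state count. The following is an added example, not part of the original message or of the IPFilter sources; the helper names, the 65-75% tolerance and the target of 100000 states are assumptions made for illustration.

```c
#include <stdio.h>

/* Trial division; adequate for state-table sizes of this magnitude. */
static int is_prime(unsigned long n)
{
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (unsigned long d = 3; d <= n / d; d += 2)
        if (n % d == 0) return 0;
    return 1;
}

static unsigned long next_prime(unsigned long n)
{
    while (!is_prime(n)) n++;
    return n;
}

/* Rule from the message: both prime, MAX roughly 70% of SIZE.
 * The 65..75 percent window is an assumed tolerance for "approx.". */
static int valid_pair(unsigned long size, unsigned long max)
{
    if (!is_prime(size) || !is_prime(max)) return 0;
    unsigned long pct = max * 100 / size;
    return pct >= 65 && pct <= 75;
}

/* Hypothetical helper: smallest prime MAX >= wanted, then the smallest
 * prime SIZE that keeps MAX at or just under 70% of SIZE. */
static void pick_state_sizes(unsigned long wanted,
                             unsigned long *size, unsigned long *max)
{
    *max = next_prime(wanted);
    *size = next_prime((*max * 10 + 6) / 7);   /* ceil(max / 0.7) */
}

int main(void)
{
    unsigned long size, max;

    printf("defaults 5737/4013 follow the rule: %d\n", valid_pair(5737, 4013));
    pick_state_sizes(100000, &size, &max);     /* constructed target */
    printf("#define IPSTATE_SIZE %lu\n#define IPSTATE_MAX %lu\n", size, max);
    return 0;
}
```

The printed defines go into ip_state.h before recompiling; ipfstat -s then shows whether the active state count stays below the new IPSTATE_MAX.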
