Claudio Jeker wrote:
> net.inet.ip.redirect has only an effect if you enable
> net.inet.ip.forwarding. As you are running a server and not a router I
> doubt this is the case. Additionally net.inet.ip.redirect does not modify
> the routing table. You are probably looking at net.inet.icmp.rediraccept.

More reading in the man pages did the trick on that one and yes, you are
absolutely right. (;>
I also have to revise my statement on the net.inet.ip.portfirst=32768
effect. In a series of new tests, it doesn't have the impact noted in the
first test runs. So, I would keep it as the default value as well now.
Maybe it was when PF was enabled that I had more of an impact then. But my
notes are not clear on that specific one.

> With many short-lived connections you have a lot of sockets in TIME_WAIT.
> Because you are testing from one host only you start to hit these entries
> more and more often; this often results in a retry from the client.
> Additionally by filling all available ports the port allocation algorithm
> is starting to get slower but that's a problem that you will only see on
> the host :) The accept behaviour of OpenBSD should be fine.

I did test it with a few more hosts and as stated, the OpenBSD default
was right. (;> But I appreciate the additional information! Thanks.
Anything else you see that may be questionable in what I sent? I am
doing more tests with different hardware to be sure it's all sane values
in the end.
Otherwise many thanks for having taken the time to look it over and
give me your feedback on it!

> I think there are a few knobs that you should reconsider. I will write
> another mail about that.

That sure would be welcome. I would be curious to see what else, or
differences you may see. I did lots of tests in different setups, but I
am always happy to see improvements.
I have for now my somewhat final version done and it looks pretty good.
Much better than before for sure anyway. Now I can enjoy seeing traffic
coming in instead of worrying about complaints. (;>
But more improvements and suggestions with explanations would be welcome
as understanding on my side anyway.
Many thanks!
Daniel