Hi all,
# pfctl -s info
Status: Enabled for 0 days 02:06:25           Debug: Urgent

State Table                        Total             Rate
  current entries                  42244
  searches                     626280622        82568.3/s
  inserts                       30436730         4012.8/s
  removals                      30394486         4007.2/s
Counters
  match                        195872398        25823.7/s
  bad-offset                           0            0.0/s
  fragment                           177            0.0/s
  short                               18            0.0/s
  normalize                         2914            0.4/s
  memory                         2425600          319.8/s
  bad-timestamp                        0            0.0/s
  congestion                       10071            1.3/s
  ip-option                           58            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                  178517           23.5/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                          342            0.0/s
  synproxy                             0            0.0/s
It's a PF-based bridge FW. I only apply PF on the two NICs which build
the bridge, so 82568.3/s means 41284 packets per second per NIC.
The match value is 25823.7/s, so it means that 31% (approx.) of
packets are evaluated by rule-sets. So, it also means that 69/70% of
packets directly 'use' a state table lookup.
With these numbers, can the rule-set be considered well-built?
Info: Behind the FW there are (among other boxes) two authoritative NS
with a high load (tinydns with 80/120 requests per second).
--
Thanks,
Jordi Espasa Clofent
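The arithmetic in the post (match rate over search rate, searches split across the two bridge NICs) is easy to get wrong by hand, and the "Counters" block is where the drops hide. The following is an added example, not code from the post or from OpenBSD/pfctl: it parses the `pfctl -s info` text quoted above (re-entered here as the sample input, with pfctl's two header lines), computes the same ratios, and lists every nonzero drop reason. The counter names are pf's own `pf_reasons` strings; the `passes_per_packet` parameter is an assumption that models the poster's setup, where each bridged packet is seen once per NIC.

```python
import re
from typing import Dict, NamedTuple, Optional

class Counter(NamedTuple):
    total: int
    rate: Optional[float]  # per second since pf was enabled; None where pfctl prints no rate

# Sample input: the pfctl -s info output quoted in the post, including pfctl's header lines.
SAMPLE_PF_INFO = """\
Status: Enabled for 0 days 02:06:25           Debug: Urgent

State Table                        Total             Rate
  current entries                  42244
  searches                     626280622        82568.3/s
  inserts                       30436730         4012.8/s
  removals                      30394486         4007.2/s
Counters
  match                        195872398        25823.7/s
  bad-offset                           0            0.0/s
  fragment                           177            0.0/s
  short                               18            0.0/s
  normalize                         2914            0.4/s
  memory                         2425600          319.8/s
  bad-timestamp                        0            0.0/s
  congestion                       10071            1.3/s
  ip-option                           58            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                  178517           23.5/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                          342            0.0/s
  synproxy                             0            0.0/s
"""

# Everything pf lists under "Counters" except "match" is a drop reason: a nonzero
# value means packets were discarded for that reason (e.g. "memory" = dropped for
# lack of memory when a state could not be created, "state-mismatch" = packet did
# not fit the state it was looked up against).
DROP_REASONS = frozenset({
    "bad-offset", "fragment", "short", "normalize", "memory", "bad-timestamp",
    "congestion", "ip-option", "proto-cksum", "state-mismatch", "state-insert",
    "state-limit", "src-limit", "synproxy",
})

# "<name> <total> [<rate>/s]" with a name that may contain spaces ("current entries").
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z\- ]*?)\s+(?P<total>\d+)(?:\s+(?P<rate>\d+(?:\.\d+)?)/s)?$"
)

def parse_pf_info(text: str) -> Dict[str, Counter]:
    """Parse the State Table and Counters lines of pfctl -s info into name -> Counter."""
    counters: Dict[str, Counter] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # header lines ("Status:", "State Table ...", "Counters") never match
            rate = m.group("rate")
            counters[m.group("name")] = Counter(int(m.group("total")), float(rate) if rate else None)
    return counters

def ruleset_eval_fraction(c: Dict[str, Counter]) -> float:
    """Share of state-table searches that ended in an explicit rule match (the post's ~31%)."""
    return c["match"].rate / c["searches"].rate

def per_interface_pps(c: Dict[str, Counter], passes_per_packet: int = 2) -> float:
    """Searches per second divided by how many times pf sees each packet (assumed 2 on a bridge)."""
    return c["searches"].rate / passes_per_packet

def nonzero_drops(c: Dict[str, Counter]) -> Dict[str, Counter]:
    """Drop reasons with a nonzero total, ordered by total descending."""
    drops = {n: v for n, v in c.items() if n in DROP_REASONS and v.total > 0}
    return dict(sorted(drops.items(), key=lambda kv: kv[1].total, reverse=True))

if __name__ == "__main__":
    info = parse_pf_info(SAMPLE_PF_INFO)
    print(f"ruleset evaluations: {ruleset_eval_fraction(info):.1%} of searches")
    print(f"per-NIC packet rate: {per_interface_pps(info):.1f} pps")
    for name, ctr in nonzero_drops(info).items():
        print(f"  drop {name:<15} {ctr.total:>10}  {ctr.rate:>8.1f}/s")
```

Run against the numbers above, the ratio comes out at the 31% the post computes. The drop list is the part a reader would want next: with the "match" ratio looking healthy, a high "memory" rate (states that could not be created) and a steady "state-mismatch" rate are the counters that explain real behaviour on the firewall, and this is the kind of check to run again after the ruleset is changed.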