With a gig of RAM, you'll probably be clear with about 768K states. I'm not sure what happens if the kernel decides it needs to swap....uhhh...swap out the kernel??? What's left to swap it in? :) I predict kernel panic at the point you hit the max allocatable kernel memory. Far worse than what an nmap scan will do to you if it fills 768k states (set your state expiration to aggressive instead of normal - it shouldn't affect "normal" traffic, but will clear out bogus nmap states quicker).
--Bill

On 9/19/07, Wade Blackwell <[EMAIL PROTECTED]> wrote:
> Thanks Gary,
> I am assuming that the box is not going to push state table info
> to the disk (too slow). Thanks for that, they may never have made it
> to 1,000,000 but what a sad day if they did. Thanks again.
>
> Wade B
>
> On 9/19/07, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
> > Wade,
> >
> > FYI, you don't have enough memory to handle 1,000,000 states. When last
> > I checked, each state took somewhere between 1k and 3k memory. Having
> > your maxstates set to 1,000,000 doesn't hurt, but if you actually open
> > up more states than your box can handle, you'll be a sad panda.
> >
> > -Gary
> >
> > Wade Blackwell wrote:
> > > Thanks Sean,
> > > I will give that a try.
> > > -W
> > >
> > > On 9/18/07, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
> > >
> > >> Upgrade to 1.2-RC2 first and see if that helps. It's based on FreeBSD 6.2
> > >> as
> > >> opposed to 6.1 that the 1.0 release was on.
> > >>
> > >> -Sean
> > >>
> > >> ________________________________
> > >>
> > >>> Date: Tue, 18 Sep 2007 08:57:09 -0700
> > >>> From: [EMAIL PROTECTED]
> > >>> To: [email protected]
> > >>> Subject: [pfSense Support] Sluggish network performance
> > >>>
> > >>> Good morning,
> > >>> I am seeing intermittent performance issues, particularly with
> > >>> samba traffic, between the LAN and DMZ. The machine PF is running AMD
> > >>> Athlon(tm) processor (950.04-MHz 686-class CPU) with a gig of memory.
> > >>> The NICS in the box are xl0: 3Com 3c905B-TX, fxp0: Intel 82558
> > >>> Pro/100, fxp1: <Intel 82557 Pro/100. and dc0: <ADMtek AN985
> > >>> 10/100BaseTX>. PF version is 1.0-RC1. The rulesets on the box are
> > >>> almost nothing and the only impacting change is I changed the state to
> > >>> 1,000,000 maximum connections (they run a lot of nmap scans through
> > >>> the box).
> > >>> I know this is a very general issue and there may not be
> > >>> enough good information to diagnose it but has anyone seen
> > >>> intermittent sluggish samba performance through PF? If so was PF the
> > >>> culprit and what did you do to remedy it? The only errors I saw that
> > >>> looked related are below. Thanks.
> > >>>
> > >>> xl0: tx underrun, increasing tx start threshold to 120 bytes
> > >>> dc0: TX underrun -- increasing TX threshold
> > >>> dc0: TX underrun -- increasing TX threshold
> > >>>
> > >>> --
> > >>> Wade Blackwell
> > >>> "Women don't want to hear what you think, women want to hear what they
> > >>> think---in a deeper voice" Bill Cosby
> > >>> "Integrity is often more painful and always more profitable than
> > >>> perception management"
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >>> For additional commands, e-mail: [EMAIL PROTECTED]
