
Re: Short question



On Thu, Dec 12, 2002 at 03:28:38PM -0300, Alejandro G. Belluscio wrote:
>   This would be a good question for Daniel. Is pf more
>   [memory|bus|cpu] [bandwidth|latency|amount] constrained when NATing
>   200 machines? Is there some easy way to test it? I don't have that setup to
>   make a test, but if someone can come up with one, I'm willing to try.
Translations like nat, rdr or binat don't consume any additional memory and
little additional CPU time compared to stateful filtering. If you have no
problems filtering x concurrent stateful connections, translating them
with nat will not change things considerably.
As for how many concurrent state entries you can have, a known safe
value is 65000 states per 64MB of memory. So, with 32MB of memory I'd
limit the state table to 32000 entries ('set limit states 32000'). You
can easily test the limit with a couple of concurrent port scans through
the firewall. Now you have 32000 states max for 150+ workstations,
that's 200 concurrent connections per workstation on average. Enough for
web browsing, might get to the limit if many workstations port scan
external hosts or run massive p2p file sharing sessions.
You can limit how many state entries each rule may create, per rule
('keep state (max 100)'), which allows you to reserve a number of state
entries for more important protocols/hosts.
Daniel
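As an added illustration (not part of the original thread), here is a pf.conf fragment that combines the two knobs Daniel describes for a 32MB firewall NATing a LAN: the global state ceiling and per-rule 'max' caps that keep bulk traffic from starving more important protocols. Interface names and addresses are constructed placeholders, and the nat line uses the thread-era syntax that FreeBSD's pf still accepts.

```pf
# Added example, not from the original thread: 32MB firewall NATing a
# ~150-host LAN. Interfaces and addresses are constructed placeholders.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# Global ceiling: roughly 65000 states per 64MB, so 32000 on a 32MB box.
# The default (10000) would otherwise apply; the ceiling protects the
# firewall from exhausting kernel memory under port scans or heavy p2p.
set limit states 32000

# Translate the LAN out the external interface (pre-4.7 OpenBSD / FreeBSD
# syntax; current OpenBSD: match out on $ext_if from $lan nat-to ($ext_if)).
nat on $ext_if from $lan to any -> ($ext_if)

block all
pass quick on lo0

# Internal interface: stateless in both directions, so all state entries
# are created (and counted) on the external interface's rules below.
pass in  on $int_if from $lan to any
pass out on $int_if from any to $lan

# Important protocols share only the global ceiling: no per-rule cap.
pass out on $ext_if proto udp from any to any port 53 keep state
pass out on $ext_if proto tcp from any to any port { 25, 80, 443 } keep state

# Bulk/p2p and everything else is capped per rule so it cannot consume
# the whole table: once a rule hits its max, new connections matching
# that rule are dropped while the uncapped rules above keep working.
pass out on $ext_if proto tcp from any to any port 6881:6999 keep state (max 100)
pass out on $ext_if proto { tcp, udp } from any to any keep state (max 4000)
```

Check the applied ceiling with `pfctl -s memory` and watch the current state count in `pfctl -s info` while running the concurrent port-scan test Daniel suggests; `pfctl -vs rules` shows how many states each rule currently holds against its max.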