This is a discussion on Re: Best version of IPFilters for Solaris within the IPFilter forums, part of the System Security and Security Related category.
Mangesh wrote:
> Dear Scott,
>
> I am using OpenBSD 3.0 with ipfilter 3.4.35 and it is handling a good
> amount of traffic.
> I have increased IPSTATE_SIZE from 5737 to 500 009 and
> IPSTATE_MAX from 4013 to 350 003
> and it is currently working fine for me.
>
> I have tried OpenBSD 3.5 with ipfilter 4.1.3; it works for low
> traffic, but if traffic
> goes up then machine gets dump and have to restart the machine, so I
> think you should not
> use this combination on production environment ( Anybody on the list
> using this combination ??????? )

I used 4.1.2, 4.1.3 and 4.1next with OpenBSD 3.5. I had to patch 4.1.2 to get it usable, but even with the recent 4.1next we have issues with the ipfilter box stalling every now and then.

Did you use the ipf ftp-proxy nat module with 4.1.3? I had the feeling that the stalls may be related to nat'ed ftp traffic. Not sure about that though.

So I would urge you not to use 4.1.3 right now.

Sorry, but I can't tell you anything about 3.4.x on OpenBSD since my rule set makes heavy use of macros (to make it editable by ppl not speaking ipfilter). As far as I know, 3.4.x does not support macros, so I can't downgrade to it.

--
Attila

> Regards
> Mangesh
>
> Scott wrote:
>
>> I was wondering what the best (most stable) version of IPFilters would
>> be for a production Solaris 9 box. I had issues with 4.1.3 and can't
>> have my boxes drop on me..
>>
>> Thanks..
>> Scott