I have OpenBSD 3.9 doing load balancing to a farm of web servers (11 web
servers). In the peak hours the traffic jumps over 32Mbits, with around
15,000 entries in the state table.
You can check my graph at: http://www.ilievi.net/15days.jpg
The firewall is running on:
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
real mem = 534290432 (521768K)
avail mem = 480735232 (469468K)
load averages: 0.92, 0.88, 0.83 13:58:18
27 processes: 26 idle, 1 on processor
CPU states: 2.2% user, 0.0% nice, 5.9% system, 12.5% interrupt, 79.4% idle
Memory: Real: 31M/99M act/tot Free: 398M Swap: 0K/1024M used/tot
My current limit:
set limit states 30000
Alexander Lind wrote:
If I have a busy http server or cluster (by busy I mean one that gets
hundreds of thousands of visitors per day), and I use an OpenBSD
firewall, should I keep state for all incoming http connections, or
should I just pass them all in without state and then pass them all
out without state instead of using states?
I'm afraid the state table will get filled up.
This is on OpenBSD 3.9.
Alec